Check out the blog I wrote with Sravan Akkaram on "Bypassing #AzureAD home tenant #MFA & CA"
https://aadinternals.com/post/ests/
TL;DR:
▪️ Home tenant admins CAN'T enforce home tenant CA if users login directly to resource tenant
▪️ User's tenant information can be viewed by logging in to resource tenant
This has at least two implications:
1️⃣ This allows adversaries to gather users' tenant membership information with just username and password by logging in to any B2C resource tenant.
2️⃣ Adversaries can pivot to other tenants which may or may not have MFA/CA
MSRC advised using "Cross-tenant access settings", but that only allows home tenant admins to block or allow access to all or specific resource tenants. It does not allow them to enforce home tenant MFA/CA.
Bypassing Azure AD home tenant MFA and CA
Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users' identities. For instance, one may allow access only from compliant devices and require MFA from all users. However, because of the architecture of the Azure AD authentication platform, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants. This blog post tries to shed some light on how Azure AD authentication works under the hood. We'll introduce the issue, describe how to exploit it, show how to detect exploitation, and finally, how to prevent the exploitation. The blog is co-authored with @SravanAkkaram and is based on his findings.
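The "Cross-tenant access settings" mitigation that MSRC advised, expressed against the Microsoft Graph cross-tenant access policy, as an added example that is not from the original post or from AADInternals: it blocks outbound B2B collaboration for home tenant users to all external tenants by default and then re-allows one specific partner tenant. The partner tenant ID is a placeholder; the Graph endpoints and the body schema are the documented crossTenantAccessPolicy resource. As the post notes, this only controls which resource tenants users may access; it does not enforce home tenant MFA/CA in the resource tenant.

```powershell
# Requires the Microsoft.Graph PowerShell SDK; this scope is needed to edit cross-tenant access settings.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# 1. Default outbound setting: block users of this (home) tenant from B2B collaboration
#    in ALL external tenants. The tenant default is "allowed" unless changed.
$blockAllOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "blocked"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default" `
    -Body ($blockAllOutbound | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2. Partner-specific setting: re-allow outbound collaboration to one trusted resource tenant.
#    <PARTNER-TENANT-ID> is a placeholder for the partner's directory (tenant) GUID.
$allowPartner = @{
    tenantId = "<PARTNER-TENANT-ID>"
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners" `
    -Body ($allowPartner | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 3. Read the default back to verify that outbound collaboration is now blocked by default.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default"
```

Partner settings take precedence over the default, so the allow entry for the listed tenant applies while every other external tenant stays blocked.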
