Hi Santhosh,
Thank you for posting your query on Microsoft Q&A.
If users are unable to sign in with Google after you've enabled Multi-Factor Authentication (MFA) in your Conditional Access policies, it’s a known issue in Microsoft Entra ID. This can happen when MFA isn’t properly set up to trust Google, or if the Conditional Access policies are too restrictive for external users.
Please follow the steps below to fix the issue:
1. Set Up MFA Trust for Google Users
- Go to Microsoft Entra admin center > External Identities > Cross-tenant access settings.
- Make sure that both inbound and outbound MFA trust is enabled. This ensures that Google users who have already completed MFA won’t be blocked or prompted to do MFA again when signing in.
- This step helps Google users authenticate smoothly even when MFA is required.
2. Review Your Conditional Access Policies
- Double-check that your Conditional Access policies apply to the correct users, including external Google users.
- You may want to temporarily relax some restrictions like device compliance and session controls for external users to avoid accidental blocks.
- Also, ensure that the MFA requirement in your policies is set up correctly for external authentication.
3. Use a Combined Sign-Up and Sign-In Flow
- Instead of using separate sign-in and sign-up flows, set up a combined user flow (SignUpSignIn). This will help users who don’t have an account yet sign up easily while trying to log in.
- Note: Microsoft Entra doesn't automatically switch a Google sign-in attempt to sign-up if the user isn’t registered yet, so users will need to manually sign up if they’re new.
4. Enable Self-Service Sign-Up for New Google Users
- To make it easier for new Google users, enable self-service sign-up by going to External Identities > External collaboration settings.
- This will allow new users to register themselves, helping them avoid errors when trying to sign in for the first time.
5. Check the Sign-In Logs
- Go to Microsoft Entra admin center > Monitoring & health > Sign-in logs.
- Review the logs to find specific errors related to MFA or Conditional Access policies. This will help you understand what’s blocking the sign-in and allow you to troubleshoot more effectively.
Additional Resources:
I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly Upvote it.
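For step 5, an added example (not part of the original answer or of any Microsoft tooling): it triages sign-in log records exported as JSON and reports which Conditional Access policy and grant control failed, and for which users. It assumes records shaped like the Microsoft Graph `signIn` resource; the sample records, policy names, control values and the `blocking_policies` helper are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

def _rec(upn, code, ca_status, policies):
    # Build one constructed record using Microsoft Graph signIn field names.
    return {"userPrincipalName": upn, "status": {"errorCode": code},
            "conditionalAccessStatus": ca_status,
            "appliedConditionalAccessPolicies": [
                {"displayName": n, "result": r, "enforcedGrantControls": g}
                for n, r, g in policies]}

# Constructed sample export: users, policy names and control values are made up.
MFA_FAIL = ("Require MFA - all users", "failure", ["Mfa"])
MFA_OK = ("Require MFA - all users", "success", ["Mfa"])
DEVICE_FAIL = ("Require compliant device", "failure", ["RequireCompliantDevice"])
DEVICE_NA = ("Require compliant device", "notApplied", [])
SAMPLE_EXPORT = json.dumps([
    _rec("alice@gmail.com", 50076, "failure", [MFA_FAIL, DEVICE_NA]),
    _rec("alice@gmail.com", 50076, "failure", [MFA_FAIL, DEVICE_NA]),
    _rec("bob@gmail.com", 53003, "failure", [DEVICE_FAIL]),
    _rec("carol@contoso.example", 0, "success", [MFA_OK]),
    _rec("dave@gmail.com", 50126, "notApplied", []),  # bad password, not a CA block
])

def blocking_policies(export_json):
    """Count failed sign-ins per (policy, grant controls) and collect affected users."""
    counts, users = Counter(), defaultdict(set)
    for rec in json.loads(export_json):
        if rec.get("status", {}).get("errorCode", 0) == 0:
            continue  # sign-in succeeded
        if rec.get("conditionalAccessStatus") != "failure":
            continue  # failed for a reason other than Conditional Access
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol.get("result") == "failure":
                key = (pol["displayName"], tuple(pol.get("enforcedGrantControls", [])))
                counts[key] += 1
                users[key].add(rec.get("userPrincipalName"))
    return counts, users

if __name__ == "__main__":
    counts, users = blocking_policies(SAMPLE_EXPORT)
    for key, n in counts.most_common():
        print(n, key[0], list(key[1]), sorted(users[key]))
```

Grouping by policy rather than by user shows whether one policy accounts for the external-user failures before any restriction is relaxed.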