Microsoft hands Entra ID users new option for MFA

Organizations rely on MFA to enforce identity checks before granting access to systems and services. Microsoft has made external MFA generally available in Microsoft Entra ID, expanding support for third-party identity providers.

Microsoft Entra external MFA

Configure external MFA in Microsoft Entra ID (Source: Microsoft)

External MFA supports organizations that use third-party MFA solutions to meet regulatory or business requirements, handle scenarios such as mergers and acquisitions, or maintain a consistent MFA approach within Microsoft Entra ID. Built on the OpenID Connect (OIDC) standard, it enables integration of a preferred MFA provider while maintaining Conditional Access and policy enforcement.

Once configured, the external method becomes part of the tenant’s authentication methods policy as an external authentication method configuration. Administrators can assign it to specific user groups, including or excluding groups as needed, and manage it alongside built-in authentication options. Organizations must grant administrative consent so the external provider can access required user information during authentication.
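The assignment described above can be reviewed offline from an export of the authentication methods policy. This is an added example, not Microsoft's code: the field names are assumed to follow the Microsoft Graph `externalAuthenticationMethodConfiguration` resource, and the sample policy, IDs and URLs are constructed.

```python
import json
from urllib.parse import urlparse

EXTERNAL_TYPE = "#microsoft.graph.externalAuthenticationMethodConfiguration"

# Constructed sample; every ID, name and URL below is made up.
SAMPLE_POLICY = json.loads("""{"authenticationMethodConfigurations": [
  {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
   "id": "Fido2", "state": "enabled"},
  {"@odata.type": "#microsoft.graph.externalAuthenticationMethodConfiguration",
   "id": "00000000-0000-0000-0000-0000000000a1", "displayName": "Example MFA pilot",
   "state": "enabled",
   "openIdConnectSetting": {"clientId": "example-client",
     "discoveryUrl": "https://mfa.example.com/.well-known/openid-configuration"},
   "includeTargets": [{"targetType": "group", "id": "11111111-1111-1111-1111-111111111111"}],
   "excludeTargets": []},
  {"@odata.type": "#microsoft.graph.externalAuthenticationMethodConfiguration",
   "id": "00000000-0000-0000-0000-0000000000a2", "displayName": "Legacy MFA",
   "state": "enabled",
   "openIdConnectSetting": {"clientId": "legacy-client",
     "discoveryUrl": "http://legacy.example.net/.well-known/openid-configuration"},
   "includeTargets": [{"targetType": "group", "id": "all_users"}],
   "excludeTargets": []}
]}""")


def audit_external_mfa(policy):
    """Return {displayName: [review items]} for each enabled external MFA method."""
    report = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        # Built-in methods and disabled external methods are out of scope here.
        if cfg.get("@odata.type") != EXTERNAL_TYPE or cfg.get("state") != "enabled":
            continue
        findings = []
        included = {t.get("id") for t in cfg.get("includeTargets", [])}
        excluded = {t.get("id") for t in cfg.get("excludeTargets", [])}
        url = urlparse(cfg.get("openIdConnectSetting", {}).get("discoveryUrl", ""))
        if url.scheme != "https" or not url.netloc:
            findings.append("OIDC discovery URL is not an https URL")
        if not included:
            findings.append("enabled but assigned to no group")
        if "all_users" in included and not excluded:
            findings.append("assigned to all users with no excluded groups")
        if included & excluded:
            findings.append("same group both included and excluded")
        report[cfg.get("displayName", cfg.get("id"))] = findings
    return report
```

An empty list means the method raised no review items under these four checks; it does not replace checking the provider's admin consent or the Conditional Access policies that require MFA.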

“Integrating external MFA with Conditional Access allows administrators to align authentication prompts with their organization’s security and business objectives by using sign-in frequency and session controls. When these policies are properly tuned, they strike the right balance between reauthentication and user productivity,” Swaroop Krishnamurthy, Principal Product Lead at Microsoft, explained.

“However, overly frequent reauthentication can degrade user experience and can even increase phishing risk by conditioning users to approve prompts without careful review. To avoid these issues, we recommend following Microsoft’s reauthentication guidance when configuring your Conditional Access policies,” Krishnamurthy continued.

During sign-in, Microsoft Entra ID evaluates applicable policies and prompts for MFA when required. If the external method is available, users can complete the second authentication factor through the external provider. Microsoft Entra ID validates both the initial sign-in and the external verification before granting access.

Microsoft said the capability provides more flexibility in how organizations implement MFA while keeping enforcement and policy evaluation centralized within Entra ID.

External MFA replaces Custom Controls, which will be deprecated on September 30, 2026. Existing configurations will continue to function during the transition period. Microsoft plans to publish migration guidance ahead of the retirement date.
