Microsoft's new Entra ID feature fixes a huge MFA limitation

Microsoft Entra ID adds third-party MFA support, letting enterprises integrate external providers while replacing Custom Controls by 2026.

Microsoft Entra ID, formerly known as Azure Active Directory (AAD), is one of the most widely used cloud-powered identity and access management (IAM) systems in enterprise environments. Although it supports multifactor authentication (MFA) through various methods such as Microsoft Authenticator, Windows Hello for Business (WHfB), SMS, calls, and more, it has not supported external MFA until today.

Today, Microsoft has announced the general availability of third-party MFA in Entra ID. What this means is that organizations can now entrust third-party MFA providers with external authentication, while maintaining the use of Entra ID as the central identity control platform.

Microsoft has noted that this change will benefit customers who leverage third-party MFA providers to meet compliance requirements, need to support specialized scenarios such as post-mergers, or want to unify all their heterogeneous MFA solutions under one umbrella. Since Entra ID leverages OpenID Connect (OIDC) for this implementation, any supported third-party provider can now be integrated into your infrastructure.

Once external MFA is integrated with Conditional Access (CA), end-users should begin seeing trusted third-party providers during the authentication process. Microsoft has encouraged IT admins to properly tune their authentication policies to achieve a balance between security and productivity, as frequent reauthentication increases the risk of phishing and degrades the user experience overall.

It's worth noting that external MFA in Entra ID is a direct replacement for Custom Controls, which will be deprecated on September 30, 2026. Existing implementations will continue to work until then, and Microsoft will be providing detailed guidance regarding the process to migrate from Custom Controls to external MFA in Entra ID.

Overall, this is a major improvement for enterprise customers who want to use Microsoft's IAM solutions, but still want to give end-users the option to choose their preferred, trusted MFA provider. The continued usage of OIDC MFA flows should also offer interoperability, flexibility, and standardized integration with existing IAM solutions.
