Microsoft Makes External MFA Generally Available in Microsoft Entra ID

Microsoft expands MFA flexibility while preserving centralized security controls.

Key Takeaways:

  • Microsoft Entra ID now supports external MFA providers, adding flexibility to identity workflows.
  • Integration is built on OpenID Connect while still enforcing Conditional Access and security policies.
  • External MFA will replace Custom Controls ahead of the planned retirement of Custom Controls in 2026.

Microsoft has made external multi-factor authentication (MFA) generally available in Microsoft Entra ID. The update enables organizations to seamlessly integrate third-party MFA providers into their authentication workflows without losing centralized control.

Previously, organizations using Microsoft Entra ID had little flexibility when they wanted to rely on third‑party multi‑factor authentication tools, which often forced them to choose between Microsoft’s native MFA or custom integrations. This limitation made it difficult for companies to meet regulatory requirements, retain existing MFA investments, or manage complex environments, such as mergers.

Why external MFA matters for enterprise identity security

According to Microsoft, this new feature allows organizations to use external authentication systems with Microsoft Entra ID for user verification. It lets administrators route authentication requests to third-party MFA providers while maintaining identity management within Microsoft’s platform.

Microsoft noted that external MFA relies on the OpenID Connect (OIDC) standard, allowing integration without compromising security controls or policy enforcement. The company says even when an external MFA provider is used, every sign‑in continues to pass through full Microsoft Entra ID policy checks, including Conditional Access rules and real‑time risk assessment.

“Integrating external MFA with Conditional Access allows administrators to align authentication prompts with their organization’s security and business objectives by using sign-in frequency and session controls. When these policies are properly tuned, they strike the right balance between reauthentication and user productivity. However, overly frequent reauthentication can degrade user experience and can even increase phishing risk by conditioning users to approve prompts without careful review,” Microsoft explained.

Sign-in with external MFA (Image Credit: Microsoft)

Replacing Custom Controls: What organizations need to know

Microsoft mentioned that external MFA replaces “Custom Controls,” which will be deprecated on September 30, 2026. Existing setups will continue to work during the transition, and the company will share detailed guidance to help organizations move to external MFA before the retirement date.

Identity‑based attacks are a favored tactic for cybercriminals because compromised credentials allow them to bypass traditional defenses, which makes multi‑factor authentication an important protection rather than an optional safeguard. The new external MFA feature directly strengthens this baseline by enabling organizations to use proven third‑party MFA solutions within Microsoft Entra ID. It helps to ensure strong authentication can be consistently enforced across users and applications without weakening centralized security controls.