External MFA in Microsoft Entra ID is now generally available (GA), enabling integration with third-party MFA providers while maintaining Conditional Access and risk-based policies.
Multifactor authentication remains a foundational control for securing user identities, especially as organizations adopt Zero Trust and respond to increasingly targeted identity attacks.
Microsoft’s research shows that MFA reduces the risk of account compromise by more than 99 percent. Microsoft Entra ID already offers a broad set of native MFA options.
Now, with the GA of external multifactor authentication (external MFA)—previously known as external authentication methods—you can integrate trusted third-party MFA providers while continuing to rely on Microsoft Entra ID as your central identity control plane.
Why External MFA matters
External MFA is designed for organizations that:
- Use a third-party MFA solution to meet regulatory or business requirements
- Need to support specific scenarios, such as mergers and acquisitions
- Want to unify MFA experiences under a modern identity system
Built on the OpenID Connect (OIDC) standard, external MFA allows you to integrate your preferred MFA provider into Microsoft Entra ID without sacrificing security or policy enforcement.
Figure 1: Configure external MFA in Microsoft Entra ID
How it works
Once configured, external MFA is managed alongside native Microsoft Entra ID authentication methods—giving administrators a single pane of glass for all authentication methods.
Every sign-in still goes through full policy evaluation, including real-time risk assessment and Conditional Access.
Figure 2: Sign-in with external MFA
Integrating external MFA with Conditional Access allows administrators to align authentication prompts with their organization’s security and business objectives by using sign-in frequency and session controls. When these policies are properly tuned, they strike the right balance between reauthentication and user productivity. However, overly frequent reauthentication can degrade user experience and can even increase phishing risk by conditioning users to approve prompts without careful review. To avoid these issues, we recommend following Microsoft’s reauthentication guidance when configuring your Conditional Access policies.
Migration from Custom Controls
External MFA replaces Custom Controls, which will be deprecated on September 30, 2026. Existing configurations will continue to work during the transition period. We’ll share detailed migration guidance soon to help you move to external MFA before the retirement date.
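As an added example (not Microsoft's code or tooling), the script below reviews an exported set of Conditional Access policies for the two points above: policies that still reference Custom Controls and so need migrating, and policies whose time-based sign-in frequency is short enough to merit a second look. It assumes the export uses the Microsoft Graph conditionalAccessPolicy JSON shape; the sample policies and the 8-hour threshold are constructed for illustration.

```python
import json
# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy export.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Legacy third-party MFA", "state": "enabled",
  "grantControls": {"builtInControls": [],
                    "customAuthenticationFactors": ["constructed-control-id"]},
  "sessionControls": null},
 {"displayName": "Admins reauth hourly", "state": "enabled",
  "grantControls": {"builtInControls": ["mfa"], "customAuthenticationFactors": []},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "hours",
     "value": 1, "frequencyInterval": "timeBased"}}},
 {"displayName": "Baseline MFA", "state": "enabledForReportingButNotEnforced",
  "grantControls": {"builtInControls": ["mfa"], "customAuthenticationFactors": []},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "days",
     "value": 30, "frequencyInterval": "timeBased"}}}
]}
""")

MIN_HOURS = 8  # assumed review threshold, not a Microsoft-published value

def frequency_hours(policy):
    """Return the time-based sign-in frequency in hours, or None if not set."""
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    # "everyTime" policies carry no value and are skipped as deliberate choices.
    if not sif.get("isEnabled") or sif.get("value") is None:
        return None
    return sif["value"] * (24 if sif.get("type") == "days" else 1)

def review(policies, min_hours=MIN_HOURS):
    """Map policy name -> findings relevant to the move to external MFA."""
    findings = {}
    for p in policies:
        notes = []
        grant = p.get("grantControls") or {}
        if grant.get("customAuthenticationFactors"):
            notes.append("uses Custom Controls: migrate before retirement")
        hours = frequency_hours(p)
        if hours is not None and hours < min_hours:
            notes.append(f"reauthentication every {hours}h: review prompt frequency")
        if notes:
            findings[p["displayName"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in review(SAMPLE_EXPORT["value"]).items():
        print(name, "->", "; ".join(notes))
```

Policies in report-only state are reviewed the same way as enforced ones, since they show what will apply once enabled.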
Start integrating external MFA today by following our step-by-step guide on Microsoft Learn.
Thank you to our customers and MFA solution partners for your feedback during the preview phase. Your input helped shape this release.
-Swaroop Krishnamurthy
Principal Product Manager
Microsoft Entra ID