External MFA in Microsoft Entra ID is now generally available
Great to see external MFA reach GA—this is an important step for organizations that rely on third-party MFA providers while still leveraging Conditional Access and risk-based controls in Microsoft Entra ID.
That said, to fully unlock its potential, external MFA needs to evolve beyond being limited to a secondary factor.
In many European public sector organizations, there is already widespread use of nationally and internationally approved eID schemes (e.g., eIDAS-aligned identities). These are high-assurance authentication methods, and there is a strong need to be able to reuse these existing investments directly in Entra ID, rather than introducing parallel authentication mechanisms.
In particular, it would be valuable to see:
- Support for external MFA as a primary authentication method, enabling true passwordless scenarios
- A clear path to retire AD FS / federation dependencies, where external MFA could replace federated authentication flows
- Integration with authentication strengths, so external methods can be evaluated consistently in Conditional Access
- Support for SSPR flows, enabling external methods to be used across both sign-in and recovery scenarios
These capabilities would make external MFA a first-class citizen in Entra’s authentication model, support reuse of trusted eID ecosystems, and strengthen the overall move toward passwordless and identity-first security.