Howdy folks,


Today, I would like to update you on our work to enable use of third-party multi-factor authentication (MFA) providers with Azure Active Directory (Azure AD). Customers have asked to use their existing third-party MFA investments with Azure AD. We provided a preview of this capability by extending Conditional Access through custom controls. Based on customer feedback, it is clear that this approach is too limited, so we are redesigning the feature to ensure we can give you all the functionality you’ve asked for.


We are planning to replace the current preview with an approach which will allow partner-provided authentication capabilities to work seamlessly with the Azure AD administrator and end user experiences. Today, partner MFA solutions can only function after a password has been entered, don’t serve as MFA for step-up authentication on other key scenarios, and don’t integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios including registration, usage, MFA claims, step-up authentication, reporting, and logging.


The current, limited approach will be supported in preview until the new design is completed, previewed, and reaches General Availability. At that point, we will provide time for customers to migrate to the new implementation. Because of the limitations of the current approach, we will not onboard any new providers until the new capabilities are ready.


We are working closely with customers and providers and will communicate a timeline as we get closer.


We always love to hear your feedback and suggestions and look forward to hearing from you! Let us know what you think in the comments below or reach out to us on Twitter (@azuread). 


Best Regards,

Alex Simons (@alex_a_simons)

Corporate Vice President

Microsoft Identity Division

Occasional Contributor

Hi Alex,

Amazing future capabilities, love the possibilities that will take us away from the old static approach to a more modern and dynamic world. Identity (even I(dentity)a(s)C(ode)) is always an essential part; done right, it will have the future impact on how modern software systems are developed, designed, configured, deployed, monitored, integrated and how they utilize modern security concepts. But first and foremost, this will probably put the company in focus; those who own the apartment (tenant), whether it's in the public sector, private sector or international organizations. We need even better possibilities to stop identity theft.

Best regards

Regular Visitor

Hi Alex - This is good news. We have been using custom controls since they came out, so we have probably experienced first hand most of the limitations. Due to some of the current limitations we had put ADFS :( back into the authentication flow; hopefully these improvements will allow ADFS to be removed, while keeping our third party MFA.


We added ADFS back in to send a static MFA claim, as we hit a problem with Windows Hello requiring the user to enrol into MS MFA because the custom control did not satisfy the "MFA Claim".

New Contributor

This is encouraging news! We have been using the custom controls for over a year now and can relate to some of the challenges mentioned. We'd love to participate in the private preview, whenever you are ready.

Senior Member

Hi Alex,


What is the expected timeframe for these new capabilities for 3rd party MFA to be available for customers? Either as public or private preview?


Regular Visitor

Hi @Alex Simons (AZURE) ,


I second @Rasmus Andersen's question: when is the plan for this to be available? It is already July and we do not have a timeline.


We have a 3rd party Vendor partner that needs access to a feature to MFA Microsoft Azure AD Accounts directly and it would be nice if we could use this product in conjunction with yours the same way companies like DUO already have been able to... The limitations of this method are there but the functionalities for some companies were just fine.


Thanks for any info you can give!


Hi @Rasmus Andersen @GameGeek126 - I've sent you both a message, please check your inbox and let me know if you would like to chat.

Occasional Visitor

I am also very interested in timeline for these planned changes. We are developing some new procedures to support our use of Azure Lighthouse and these changes could be impactful for us.

Senior Member

1) Is this new mechanism going to be applicable per-group or per-user, rather than all-or-nothing for the whole tenant? (like AAD Security Defaults does) At the moment we are using a CA custom control + CA policies to enforce Duo for most of our users, and this is done by scoping the CA policies to security groups. However, we have some accounts that are getting Azure MFA, or no MFA and very strict login restrictions, enforced by other CA policies. (Service accounts, admin accounts, etc)


If this new mechanism is not equally as granular as requiring a custom control in a CA policy is, then we're about to be in a world of hurt, because it sounds like the ultimate plan is for custom controls to go away period.


2) At the moment, when using CA custom controls/policies to enforce Duo, we see that certain things that require MFA (namely, Windows Hello for Business) do not work. Seems that it's because it only supports Azure MFA or AD FS + 3rd party MFA. Anything like setting a sign-in PIN on a HAADJ device won't work because it asks for an Azure MFA code that users simply don't have.


Is this one of the scenarios that the new mechanism will now allow to work?

Senior Member

Thanks for this news. We currently use the Symantec VIP custom control and are affected by the above mentioned limitations, such as the lack of Identity Protection policy support.


Are there any further updates or a timeline?

Occasional Visitor

Thank you very much for this information. We'd like to know the details when it is ready.


Where should we watch to get new information on this new feature?
Especially, we'd like to know whether this new MFA approach allows the customer to use a 3rd party IdP via standards or not.


Best Regards,

Regular Visitor

@Inbar Cizer Kobrinsky Hi Inbar, we are also looking to integrate with this feature as a third party vendor. Can you elaborate on when and how this should be done?

Occasional Visitor


We are evaluating using Conditional Access for our company.

One of the main features that we would want is:

defining our own conditional access policy criteria. That is, apart from geo-location, IP addresses, Intune status etc., we want to have our own criteria which will validate the request by its own logic.

Example of the logic could be: If the GeoLocation says Japan && Time is off-working hours && Our Anti-Virus says the device has some malware, block the access.

I can think of 2 ways to do this:

1. Add another option in Conditional Access -> Conditions -> "Custom Policy Check", and have an option to add scripts or pass the request to another Validation Proxy Server.

2. In Conditional Access -> Custom controls, allow us to define our own MFA provider. Basically, like DUO and others who do 2FA, we would want to set up our own validation server which does checks for our custom policies.


I am not sure if there is already a way to do something like this; I couldn't find it in the docs yet.

Can you direct me to anything which could help us achieve C? Is there a plan in future to have 

Established Member

Hello Alex & Inbar,


We have a unique biometric (handwriting-based) MFA solution and are interested in integrating as a third-party vendor as well.  We have a very large Azure AD customer that is looking to add our MFA capabilities as soon as possible, so we would like to be able to provide a timeline for them. Can you contact me to discuss?  Thanks.


Best regards,


Would love to be part of any private/public preview of this. We are using DUO and would love to swap over to make it more seamless for the users for enrollment, password reset etc.


Also, we would love to make sure it works as expected with thick apps on mobile devices. We tried to swap MS Teams apps MFA to DUO and see constant prompts.


We also are using a custom fingerprint based 2FA, which we have set up as a second SAML call to that system. Hoping your new method leverages standards like SAML with the ability to choose the attribute you pass.


Why stop at 2 factors? Let us choose our own MFA flow.

Senior Member

@Alex Simons (AZURE) 


Custom control doesn't work with Device Registration. We have enabled Custom control with Ping ID and MFA works OK for accessing Outlook/Teams etc., however it doesn't work during Device Registration.

During Device Registration the user is redirected to the Azure MFA page instead of Ping and the process errors out. I have tested with Android and iOS so far. These devices are not enrolled in Intune; we just use Intune-WE.


I have also opened a support ticket but it's beyond the support engineers.


Wondering if your team is aware of this and if this will be resolved.

Occasional Visitor

Is Okta one of the supported providers now?


We are planning to use this for Intune-WE device registrations as well.


Thanks for the response in advance!

Occasional Visitor

Do you have details or updates on the timeline to launch this?

Thanks a lot!

Occasional Contributor

Hi Alex,

Looking forward to be even more Ignite'd, and it's excellent to see even more of the B2C functionality moving into the main tenant through external identities. In B2C I have utilized the I(dentity)E(xperience)F(ramework) to use other external IdPs as yet another MFA factor. I just love the flexibility of extending the user journeys; making it possible to do a lot more and also handling different external claims, migration and REST calls. The callback concepts through the idp_access_token extend the possibilities even further. With also more future oriented possibilities to do even greater conditional access concepts in the clouds, this journey has just started...

I have also tried out some concepts where you have one cloud identity to many different IdPs, going from a static to a more dynamic concept where you can be in a privileged role just when you need to: the shortest time, similar to the PIM based concepts. I have also addressed some new concepts to pass the access token more securely through an authentication chain or do a more structured logout concept. Just amazing what you can do in future oriented proper clouds...

Best regards

Senior Member

Are there any Ignite sessions that explain and demonstrate these upcoming changes? There's been no new info for half a year.

Occasional Visitor

Hi @Alex Simons (AZURE) ,


I participated in the Microsoft Ignite Conference, but I am still not sure when the GA will be available. We have some places using OneLogin MFA, some using DUO. So we developed our own version of MFA. We want to integrate with Azure AD through conditional access / custom control.


I have similar questions to others: When will GA be available? And how do we onboard our MFA app to be part of the solution providers for MFA? Thanks.

Occasional Visitor

Do you have any new update on this? We are looking at PingID for MFA, so we would like to get a sense of timing/roadmap for this before making a decision.


Many thanks.

Occasional Visitor

Hi @Alex Simons (AZURE)


Any update on the status of this new functionality? I haven't seen it in the portal, or seen any new announcements about it.


Thanks in advance,



Regular Visitor

Any updates?


We have a 3rd party provider (WatchGuard AuthPoint) that is required to do things using federation until Microsoft comes out with this "new method", or until they allow WatchGuard as an Authenticating service in custom control until the service comes out...


Prohibiting 3rd party vendors after giving access to vendors like Duo, and then allowing DUO to work while others can't even get into the new program, causes steep issues with inequitable competition for those who come out with newer competitive products and allows products like DUO to have an edge over competitors just because they were around longer.


Established Member

Hello Alex,


We understand that COVID threw a wrench in the development efforts on this project, but we would appreciate an update on the status. It has been almost 10 months since you announced this upcoming capability and our mutual customers have repeatedly been asking us when this will be available. MFA is critical for improving security, but not all MFAs are equally secure (as noted by Alex Weinert in his blog post "It's Time to Hang Up on Phone Transports for Authentication" on 11/20/2020), and pushing users to the limited other MFA providers (like MSFT's Authenticator App) is frustrating and seems to be anti-competitive.


Is there either a timeline or guidance on a workaround to incorporate other MFA systems?


Thanks in advance for your reply.


Echoing the sentiments above, we are eagerly awaiting more details on this announcement.


We are currently utilizing PingID for MFA against Office 365 and have been looking to extend this into other areas of Azure to replace dependencies on the native MFA service. To know that something was in the works to address the limitations with the current preview functionality was great, but it has been frustrating to be in limbo awaiting more details for close to a year now.


Any foresight or guidance on when we might expect to hear more would be greatly appreciated.