SSO Azure B2B External Tenant - Enable OTP+MFA if User is already using Azure

Gaurav Chopra 0 Reputation points
2024-07-12T07:02:31.0933333+00:00

Hello Team,

For SSO Entra External ID, how can we enable the MFA+OTP option in case the customers are already on Azure/Entra?

For example, we have our app set up on Microsoft Entra External ID and want to onboard customers for Non-Federated access with the Email + OTP + MFA method. However, as they are already on Azure/Entra, it is most likely setting them up for Auto Federation.

Can this be supported without any action required from customers?


1 answer

  1. Navya 6,615 Reputation points Microsoft Vendor
    2024-07-16T07:06:45.5+00:00

    Hi @Gaurav Chopra

    Thank you for posting this in Microsoft Q&A.

    I understand that your customers have accounts in a workforce tenant with Multi-Factor Authentication (MFA) and One-Time Passwords (OTP), and you've set up an application in an external tenant. If my understanding of the issue is incorrect, feel free to post back.

    The external tenant is where you'll register your apps, create sign-up and sign-in user flows, and manage the users of your apps. The consumers and business customers who sign up for your apps are added to the tenant directory, but with limited default permissions.

    Email with one-time passcode is an option in your local account identity provider settings. With this option, the customer signs in with a temporary passcode instead of a stored password each time they sign in. This can be supported without any action required from customers.

    For more information: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-authentication-methods-customers#email-with-one-time-passcode-sign-in

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    Please remember to "Accept Answer" if the answer helped you. This will help us as well as others in the community who might be researching similar questions.
