Managing external identities to enable secure access for partners, customers, and other non-employees
- Microsoft Entra External ID (CIAM) does not support replacing the built‑in SMS MFA delivery with a third‑party SMS provider. In external tenants, SMS is described as a Microsoft‑managed, add‑on second‑factor method that includes built‑in fraud checks (CAPTCHA, throttling, regional restrictions, phone number reputation) and safeguards against telephony fraud. There is no documented mechanism to intercept or override the SMS send/verify flow with a custom SMS provider in the MFA pipeline, unlike the flexibility available for email OTP. SMS MFA is explicitly positioned as a platform feature:
  - It is only available as a second factor.
  - It is tied to a linked Azure subscription and Microsoft’s own telephony and fraud‑protection stack.
  - Fraud controls (including phone number reputation and regional protections) are part of the Microsoft‑managed SMS flow and are not exposed for replacement.
- The officially recommended pattern for advanced SMS scenarios is not to bring your own SMS gateway, but to add third‑party fraud protection in front of Microsoft’s SMS MFA while still using Microsoft Entra External ID to issue and validate the OTP. The guidance for native applications using SMS‑based MFA is:
  - Use Microsoft Entra External ID’s SMS MFA as the OTP issuer/validator.
  - Integrate a third‑party fraud protection provider (for example, Human Security or Prove) into the native app.
  - Collect device, behavioral, and network signals via the provider’s SDK.
  - Call the provider before triggering SMS MFA and classify the risk of the sign‑in attempt.
  - Place a customer‑managed web application firewall (WAF) in front of Microsoft Entra External ID endpoints.
  - The WAF enforces the fraud decision:
    - Low/acceptable risk → forward the request so Entra External ID sends the SMS OTP.
    - High risk requiring extra verification → complete the provider‑specific challenge before continuing.
    - High risk with failed evaluation → block the request; no SMS OTP is sent.
  - Microsoft Entra External ID continues to own SMS OTP delivery and verification.
  - The third‑party provider and WAF control whether a given request is allowed to reach Entra’s SMS endpoint.
  - This reduces exposure to IRSF (international revenue share fraud) and account takeover while preserving Microsoft’s built‑in protections and subscription‑based SMS model.
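The gating pattern above, modelled as an added example (not Microsoft's code, nor any fraud provider's SDK): a small in-memory stand-in for the customer-managed WAF decision layer that sits in front of the Entra External ID SMS endpoint. The `Signals` fields, the `score_signals` weights, the `LOW_RISK_MAX`/`CHALLENGE_MAX` thresholds and the challenge-token handling are all assumptions chosen to illustrate the three enforcement outcomes (forward, challenge, block); a real deployment takes the verdict from the provider and the thresholds from its guidance.

```python
"""Added example: a minimal model of the customer-managed gate in front of the
Entra External ID SMS MFA endpoint. Signal names, scoring weights, thresholds
and the challenge-token mechanism are assumptions for illustration only."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    FORWARD = "forward"      # low risk: forward so Entra External ID sends the OTP
    CHALLENGE = "challenge"  # high risk: complete the provider challenge first
    BLOCK = "block"          # high risk, evaluation failed: the OTP is never sent


@dataclass
class Signals:
    """Device/behavioral/network signals a provider SDK would collect (assumed fields)."""
    device_known: bool
    ip_is_datacenter: bool
    sms_requests_last_hour: int
    automation_score: float  # 0.0 human-like .. 1.0 clearly scripted


@dataclass
class Verdict:
    score: float               # 0.0 benign .. 1.0 fraudulent
    reasons: list = field(default_factory=list)


def score_signals(s: Signals) -> Verdict:
    """Stand-in for the provider's risk classification (constructed weights)."""
    score, reasons = 0.0, []
    if not s.device_known:
        score += 0.25; reasons.append("unknown device")
    if s.ip_is_datacenter:
        score += 0.35; reasons.append("datacenter IP")
    if s.sms_requests_last_hour >= 5:
        score += 0.30; reasons.append("SMS request velocity")
    score += 0.4 * s.automation_score
    if s.automation_score > 0.5:
        reasons.append("automation suspected")
    return Verdict(min(score, 1.0), reasons)


LOW_RISK_MAX = 0.3    # assumed: at or below this, forward without friction
CHALLENGE_MAX = 0.8   # assumed: at or below this, step up; above this, block


class WafGate:
    """Enforces the fraud verdict before a request may reach the SMS endpoint."""

    def __init__(self) -> None:
        self._pending: dict = {}   # single-use challenge token -> phone it was issued for
        self.audit: list = []      # decision records for the SOC (phone number masked)

    def decide(self, phone: str, signals: Signals,
               challenge_token: Optional[str] = None) -> tuple:
        """Return (Action, challenge_token_or_None) for one OTP request."""
        # A completed challenge for this phone lets exactly one request through.
        if challenge_token and self._pending.pop(challenge_token, None) == phone:
            return self._record(phone, Action.FORWARD, "challenge passed"), None
        v = score_signals(signals)
        why = ";".join(v.reasons) or "low risk"
        if v.score <= LOW_RISK_MAX:
            return self._record(phone, Action.FORWARD, why), None
        if v.score <= CHALLENGE_MAX:
            token = secrets.token_urlsafe(16)   # handed to the app to start the challenge
            self._pending[token] = phone
            return self._record(phone, Action.CHALLENGE, why), token
        return self._record(phone, Action.BLOCK, why), None

    def _record(self, phone: str, action: Action, reason: str) -> Action:
        masked = phone[-4:].rjust(len(phone), "*")
        self.audit.append({"phone": masked, "action": action.value, "reason": reason})
        return action


if __name__ == "__main__":
    gate = WafGate()
    # constructed sample traffic: a returning user, a new device, and a scripted burst
    print(gate.decide("+15550001234", Signals(True, False, 0, 0.1)))
    action, token = gate.decide("+15550001234", Signals(False, False, 1, 0.2))
    print(action, "->", gate.decide("+15550001234", Signals(False, False, 1, 0.2), token))
    print(gate.decide("+15550009999", Signals(False, True, 20, 0.9)))
    for row in gate.audit:
        print(row)
```

The audit list is the part a detection team cares about: every outcome, including blocks that never produced an OTP, is recorded with the reason string, so a burst of `block` decisions against many distinct numbers from datacenter IPs is visible even though Entra never saw those requests.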
- No roadmap or official guidance in the provided material indicates support for custom/bring‑your‑own SMS OTP providers in External ID MFA. The current guidance focuses on:
  - Using Microsoft Entra External ID’s own SMS MFA as the second factor.
  - Linking the external tenant to an Azure subscription to enable SMS as an add‑on feature.
  - Enhancing protection against IRSF and other telephony fraud by integrating third‑party fraud protection ahead of the SMS challenge, not by replacing the SMS transport.
- Accordingly, the provided material does not describe any of the following:
  - An event such as `smsOtpSend`.
  - A pluggable SMS provider model for MFA.
  - A roadmap commitment to support custom SMS OTP providers in External ID MFA.