Microsoft Entra ID for Customers: Requiring Customers to Re-register their MFA Does Not Function

Lance Tallman 40 Reputation points
2024-03-14T19:38:19.9766667+00:00

Overview:

Our team recently created a "Microsoft Entra ID for Customers" resource which we are attempting to configure for our use case. For said use case, multi-factor authentication is required and needs to be configured the first time a customer logs in. Currently, we create a User (Customer template) via the Graph API and assign said user an email and password then share those credentials with our customer. When they log in for the first time, a "We couldn't sign you in - An additional verification method is required to access this site or app." message appears, halting the user flow. Our understanding is that this message appears because MFA is required and the user has no configured MFA method. Our expectation is that an MFA configuration wizard should be launched whenever this occurs.

Steps Taken:

After looking through the existing Entra ID documentation, we stumbled upon the following article which seemed to perfectly encapsulate the problem we needed to solve and prescribed a solution to it:

https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta#require-re-register-multifactor-authentication

In the above article, it's stated that users can set up a new MFA method the next time they sign in if no authentication methods exist for said user. After making a GET request on the newly-created user's authentication methods, we noticed that the user had no configured authentication methods (except password). Given that no documented way exists to delete the password authentication method, we didn't know how else to proceed.

As a temporary solution, we prescribed an authentication method of email for the customer which functioned as expected. With this solution, the customer is asked to provide a one-time email code whenever they sign in and the user flow is no longer halted.

In case it's useful, we are testing this user flow via the Entra admin center's "Run User Flow" tester which is also where we've encountered the aforementioned problems.

Problem & Assistance Needed:

Given the above information, if a customer only has an authentication method of "password," shouldn't they be prompted to configure a new MFA method? If not, is it because the password authentication method still exists? Could this be an issue in how we've configured MFA within the Entra admin center? Our desire is for customers to be able to configure the MFA method of their choice when logging in for the first time.

Thanks so much for any help, guidance, or direction!
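As an added example that is not part of the original thread, the check from the Steps Taken section in Python: list the customer's authentication methods over Microsoft Graph and, when only the password method exists, register the email OTP method the poster used as a workaround. The `send` transport, the user id and the email address are assumed placeholders; against a real tenant `send` would be a `requests` call carrying an app token granted `UserAuthenticationMethod.ReadWrite.All`.

```python
"""Added example, not Microsoft's or the original poster's code.
Checks which authentication methods a Microsoft Entra External ID customer
has via Microsoft Graph and, when only "password" exists (the state described
in the question), registers an email OTP method as the thread's workaround.
`send(method, url, body)` is an assumed caller-supplied transport returning
the decoded JSON body; an in-memory stand-in is constructed below."""
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"
EMAIL_TYPE = "#microsoft.graph.emailAuthenticationMethod"
Send = Callable[[str, str, Optional[dict]], dict]

def list_methods(send: Send, user_id: str) -> List[Dict]:
    """GET /users/{id}/authentication/methods; the password method is always listed."""
    url = f"{GRAPH}/users/{user_id}/authentication/methods"
    return send("GET", url, None).get("value", [])

def second_factors(methods: List[Dict]) -> List[Dict]:
    """Methods that can satisfy an MFA requirement, i.e. everything except password."""
    return [m for m in methods if m.get("@odata.type") != PASSWORD_TYPE]

def ensure_email_otp(send: Send, user_id: str, email: str) -> Dict:
    """Register an email OTP method only if the user has no second factor yet.
    Returns {"registered": bool, "methods": [odata types]} for audit logging."""
    existing = second_factors(list_methods(send, user_id))
    if existing:
        return {"registered": False, "methods": [m["@odata.type"] for m in existing]}
    url = f"{GRAPH}/users/{user_id}/authentication/emailMethods"
    created = send("POST", url, {"emailAddress": email})
    return {"registered": True, "methods": [created.get("@odata.type", EMAIL_TYPE)]}

def fake_send_factory(seed: List[Dict]) -> Send:
    """Constructed in-memory stand-in for Graph so the example runs offline."""
    store = list(seed)

    def send(method: str, url: str, body: Optional[dict]) -> dict:
        if method == "GET":
            return {"value": list(store)}
        item = {"@odata.type": EMAIL_TYPE, "emailAddress": body["emailAddress"]}
        store.append(item)  # Graph returns the created method object
        return item
    return send

if __name__ == "__main__":
    # Constructed sample: a freshly created customer with only the password method.
    send = fake_send_factory([{"@odata.type": PASSWORD_TYPE, "id": "pw"}])
    print(ensure_email_otp(send, "user-id-placeholder", "customer@example.com"))
    print(ensure_email_otp(send, "user-id-placeholder", "customer@example.com"))  # no-op
```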

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

Accepted answer
  1. Shweta Mathur 27,711 Reputation points Microsoft Employee
    2024-03-18T09:34:59.9733333+00:00

    Hi @Lance Tallman,

    Thanks for reaching out.

    As this feature is currently in preview, not all of the functionalities are available as of now.

    The document you are referring to is for Microsoft Entra ID. Unfortunately, re-registering MFA is not currently supported in Microsoft Entra External ID for customers.

    For Microsoft Entra External ID for customers, as of now you can enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

    https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-multifactor-authentication-customers

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.


1 additional answer

  1. Eric D 11 Reputation points
    2024-03-18T16:19:03.91+00:00

    Thank you for the response Shweta! Lance is out of the office this week so I'm relaying the fact that we'll move forward using Email OTP as the only MFA method.
