How to use Entra External Authentication Method in Authentication Strengths?

Question

We have our own external authentication method. We want to add this method as an additional step along with the built-in MFA. For example, if a user has Microsoft Authenticator (passwordless) as their MFA, they need to login using that after successful authentication the External Authentication method should kick in.

Currently, it is possible to activate either one. We need to combine both. Is there a way to achieve this scenario? Microsoft doesn't support EAMs in authentication strengths otherwise a simple conditional policy would have been the solution.

Answer 1

Hi @Govind Krishna ,

Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

There's a recommended way in the public documentation that may meet your needs:

Using EAM and Conditional Access custom controls in parallel

EAMs and custom controls can operate in parallel. Microsoft recommends that admins configure two Conditional Access policies:

One policy to enforce the custom control

Another policy with the MFA grant required

Include a test group of users for both, because if a user is included in both policies, or any policy with both conditions, the user has to satisfy MFA during sign-in. They also have to satisfy the custom control, which makes them redirected to the external provider a second time.

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage#using-eam-and-conditional-access-custom-controls-in-parallel

Kindly let me know if this work for you and please let me know if you have any further question.

If I have answered your question, please accept this as answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

Best regards,
Eric