How to enable MFA for entra external tenant

Question

How to enable MFA for entra external tenant

Pranav 20

How to enable the Phone One-Time Passcode (OTP) feature in my Microsoft Entra External ID (CIAM) tenant so that I can collect phone numbers and enforce MFA via SMS.

Accepted answer

0 additional answers

Your answer

Answer 1

Sanoop M 4,050 Microsoft External Staff Moderator

Hello @Pranav,

Email one-time passcode:

After the user signs in with their email and password, they are prompted for a passcode that is sent to their email. To allow the use of email one-time passcodes for MFA, set your local account authentication method to Email with password. If you choose Email with one-time passcode, customers who use this method for primary sign-in won't be able to use it for MFA secondary verification.

When email one-time passcode is enabled for MFA, the user signs in with their primary sign-in method and is notified that a code will be sent to the user's email address. The user chooses to send the code, retrieves the passcode from their email inbox, and enters it in the sign-in window. The user must complete this verification process within 10 minutes.

Please note that you can enable the Phone One-Time Passcode (OTP) feature in your Microsoft Entra External ID (CIAM) tenant by following the below mentioned steps.

Prerequisites:

A Microsoft Entra external tenant.
A sign-up and sign-in user flow.
An app that's registered in your external tenant and added to the sign-up and sign-in user flow.
An account with at least the Security Administrator role to configure Conditional Access policies and MFA.
SMS is an add-on feature and requires a linked subscription. If your subscription expires or is canceled, end users will no longer be able to authenticate using SMS, which could block them from signing in depending on your MFA policy.

Enable email one-time passcode as an MFA method

Enable the email one-time passcode authentication method in your external tenant for all users.

Sign in to the Microsoft Entra admin center as at least a Security Administrator.
Browse to Entra ID > Authentication methods.
In the Method list, select Email OTP.
Under Enable and Target, turn the Enable toggle on.
Under Include, next to Target, select All users.
Select Save.

Reference document for detailed guide which will be helpful:

Add multifactor authentication (MFA) to a customer app - Microsoft Entra External ID | Microsoft Learn

I hope the above information provided is helpful. Please feel free to reach out to us if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment"

Sanoop M 4,050 Reputation points Microsoft External Staff Moderator

2025-06-06T09:35:15.7033333+00:00

Hello @Pranav,

I am following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.
Pranav 20 Reputation points

2025-06-06T18:26:11.17+00:00

Thanks for the information, Sanoop, But unfortunately I am specifically looking for the steps/config to send MFA through SMS. This is the requirement from my business. So it would be would be great If you can explain how to link a subscription to an entra external id and setup MFA through SMS . When I created the entra external I linked to a subscription but if I navigate to External Identities -> Linked subscriptions , it shows "This feature is unavailable or doesn't apply to the current tenant configuration"
Sanoop M 4,050 Reputation points Microsoft External Staff Moderator

2025-06-09T06:46:48.4766667+00:00
Hello @Pranav,

Thank you for your response.

Email one-time passcode:

When email with one-time passcode is selected as the first-factor authentication method, it can't be used for second-factor verification. Therefore, only SMS-based verification can be enabled for MFA.

SMS-based authentication

SMS is available at additional cost for second-factor verification in external tenants. Currently, SMS isn't available for first-factor authentication or self-service password reset in external tenants.

When SMS is enabled for MFA, users sign in with their primary method and are prompted to verify their identity with a code sent via text. They enter their phone number and receive an SMS with the verification code.

SMS pricing tiers by country/region

The following table provides details about the different pricing tiers for SMS based authentication services across various countries or regions. For pricing details, see Microsoft Entra External ID pricing.

SMS is an add-on feature and requires a linked subscription. If your subscription expires or is cancelled, end users will no longer be able to authenticate using SMS, which could block them from signing in depending on your MFA policy.

Enable SMS as an MFA method

Enable the SMS authentication method in your external tenant for all users.

Sign in to the Microsoft Entra admin center as at least a Security Administrator.

Browse to Entra ID > Authentication methods.

In the Method list, select SMS.

Under Enable and Target, turn the Enable toggle on.

Under Include, next to Target, select All users.

Select Save.

Reference documents which will be helpful:

MFA in external tenants - Microsoft Entra External ID

Add multifactor authentication (MFA) to a customer app - Microsoft Entra External ID

Please let me know if you have any queries.
Pranav 20 Reputation points

2025-06-09T19:17:42.15+00:00

Thanks I think this is what I am looking for . Thanks for your help

Share via

How to enable MFA for entra external tenant

0 additional answers

Your answer