How do I enable my custom authentication extension for sending OTP codes to our users for sign in/up

Griffon Lee 0 Reputation points
2025-12-17T17:54:19.7433333+00:00

Hello, I have created a "Custom Authentication Extension" for the "EmailOtpSend" event for my external ID tenant. This tenant is used to manage users accessing our API site.

I have followed various documentation relating to creating one, and setting it up, but there is no clear answer on how to actually use it for the application. Documentation here

I have also seen conflicting answers on whether to assign it in a user flow event, but the only event available in our user flows, no matter if you pick "Email One-Time-Code" in the identity providers, is "Before collecting information from the user" and "When a user submits their information".

The custom extension I have created points to a web-API that takes the data that Microsoft is sending and returns the response that they're expecting. Documentation here

It doesn't look like the external tenant is even using the API, according to the Application Insights that's set up for my web app. So that leads me to believe there is another place I need to add this custom extension to get it to be used.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. RoryB 275 Reputation points
    2025-12-18T01:09:16.6566667+00:00

    I have successfully got the OTP code sent to the API when I do a "Forgot Password".

    Have you configured the extension under:

    "External Identities | Custom authentication extensions"

    You don't configure it inside the user flow.


  2. Monalisha Jena 4,220 Reputation points Microsoft External Staff Moderator
    2025-12-18T12:18:04.2966667+00:00

    Hello Griffon Lee,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I will try to clarify your doubts and propose you some solutions.

    So, you created a custom authentication extension of type EmailOtpSend (OnOtpSend) that points to your REST API. For this extension to be invoked, it must be:

    Registered with event type EmailOtpSend (or OnOtpSendCustomExtension in Graph), and

    Assigned to the app registration that uses Email OTP as an identity provider, either via the portal or Graph, effectively setting a custom email provider for that application. Without that assignment, the event listener is not bound to your app's user flow, so the OTP send event never triggers your extension.

    I would suggest you check the points below:

    • Has admin consent been granted to the app registration created for the extension (API permissions > "Grant admin consent")?
    • In the Applications step of the custom authentication extension wizard, did you actually select the application that uses Email OTP (the app that backs your API site) or tick "Apply to entire tenant"?
    • In your External ID user flow, do you have Email one-time passcode enabled as an identity provider, and is that user flow associated with the same application to which you assigned the extension?
    • Are you testing with that specific user flow (sign-up/sign-in) from the corresponding application?

    In the meantime, I would recommend the following solutions.

    Microsoft's official guidance for custom email OTP providers lays out three main steps: build the API, create the custom auth extension, and assign it to the app.

    1. Verify the extension is correctly created

    You can follow Configure a custom email provider for one time passcode to confirm your extension setup:

    • Go to Microsoft Entra admin center > Identity > External Identities > Custom authentication extensions.
    • Open your extension and verify:
      • Event type is EmailOtpSend.
      • Target URL is your function/API endpoint URL.
      • Timeout / retries / error handling are configured appropriately (e.g., fallback to Microsoft default email OTP or show error, as needed).

    In API permissions of the generated app registration, click Grant admin consent for the tenant so Entra can obtain tokens to call your API.

    Please do refer below docs for better understanding:

    https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-overview

    https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-email-otp-get-started?tabs=azure-communication-services%2Cazure-portal

    2. Assign the custom email provider to your application

    This is the critical missing step. You must associate the extension with the app that uses Email OTP:

    In the portal wizard (Step 3 of the article):

    While creating/editing the custom authentication extension, go to the Applications tab.

    Select the app registration that corresponds to your API site / user flow (for example, “My API app”).

    Optionally choose "Apply across the tenant" if you want it global.

    Or via Microsoft Graph, call the assignment section shown in Step 3.4 Assign a custom email provider to your app:

    Use POST to /beta/identity/customAuthenticationExtensions to create the extension (already done), then

    Use the documented request to link {customExtensionObjectId} to your application (using EventListener.ReadWrite.All delegated permission).

    Until this assignment is in place, your app's Email OTP flows will still use the default Microsoft email provider.

    3. Confirm the user flow and application are aligned

    In External Identities → User flows, open the relevant sign‑up/sign‑in flow.

    Ensure Email one-time passcode is enabled as an identity provider for that flow.

    Ensure your application is configured to use this user flow (reply URL, policy name, etc. depending on your app type).

    When a user signs up or signs in with Email OTP using that user flow, Entra should trigger the OnOtpSend event; because your app is assigned, the custom extension must be invoked.

    4. Validate that the API is called

    Use the reference for EmailOtpSend event data to check that your API processes the request correctly:

    The request body will contain:

    • The user email (identifier).
    • The OTP.
    • Context info (application, locale, etc.).

    Log the incoming body and headers in your API and confirm requests arrive when you trigger Email OTP sign‑up/sign‑in.

    Please do refer below doc for better understanding:

    https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-email-otp-send-data

    5. If still not invoked, double-check scope and preview limitations

    Confirm your tenant is an External ID tenant and that custom email provider / EmailOtpSend is available and enabled (feature is GA/preview depending on time; docs note it applies to external tenants).

    Check that you are testing scenarios that actually use Email OTP (sign-up via email address, sign-in via Email OTP, password reset via Email OTP, or Email OTP MFA) because only those trigger OnOtpSend.

    Please do refer below links for better understanding:

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock

    https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-user-experience

    https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa

    https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-email-otp-send-data

    Hope this helps!

    If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha

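As an added example for the "Validate that the API is called" step above (not code from the original answer or from Microsoft's samples), a minimal handler for the extension API: it checks that the bearer token Entra presents is issued by the expected tenant for the extension's own app registration, and it logs the callout with the OTP masked, so that "log the incoming body" does not leave live one-time codes in Application Insights. The client ID, tenant ID, issuer URL, the `data.otpContext.identifier` / `onetimecode` field names and the assumption that JWT signature verification happens in your web framework are all placeholders or assumptions to confirm against the linked reference.

```python
import json
import logging
import time

log = logging.getLogger("otp-extension")

# Placeholders (constructed for this example): use the client ID of the app
# registration Entra created for the extension, your External ID tenant ID, and
# the issuer value that appears in tokens your tenant actually issues.
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-000000000000"
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"

def redact_otp(code):
    """Mask the code so logs (e.g. Application Insights) never hold a usable OTP."""
    return ("*" * (len(code) - 1) + code[-1]) if code else ""

def caller_is_entra(claims, now=None):
    """Check audience, issuer, tenant and expiry of the bearer token's claims.
    Assumption: the JWT signature was already verified by your JWT library."""
    now = time.time() if now is None else now
    return (claims.get("aud") == EXPECTED_AUDIENCE
            and claims.get("iss") == EXPECTED_ISSUER
            and claims.get("tid") == EXPECTED_TENANT
            and float(claims.get("exp", 0)) > now)

def handle_otp_send(claims, body, now=None):
    """Reject callouts not from Entra, log a redacted record, return parsed fields.
    Keys data.otpContext.identifier/.onetimecode are assumed; check the reference."""
    if not caller_is_entra(claims, now):
        log.warning("EmailOtpSend callout rejected: token claims do not match")
        return {"accepted": False}
    event = json.loads(body)
    ctx = event["data"]["otpContext"]
    identifier, code = ctx["identifier"], ctx["onetimecode"]
    # This line proves the callout arrived without writing the code to the log.
    log.info("EmailOtpSend for %s from %s otp=%s",
             identifier, event.get("source"), redact_otp(code))
    return {"accepted": True, "identifier": identifier, "otp": code}

# Constructed sample callout and token claims so the module runs stand-alone.
SAMPLE_BODY = json.dumps({
    "source": f"/tenants/{EXPECTED_TENANT}/applications/my-api-app",
    "data": {"otpContext": {"identifier": "user@example.com", "onetimecode": "493027"}},
})
SAMPLE_CLAIMS = {"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
                 "tid": EXPECTED_TENANT, "exp": 2_000_000_000}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_otp_send(SAMPLE_CLAIMS, SAMPLE_BODY))
```

The returned `otp` is what your email-sending call consumes; it is never written to the log line.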
