![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 1%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Hi, from what you’re describing, you’re effectively adding a second email, not replacing the Microsoft one. The EmailOtpSend Custom Authentication Extension is meant to let you plug in an alternative email provider for the Email one-time passcode scenario (mainly for Entra External ID). In that model, Microsoft should not send its own OTP email unless you explicitly enable the fallback to Microsoft provider (which only kicks in if your API fails). So if you’re in that flow and you’re seeing duplicates, the first thing to check is that fallback isn’t enabled and that the extension is correctly assigned to the app.
However, if what you’re really doing is trying to customize or replace the standard workforce MFA email OTP in a normal Entra ID tenant, then this is the key point: there is no supported way to suppress the built-in Microsoft MFA email when using a Custom Auth Extension. Custom extensions are not designed to override or replace the default MFA notification mechanisms; they only augment specific flows (like External ID email OTP).
If your goal is truly to bring your own MFA experience (and your own email or OTP delivery), the supported path is to use External Authentication Methods (preview) and integrate an external MFA provider, rather than trying to intercept or replace the native email OTP flow.