Entra External ID - Activate MFA for users and still use Microsoft default security settings

Question

Entra External ID - Activate MFA for users and still use Microsoft default security settings

TECHZARD 0

Hello,

We have implemented Entra External ID, but the users are not getting any MFA when logging in.

When locking at Entra External ID settings. It looks like there is a security policy in place which should activate MFA when considering a log in attempt to be suspicious. However, so far we have not been able to trigger MFA on any of our login attempts.

We are able to activate it to be active on every log in attempt, however this setting then says that we are going outside of Microsoft Standard security settings. And we would like it not to be happening every time.

We have tried to trigger the MFA using VPN and loging on from abroad. But still no success.

We would like to be within Microsoft standard security setting AND that MFA trigger when needed, but ideally not every login attempt (should be some time between it triggers the next time).

Rukmini 30,615 Reputation points Microsoft External Staff Moderator

2026-02-19T11:27:52.96+00:00
Hey TECHZARD! It sounds like you're having a bit of a tough time with enabling MFA (Multi-Factor Authentication) for users in Microsoft Entra External ID, especially when trying to maintain Microsoft’s default security settings. Let’s tackle this step by step!

Here's what you can try:

Check Your Security Defaults: First, confirm if Security Defaults are enabled in your tenant. Security Defaults automatically require MFA under certain conditions, but it also applies to all users whenever necessary, meaning Microsoft manages when users are prompted. You can find more about this here: Security Defaults in Microsoft Entra ID.

Conditional Access Policies: If you want more control over when MFA is triggered, you might want to create a Conditional Access policy. This allows you to specify conditions where MFA is necessary, such as specific geographical locations or risky sign-ins. Follow the guide here: Create a Conditional Access policy.

User Activity Monitoring: If MFA isn’t being triggered during your VPN logins or when logging in from abroad, monitor the user activity and ascertain whether the sign-in attempts are being marked as risky. If the attempts aren't considered risky, MFA won't prompt. You can get more insights on how Microsoft assesses risk here:

Frequency of MFA Prompts: You mentioned that you want to avoid prompting for MFA at every login. With Conditional Access, you can configure the frequency settings. This allows you to specify how often users have to go through MFA, improving user experience while maintaining security.

Testing MFA Triggers: You might want to test different scenarios (like unusual locations, using different devices) to see if those trigger MFA correctly. Make sure the sign-in logs show up in Azure AD to help diagnose what's happening.

Additional Resources

Microsoft Entra External ID Overview

Managing user accounts in Entra External ID

Follow-Up Questions:

To assist you better, could you provide more details on the following?

Are you using Conditional Access policies already, or are you strictly looking at Security Defaults?

Are there specific user roles impacted more than others?

How are you currently logging the user sign-in events, and is there any error or warning noted during these attempts?

Have you checked the conditional access sign-in logs for any insights?

Hope this helps, and let me know how it goes!

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

1 answer

Your answer

Answer 1

To activate MFA for users in Microsoft Entra External ID while still adhering to Microsoft’s standard security settings, you can utilize the built-in security defaults. Security defaults require all users to register for Microsoft Entra multifactor authentication (MFA) and will prompt users for MFA based on risk factors such as location and device. However, if you want to avoid prompting for MFA on every login attempt, you may need to adjust your settings accordingly.

Here are steps you can take:

Enable Security Defaults: Ensure that security defaults are enabled in your Microsoft Entra ID settings. This will enforce MFA registration and prompt users for MFA when necessary without requiring it on every login.
Conditional Access Policies: Consider creating Conditional Access policies that define specific conditions under which MFA is required. This allows you to set parameters such as location, device compliance, and risk level to determine when MFA should be triggered.
Monitor Sign-in Activity: Use the Conditional Access insights and reporting workbook to analyze sign-in logs and understand how MFA is impacting your users. This can help you fine-tune your policies to balance security and user experience.
Test Different Scenarios: Since you mentioned trying to trigger MFA using a VPN and logging in from abroad, ensure that your Conditional Access policies are configured to recognize these scenarios as risky. You may need to adjust the conditions under which MFA is prompted to ensure it activates under the desired circumstances.

By implementing these strategies, you can maintain compliance with Microsoft’s standard security settings while still ensuring that MFA is triggered appropriately based on risk assessments.

Share via

Entra External ID - Activate MFA for users and still use Microsoft default security settings

Here's what you can try:

Additional Resources

Follow-Up Questions:

1 answer

Your answer