Add multifactor authentication (MFA) to a customer-facing app

Multifactor authentication (MFA) adds a layer of security to your customer-facing applications. With MFA, customers who sign in with a username and password are prompted for a one-time passcode as a second verification method. This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Multi-factor authentication” use case.

Prerequisites

  • A Microsoft Entra customer tenant (if you don't have a tenant, you can start a free trial.
  • A sign-up and sign-in user flow.
  • An app that's registered in your customer tenant, added to the sign-up and sign-in user flow, and updated to point to the user flow for authentication.
  • An account with Conditional Access Administrator, Security Administrator, or Global Administrator privileges to configure Conditional Access policies and MFA.

Note

If you want to enable MFA, set your local account authentication method to Email with password. If you set your local account option to Email with one-time passcode, customers who use this method won't be able to sign in because the one-time passcode is already their first-factor sign-in method and can't be used as a second factor. Currently, one-time passcode is the only method available for MFA in customer tenants.

Create a Conditional Access policy

Create a Conditional Access policy in your customer tenant that prompts users for MFA when they sign up or sign in to your app. (For more information, see Common Conditional Access policy: Require MFA for all users).

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Protection > Security Center.

  4. Select Conditional Access > Policies, and then select New policy.

    Screenshot of the new policy button.

  5. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  6. Under Assignments, select the link under Users.

    a. On the Include tab, select All users.

    b. On the Exclude tab, select Users and groups and choose your organization's emergency access or break-glass accounts.

    Screenshot of assigning users to the new policy.

  7. Select the link under Cloud apps or actions.

    a. On the Include tab, choose one of the following options:

    • Choose All cloud apps.

    • Choose Select apps and select the link under Select. Find your app, select it, and then choose Select.

    b. Under Exclude, select any applications that don't require multifactor authentication.

    Screenshot of assigning apps to the new policy.

  8. Under Access controls select the link under Grant. Select Grant access, select Require multifactor authentication, and then choose Select.

    Screenshot of requiring MFA.

  9. Confirm your settings and set Enable policy to On.

  10. Select Create to create to enable your policy.

Enable email one-time passcode as an MFA method

Enable the email one-time passcode authentication method in your customer tenant for all users.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Protection > Authentication methods.

  3. In the Method list, select Email OTP.

    Screenshot of the email one-time passcode option.

  4. Under Enable and Target, turn the Enable toggle on.

  5. Under Include, next to Target, select All users.

    Screenshot of enabling email one-time passcode.

  6. Select Save.

Test the sign-in

In a private browser, open your application and select Sign-in. You should be prompted for another authentication method.