Add multifactor authentication (MFA) to an app

In a Microsoft Entra External ID external tenant, you can add a layer of security to your consumer- and business customer-facing applications by enforcing multifactor authentication (MFA). With MFA, each time a user signs in, they're required to provide an email one-time passcode. This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

Important

If you want to enable MFA, set your local account authentication method to Email with password. If you set your local account option to Email with one-time passcode, customers who use this method won't be able to sign in because the one-time passcode is already their first-factor sign-in method and can't be used as a second factor. Currently, one-time passcode is the only method available for MFA in external tenants.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Multi-factor authentication” use case.

Prerequisites

  • A Microsoft Entra external tenant (if you don't have a tenant, you can start a free trial).
  • A sign-up and sign-in user flow with the local account authentication method set to Email with password.
  • An app that's registered in your external tenant, added to the sign-up and sign-in user flow, and updated to point to the user flow for authentication.
  • An account with at least the Security Administrator role to configure Conditional Access policies and MFA.

Create a Conditional Access policy

Create a Conditional Access policy in your external tenant that prompts users for MFA when they sign up or sign in to your app. (For more information, see Common Conditional Access policy: Require MFA for all users).

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Protection > Security Center.

  4. Select Conditional Access > Policies, and then select New policy.

    Screenshot of the new policy button.

  5. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  6. Under Assignments, select the link under Users.

    a. On the Include tab, select All users.

    b. On the Exclude tab, select Users and groups and choose your organization's emergency access or break-glass accounts.

    Screenshot of assigning users to the new policy.

  7. Select the link under Cloud apps or actions.

    a. On the Include tab, choose one of the following options:

    • Choose All cloud apps.

    • Choose Select apps and select the link under Select. Find your app, select it, and then choose Select.

    b. Under Exclude, select any applications that don't require multifactor authentication.

    Screenshot of assigning apps to the new policy.

  8. Under Access controls, select the link under Grant. Select Grant access, select Require multifactor authentication, and then choose Select.

    Screenshot of requiring MFA.

  9. Confirm your settings and set Enable policy to On.

  10. Select Create to create and enable your policy.
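The policy built in the steps above, expressed as a document you can keep in source control and check before it is applied. This is an added example, not part of the original article: it assumes the Microsoft Graph conditionalAccessPolicy resource shape (displayName, state, conditions.users, conditions.applications, grantControls), which the article does not mention, and the object IDs are placeholders.

```python
"""Build and audit a Conditional Access policy matching the walkthrough:
All users included, break-glass accounts excluded, all (or selected) apps
targeted, access granted only with MFA, policy enabled. The dictionary
shape follows the Microsoft Graph conditionalAccessPolicy resource (an
assumption of this example; the article only shows admin-center steps)."""

# Placeholder: replace with the object ID of your break-glass account.
BREAK_GLASS_IDS = ["<break-glass-account-object-id>"]


def build_require_mfa_policy(name, break_glass_ids, app_ids=None, enabled=True):
    """Return the policy body for steps 5 to 9 of the walkthrough."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": list(app_ids) if app_ids else ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def audit_policy(policy):
    """Return findings for a policy that would not enforce MFA as intended.
    An empty list means the policy matches the walkthrough."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (report-only or off)")
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not include All users")
    if not users.get("excludeUsers"):
        findings.append("no break-glass accounts excluded; risk of admin lockout")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if not apps:
        findings.append("no cloud apps targeted")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant control does not require multifactor authentication")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any one listed control satisfies the grant, so MFA is optional.
        findings.append("OR operator lets another control satisfy the grant without MFA")
    return findings


if __name__ == "__main__":
    policy = build_require_mfa_policy("Require MFA for all users", BREAK_GLASS_IDS)
    print(audit_policy(policy))  # [] when the policy matches the walkthrough
```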

Enable email one-time passcode as an MFA method

Enable the email one-time passcode authentication method in your external tenant for all users.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Protection > Authentication methods.

  3. In the Method list, select Email OTP.

    Screenshot of the email one-time passcode option.

  4. Under Enable and Target, turn the Enable toggle on.

  5. Under Include, next to Target, select All users.

    Screenshot of enabling email one-time passcode.

  6. Select Save.

Test the sign-in

In a private browser, open your application and select Sign-in. You should be prompted for another authentication method.