แก้ไข

แชร์ผ่าน


Native authentication challenge types

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

Native authentication supports two authentication methods:

  • Email with one-time passcode (OTP).
  • Email and password with support for self-service password reset (SSPR).

A customer app that uses native authentication to sign in users can use either of the authentication methods. To make successful calls to Microsoft Entra, the app needs to indicate the authentication methods it supports. Microsoft Entra enables the customer app to advertise the authentication methods it supports by using challenge types.

Challenge types are predefined values, which the customer app includes in its request to notify Microsoft Entra about the authentication method the app supports.

Challenge types

The following table contains the supported challenge type values:

Challenge type Description
password This challenge type indicates that the app supports the collection of a password credential from the user.
oob This challenge type indicates that the application supports the use of one-time password or passcode (OTP) codes sent to the user using a secondary channel. Currently, the API supports only email OTP.
redirect This challenge type indicates that the application supports a fallback to the browser-delegated authentication, also known as web fallback. All native authentication compliant apps must support this authentication method. This requirement means that in every call the app makes to Microsoft Entra, it must include this challenge type. If the client app fails to include this challenge type, the request fails.

We add new values in the future when native authentication support new authentication methods.

Challenge types usage

The following table summarizes the challenge type values an app should use for the various authentication flows:

Sign-up flow Sign-in flow SSPR
Email with password oob, password, and redirect oob, password, and redirect oob and redirect
Email OTP oob and redirect oob and redirect Not applicable
  • Apps that use native authentication API must include the redirect challenge type in the list when they indicate the challenge type that they support.
  • Apps that use Android and iOS SDKs don't need to include the redirect challenge type as the SDK automatically includes it.

The following table summarizes what happens if either Microsoft Entra or the client app doesn't support a given challenge type:

Scenario What happens
A client app includes unsupported challenge type Microsoft Entra returns an error as it treats this request as invalid.
A client app fails to include a supported challenge type It indicates that the client app doesn't support a challenge type that the administrator configures in the Microsoft Entra admin center. In this case, Microsoft Entra notifies the client app to use web fallback.