Microsoft Entra ID Adds External MFA Support, Expanding Third‑Party Identity Provider Integration
What Happened — Microsoft has released external multi‑factor authentication (MFA) for Entra ID, allowing organizations to integrate third‑party MFA providers via OpenID Connect. The feature is generally available and will replace the legacy Custom Controls by September 30, 2026.
Why It Matters for TPRM —
- Enables vendors to meet specific regulatory MFA requirements without abandoning Microsoft’s Conditional Access framework.
- Introduces a new integration point that must be assessed for security posture, data handling, and contractual obligations.
Who Is Affected — Enterprises using Microsoft Entra ID (Azure AD) in any industry, especially those with existing MFA vendor contracts or undergoing M&A integration.
Recommended Actions — Review current MFA architecture, evaluate third‑party MFA providers for compliance, update Conditional Access policies, and plan migration from Custom Controls before the deprecation deadline.
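As a starting point for the migration planning above, this added example (not from the source article or from Microsoft) inventories Conditional Access policies that still reference Custom Controls. It assumes the policies were exported as JSON in the shape of the Microsoft Graph `conditionalAccessPolicy` resource, where Custom Controls appear under `grantControls.customAuthenticationFactors`; those field names, the policy names and the IDs in the sample are not on this page, and the sample data is constructed.

```python
import json
from datetime import date

DEPRECATION = date(2026, 9, 30)  # Custom Controls replacement date stated on this page

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy
# export (assumed format; not real tenant data).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"id": "policy-0001", "displayName": "Finance vendor MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "customAuthenticationFactors": ["control-aaaa"]}},
  {"id": "policy-0002", "displayName": "All users MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                     "customAuthenticationFactors": []}},
  {"id": "policy-0003", "displayName": "Legacy pilot", "state": "disabled",
   "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                     "customAuthenticationFactors": ["control-bbbb"]}},
  {"id": "policy-0004", "displayName": "Session timeout only", "state": "enabled",
   "grantControls": null}
]}
""")

def custom_control_policies(export):
    """Return policies whose grant controls still reference Custom Controls."""
    findings = []
    for policy in export.get("value", []):
        grant = policy.get("grantControls") or {}  # may be null on session-only policies
        factors = grant.get("customAuthenticationFactors") or []
        if factors:
            findings.append({
                "id": policy["id"],
                "name": policy["displayName"],
                "state": policy["state"],
                "operator": grant.get("operator"),
                "built_in": grant.get("builtInControls") or [],
                "custom_controls": list(factors),
            })
    # Enforced policies first: these are the ones in active use.
    return sorted(findings, key=lambda f: f["state"] != "enabled")

def days_remaining(today):
    """Days left before the deprecation date, counted from `today`."""
    return (DEPRECATION - today).days

if __name__ == "__main__":
    for finding in custom_control_policies(SAMPLE_EXPORT):
        print(finding)
    print("days to deadline:", days_remaining(date.today()))
```
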
Technical Notes — External MFA uses OpenID Connect (OIDC) to call the chosen provider; administrators must grant consent for the provider to read user attributes. No new CVEs are disclosed, but the new integration point expands the attack surface for credential‑related threats.
Source: https://www.helpnetsecurity.com/2026/03/25/microsoft-entra-id-external-mfa/