Microsoft Entra External Authentication Is Now Generally Available!

-



There’s a moment every identity engineer knows too well: you’re designing an access flow, everything looks clean on paper, and then someone says the words that derail the whole architecture—“We need to use our existing MFA provider.” Historically, that sentence meant pain. You either duct‑taped Custom Controls into Conditional Access, built brittle redirects, or told the business “no” and hoped they forgot. Finally, that tailspin is over.

Microsoft has rolled out a new capability in Entra that changes the external authentication story entirely. Instead of relying on proprietary hooks or deprecated features, Entra now supports standards‑based external authentication using OpenID Connect. In plain English: you can plug in a third‑party identity or MFA provider, and Entra treats it like its own.

Why This Matters More Than You Think

Identity teams have been asking for this for years, and not because they enjoy wiring up extra systems. The real world is messy. Organizations merge. Universities collaborate. Vendors bring their own identity stacks. Security teams standardize on MFA platforms that aren’t Microsoft. Until now, Entra’s answer was basically “use what we give you.”

External authentication changes that dynamic.

You can now:

  • Redirect users to a third‑party IdP during sign‑in
  • Enforce Conditional Access using an external MFA provider
  • Build authentication strengths that include non‑Microsoft factors
  • Integrate national, sector‑specific, or custom identity systems
  • Replace Custom Controls with something that won’t disappear in six months

And because it’s all OIDC under the hood, you’re not locked into a vendor list. If the provider speaks the protocol correctly, Entra will accept it.

How It Works

At the heart of this feature is a simple concept: Entra expects a standards‑compliant OIDC provider. That means your external IdP must expose:

  • A discovery document
  • Authorization and token endpoints
  • A JWKS endpoint with stable signing keys
  • ID tokens with valid issuer, audience, and signature

Once you register that provider in Entra, you can bind it to Conditional Access. From there, the flow becomes seamless: user signs in -> Entra redirects to your IdP -> user authenticates -> Entra validates the token -> access granted.

No hacks. No custom XML. No hoping it doesn't break somehow.

Where This Fits in the Identity Landscape

This feature lands at a perfect moment. Organizations are moving toward:

  • Zero Trust architectures
  • Multi‑IdP ecosystems
  • Stronger MFA requirements
  • Decentralized identity models
  • Sector‑specific authentication (education, healthcare, government)

Entra’s new external authentication capability gives identity teams the flexibility they’ve been missing. It also opens the door for scenarios that were previously painful or impossible—like integrating a custom OIDC provider you built or another provider that you must use for any number of reasons.

The Bottom Line

Microsoft finally delivered a clean, standards‑based way to integrate external identity and MFA providers into Entra. It’s flexible, future‑proof, and—most importantly—built on open protocols.

This is one of those features that unlocks a lot of possibilities. Whether you’re running a building apps, incorporating multiple IdP's from within your environment, or just trying to clean up your Conditional Access policies, external authentication is going to make your life easier.

Until next week folks!


Comments

Post a Comment

Popular posts from this blog

Using Power Automate to Update Contact Information

-
 We've all been there- you have a large organization who has out-of-date contact information. What do you do? You could go around to each department and ask them nicely to update their information, or send out an org-wide email prompting people to do so. However, this is tedious and oftentimes a pointless task. By the time you update one department, you're running to fix another. What if you could put the power back in the department's hands to do so? This is a struggle I faced recently as I was trying to find was I could conjure up some updated contact information for each department. As I did my research, I found that I was not alone in this endeavour as it seems that many IT professionals would love to make this process a little bit less painful. With this in mind, I introduce to you my latest flow! This flow will allow you to encourage users to update their contact information, without the overhead that comes with manual effort. In addition to this, this flow utilizes t...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part One

-
Happy June folks! I come to you with another post, but this time I wanted to change it up and show you something else I have just finished working on. As a SysAdmin, one of the most common issues we run into is managing licenses. Working at a post-secondary institution makes this an even greater challenge, as you have both students, staff and faculty constantly coming as well as going. Managing to keep up with this constant change can introduce great administrative overhead which takes away time from important upkeep of other systems and initiatives. You may also notice this same issue in large corporations or in other government organizations. To help combat this, I wanted to create a flow that can do the following: Get the user and their licenses Determine their last sign-in and the date Conditional to determine if the user is past the "cutoff" date Remove the user from a group where the license is assigned The only problem with doing this is that Power Automate does not ha...
Read more

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part Two

-
Hello again! Didn't I promise you that I'd be back to wrap this up? Well, here I am to give you the second tidbit of information that you need to get this started. If you haven't already, take a look at my previous post where I go into depth about creating a custom connector in Power Automate to retrieve the latest sign-in and also gather the user's licenses. Now that we have the custom connector ready, we can now get into the meat n' potatoes of this series. In this post, I will show you the flow that makes this possible and how you can use the custom connector you have created to tie it all together! Hope you enjoy. Understanding the Logic Before we can begin creating the flow, we should first understand how the flow will work. I designed this to flow to be triggered manually, but you may want to schedule it or use another trigger. The trigger will depend on your organization's policies, so please adjust accordingly. Once triggered, the flow will use the Entra...
Read more