Microsoft's External MFA Changes the IAM Equation
With External Authentication Methods now generally available, organizations running on E5 can integrate a third-party MFA provider and keep every Conditional Access feature they've already built. That changes the calculus for how you buy identity tools.
The choice that no longer has to be a choice
For years, organizations have faced a structural trade-off in identity and access management. On one side: Microsoft Authenticator and Entra ID, tightly woven into the Microsoft 365 ecosystem and backed by Conditional Access policies that govern who gets in, from where, and under what conditions. On the other: third-party MFA providers like Cisco Duo, Ping Identity, and RSA — mature, cross-platform, and often already embedded in environments that predate an organization's Microsoft investment. Choosing one meant compromising the other.
Microsoft tried to bridge the gap in 2020 with Custom Controls, a mechanism that let Conditional Access policies hand off authentication to a third-party provider. But Custom Controls ran on a parallel track. They didn't connect to the standard "Require MFA" grant control, which meant policies had to be written and maintained differently depending on which MFA method was in play. It was a workaround, not integration.
The result: companies running two conditional access frameworks side by side — one for Microsoft-native MFA, one for everything else — with all the policy drift, audit complexity, and operational overhead that entails.
"The core problem was that third-party MFA and Microsoft Conditional Access were parallel systems. EAM makes them one system."
What changed on March 24, 2026
External Authentication Methods (EAM) reached general availability. Unlike Custom Controls, EAM is built on OpenID Connect — the same protocol that underpins modern identity federation. The flow works like this: Entra ID evaluates a Conditional Access policy and determines that MFA is required. Instead of routing to Microsoft Authenticator, it redirects the user to a third-party provider via OIDC. The provider authenticates the user, returns a signed token, and Entra validates it. The MFA requirement is satisfied the same way it would be with Microsoft Authenticator. No special policy. No parallel track.
What EAM unlocks with a third-party MFA
Require MFA grant
Third-party MFA now fully satisfies the standard Conditional Access grant. Policies don't need to be rewritten.
PIM activation
Privileged Identity Management role activations now accept external MFA methods.
Identity Protection
Risk-based policies that trigger MFA on suspicious sign-in risk can route through an external provider.
Sign-in frequency
Session controls and reauthentication intervals work alongside external MFA.
Supported vendors
Cisco Duo, Ping Identity, RSA, WatchGuard AuthPoint, and others. The model is open.
What this means for E5 and Microsoft-heavy shops
E5 already includes Entra ID P2, which means Conditional Access, Identity Protection, and Privileged Identity Management are part of the license you're already paying for. EAM doesn't change what E5 includes. What it changes is how much of that investment you can leverage while still using a third-party MFA provider.
EAM separates the policy framework from the MFA method. Before, if you wanted third-party MFA to participate fully in Conditional Access — including risk-based triggers, PIM activation, and sign-in frequency controls — you couldn't. Custom Controls gave you a partial bridge, but it was always a second-class integration. Now the method is decoupled from the engine.
Before EAM, the argument for full IAM platforms from vendors like Okta or Ping was partly about feature parity. You needed their policy engine because Microsoft's wouldn't work with their MFA. That argument weakens when Microsoft's policy engine works natively with third-party credentials. It doesn't eliminate the case for those platforms entirely — there are legitimate reasons to centralize identity management outside of Microsoft — but it removes one of the strongest forcing functions.
Now organizations can right-size: use a third-party provider as the credential and authentication layer, and Entra ID as the policy engine. Whether that translates to actual cost reduction depends on existing contracts, deployment complexity, and whether you need capabilities that sit outside of what EAM covers. But the option is now real in a way it wasn't before.
What EAM still does not cover
Coverage gaps, confirmed at GA
Windows device login
EAM covers cloud-based Entra ID sign-ins only, not the Windows login screen. Duo's Windows Logon credential provider is a separate product that addresses this gap independently.
Authentication Strengths
This is the most important limitation. EAM does not satisfy Authentication Strengths policies — only the standard Require MFA grant. If you've built policies around Authentication Strengths (phishing-resistant MFA, for example), external methods won't satisfy them. Microsoft's documentation confirms this explicitly.
On-premises and hybrid
EAM operates at the Entra ID layer only. WatchGuard's documentation explicitly notes no coverage for on-prem Active Directory, LDAP, or AD FS scenarios.
System-preferred MFA
System-preferred MFA does not apply to external methods. Users must manually select the external provider from the sign-in options.
Outcomes for security and IT teams
If you're on E5 with Microsoft Authenticator only
Fill coverage gaps without replacing CA investment
If Microsoft Authenticator doesn't cover all your use cases — legacy apps, cross-platform endpoints, specific compliance requirements — you can now add a third-party MFA layer without sacrificing Conditional Access integration.
Authentication Strengths compatibility
If you've adopted Authentication Strengths policies for phishing-resistant MFA, external methods won't satisfy them. Audit your policies before assuming EAM is a drop-in addition.
If you're running a third-party IAM platform alongside Microsoft
Migrate off Custom Controls before September 2026
Custom Controls are on a deprecation path. EAM is the replacement. If you're using Duo, the migration documentation is already available. Plan this migration now, not when the deadline arrives.
Whether you need the full platform or just the MFA layer
EAM lets you use Entra as the policy engine and a third party as the MFA provider. If the main reason you're paying for a full IAM platform is MFA integration with Conditional Access, that reason just got weaker.
If you're evaluating IAM vendors now
What you're actually buying the platform for
If it's MFA that works with Conditional Access, EAM may eliminate that requirement. If it's lifecycle management, governance, or non-Microsoft application SSO, those are separate conversations that EAM doesn't address.
Windows login requirements before finalizing stack
EAM doesn't cover Windows device login. If your security posture requires MFA at the device level, you'll still need a separate credential provider. Factor that into your vendor evaluation and total cost.
The bottom line
EAM removes the structural choice between Conditional Access and third-party MFA. For the first time, organizations can use Microsoft's policy engine — the one they're already paying for with E5 — and plug in whatever MFA provider fits their environment. That's not a minor configuration change. It's a shift in how the identity market works.
For E5 customers, the cost of adding a third-party MFA layer drops. You no longer need a competing policy engine just to use a competing authenticator. The MFA provider becomes a component, not a platform commitment. That changes vendor leverage and contract negotiations in a meaningful way.
Gaps remain, and they matter. Windows device login is out of scope. Authentication Strengths — Microsoft's framework for phishing-resistant MFA — doesn't recognize external methods. On-prem and hybrid scenarios aren't covered. These aren't edge cases for most enterprises; they're core requirements. Any deployment plan needs to account for them explicitly.
The direction, though, is clear. Microsoft is building the identity policy plane that third parties plug into, rather than competing with them at every layer. If you're renewing an IAM contract in the next 12 months and you're on E5, model what EAM changes before you sign. The math may be different now.
Related
- Okta — Vendor Profile
- CyberArk — Vendor Profile
- Ping Identity — Vendor Profile
- Yubico — Vendor Profile
- Microsoft Sentinel Cost Analysis
Hard to keep up with. Easy to get wrong.
The IAM market moves fast. We track this so you don't have to. We factor the real constraints into every recommendation we make, including the ones vendors won't lead with. No consulting fee. We earn on competitive pricing when you buy.
Start a ConversationSources
- Microsoft: External MFA GA announcement — techcommunity.microsoft.com
- Microsoft Learn: External MFA Method Provider Reference — learn.microsoft.com
- Microsoft Learn: Custom Controls deprecation — learn.microsoft.com
- Cisco Duo: EAM integration docs — duo.com
- Cisco Duo: Windows Logon & RDP — duo.com
- WatchGuard: AuthPoint EAM docs — watchguard.com
Written by Adrian Tilston, CEO, Charting Cyber