External authentication method (EAM) in Entra

Supported providers

At RSA Conference 2024, Microsoft announced integration with these identity providers as launch partners:

  • Cisco
  • Entrust
  • HYPR
  • Ping
  • RSA
  • Silverfort
  • Symantec
  • Thales
  • TrustBuilder

DUO

Duo MFA, also known as Cisco Duo Multi-Factor Authentication, is a cloud-based security solution that adds an extra layer of verification to the login process. It goes beyond just a password (something you know) and requires a second factor (something you have or something you are) to confirm your identity.

Previously, DUO had to be used with Custom Controls, but these had some limitations:

  • Microsoft Entra Multi-Factor Authentication (MFA): Custom controls cannot be used to enforce MFA requirements during sign-in.
  • Microsoft Entra Self-Service Password Reset (SSPR): Custom controls cannot be integrated with the SSPR workflow for resetting passwords.
  • MFA Claim Requirements: Custom controls cannot be used to validate specific MFA claims presented in tokens.
  • Sign-in Frequency Controls: Custom controls cannot be used to define or enforce limitations on how often users can sign in.
  • Privileged Identity Management (PIM) Role Elevation: Custom controls cannot be used to control the elevation of user roles within PIM.
  • Intune Device Enrollment: Custom controls cannot be used as part of the device enrollment process for Microsoft Intune.
  • Cross-Tenant Trusts: Custom controls are not supported for scenarios involving authentication across different Microsoft Entra tenant environments.
  • Device Joining: Custom controls cannot be used to influence the process of joining devices to Microsoft Entra.

You can find it here https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/CustomControls/fromNav/Identity

And more from Learn here

Leveraging EAMs and Conditional Access Together

While custom controls and External Authentication Methods (EAMs) serve distinct purposes, they can be implemented concurrently for enhanced security. Here’s how:

Recommended Approach:

Microsoft recommends configuring two separate Conditional Access policies:

  1. Custom Control Policy: This policy enforces the use of the custom control during sign-in.
  2. MFA Grant Policy: This policy requires Multi-Factor Authentication (MFA) using the EAM.

Deployment Strategy:

  • Utilize test groups for each policy: Assign users to one policy or the other, but not both. This ensures users only encounter one additional verification step at a time.
  • Avoid combining conditions: If a user belongs to a policy encompassing both custom control and MFA requirements, they’ll needlessly experience double verification – first through the custom control, triggering an EAM redirect, then through the EAM itself for MFA.

Benefits:

This approach offers a layered security strategy:

  • Custom Control Policy: Enforces additional security checks tailored to your organization’s needs.
  • MFA Grant Policy: Strengthens authentication with a second factor through the EAM.
  • Test Groups: Mitigate disruption by testing each policy on a limited user base before broader rollout.

External Authentication Methods

Microsoft Entra ID’s External Authentication Methods (EAMs) allow users to leverage existing MFA providers for multi-factor sign-in, fulfilling requirements from Conditional Access, Identity Protection, Privileged Identity Management (PIM), and even individual applications.

Behind the Scenes

When you sign in, security policies for your organization (tenant policies) are checked. These policies determine the authentication strength needed based on the specific resource you’re trying to access. Imagine these policies like access checkpoints with varying security levels.

There can be multiple checkpoints (policies) for a single sign-in, depending on factors like your user group, the application you’re using, the device you’re on, and the perceived risk of the sign-in attempt.

MFA and EAMs

If a policy requires Multi-Factor Authentication (MFA), you’ll need to provide a second layer of verification beyond your password (the first factor). This second factor should be different from your password for increased security.

Some organizations leverage External Authentication Methods (EAMs), which are integrated with Microsoft Entra by administrators. If an EAM is configured for MFA, your sign-in is considered secure after Microsoft Entra validates both:

  • Your initial login through Microsoft Entra (first factor)
  • The additional verification completed through the EAM (second factor)

This two-step process ensures a strong authentication posture for accessing sensitive resources.

EAM Integration and Sign-in Flow

This table summarizes how External Authentication Methods (EAMs) integrate with Microsoft Entra for Multi-Factor Authentication (MFA).

  • EAM Endpoints: EAMs use OpenID Connect (OIDC) and require three publicly facing endpoints:
      1. Discovery endpoint (publishes the provider metadata)
      2. Authentication endpoint (validates the user)
      3. Public certificate URL (verifies the EAM’s identity)
  • User Sign-in: The user attempts to access a Microsoft Entra protected application with a first factor (e.g., password).
  • MFA Requirement: Microsoft Entra determines that additional authentication (MFA) is needed based on Conditional Access policies.
  • EAM Selection: The user chooses the EAM as the second factor.
  • Entra to EAM Redirect: Microsoft Entra redirects the browser session to the EAM URL discovered during EAM creation.
  • Token Exchange: Entra provides an expired/nearly expired token containing user and tenant information.
  • EAM Validation: The EAM verifies the token source (Entra) and its contents.
  • Optional User Information Retrieval: The EAM optionally retrieves additional user details from Microsoft Graph.
  • EAM Authentication: The EAM performs its own authentication (e.g., an additional credential check).
  • Response to Entra: The EAM redirects the user back to Entra with a valid token containing the required claims.
  • Entra Token Validation: Entra validates the EAM’s token signature and contents.
  • Policy Check: Entra checks the token against MFA and other policy requirements.
  • MFA Success (or Failure): If validation succeeds, the MFA requirement is met (other policies may still apply).
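The two validation steps in this flow (the EAM checking the token Entra hands it, and Entra checking the EAM’s token signature and contents) are both OIDC id_token checks. As an added example, not code from the post, Microsoft or Cisco, here is a minimal Go version of both sides: the EAM signs an RS256 id_token and the relying party verifies it, pinning the algorithm and checking the signature before trusting any claim. The claim set, the issuer and audience strings, and the use of amr to assert that a second factor was performed are assumptions of this example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims of the id_token the EAM returns to Entra. Standard OIDC names; which claims Entra demands is assumed, not from the post.
type Claims struct {
	Iss   string   `json:"iss"`   // who minted it: the EAM
	Aud   string   `json:"aud"`   // who it is for: the relying party at Entra
	Exp   int64    `json:"exp"`   // Unix expiry
	Nonce string   `json:"nonce"` // echoed from the request, defeats replay
	Amr   []string `json:"amr"`   // methods satisfied, e.g. "mfa"
}
var b64 = base64.RawURLEncoding
// Sign is the EAM side: a compact RS256 JWT, header.payload.signature.
func Sign(c Claims, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return msg + "." + b64.EncodeToString(sig), err
}
// Verify is the relying side (Entra validating the EAM's token): alg and signature first, then iss, aud, exp, nonce, amr.
func Verify(tok string, pub *rsa.PublicKey, iss, aud, nonce string, now int64) (*Claims, error) {
	p, h, c := strings.Split(tok, "."), struct{ Alg string }{}, Claims{}
	if hdr, _ := b64.DecodeString(p[0]); len(p) != 3 || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // blocks alg=none and HS256 key confusion
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, _ := b64.DecodeString(p[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	} else if body, _ := b64.DecodeString(p[1]); json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != iss, c.Aud != aud: // wrong issuer, or a token minted for someone else
		return nil, errors.New("iss/aud mismatch")
	case c.Exp <= now, c.Nonce != nonce: // stale, or a replay of an earlier response
		return nil, errors.New("expired or replayed token")
	case len(c.Amr) == 0: // nothing asserts that a second factor was actually performed
		return nil, errors.New("no second factor asserted")
	}
	return &c, nil
}
```

In production the public key comes from the provider’s public certificate URL (the third endpoint above) and the nonce is the one the relying party generated for that particular redirect.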

Setup for both

DUO

Create a demo user, using the same UserPrincipalName as in your Entra ID

Choose Application -> Protect an application

Consent, consent!

And it creates an Enterprise application in Entra

Then just hit copy; Cisco and Microsoft really made this easy for you, excellent!

Entra ID

Open Add external method from here https://entra.microsoft.com/#view/Microsoft_AAD_AuthenticationMethods/ExternalAuthAddNewMethod.ReactView

Paste the copied values

Once you hit Request permissions, there is a bug: you have to hit Save, close the menu and open it again before you will see the consent approved.

Consent, consent!

Then you just turn it on and see the magic happen!

Choose can’t use my authenticator; this is not the final state, but how it looks in Preview (I hope)

Choose your favorite EAM

You will be redirected!

No, we will skip that for now.

And you can also choose Push or Bypass code (which is found in your DUO app)

This code …

Goes here in your own DUO mobile app

And success!

And the familiar Stay signed in prompt (if not disabled!)

And you can check the logs from DUO admin portal

And you can see the user creation and the logins in the DUO log

See here for the documentation from DUO

Closure

Beautiful solution and design from both parties; rarely do you see such smooth interaction between two different providers. Excellent feature and execution, Microsoft and Cisco!

If you use one of the supported providers, you can try it out today. If you just want to geek out, you can get a DUO trial from here https://signup.duo.com

Author: Harri Jaakkonen