how-to-multifactor-authentication-customers.md

File metadata and controls

107 lines (62 loc) · 7.08 KB
---
title: Add multifactor authentication (MFA) to a customer app
description: Learn how to add multifactor authentication (MFA) to your consumer and business customer (CIAM) application. For example, add email one-time passcode as a second authentication factor to your CIAM sign-up and sign-in user flows.
author: msmimart
manager: celestedg
ms.service: entra-external-id
ms.subservice: customers
ms.topic: how-to
ms.date: 05/09/2024
ms.author: mimart
ms.custom: it-pro
---

Add multifactor authentication (MFA) to an app

[!INCLUDE applies-to-external-only]

In a Microsoft Entra External ID external tenant, you can add a layer of security to your consumer- and business customer-facing applications by enforcing multifactor authentication (MFA). With MFA, customers who sign in with a username and password are prompted for an email one-time passcode as a second verification method each time the policy applies to their sign-in. This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy that requires MFA and by enabling email one-time passcode as an authentication method for the sign-up and sign-in user flow.

Important

If you want to enable MFA, set your local account authentication method to Email with password. If you set your local account option to Email with one-time passcode, customers who use this method won't be able to sign in because the one-time passcode is already their first-factor sign-in method and can't be used as a second factor. Currently, one-time passcode is the only method available for MFA in external tenants.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Multi-factor authentication” use case.

Prerequisites

  • A Microsoft Entra external tenant (if you don't have a tenant, you can start a free trial).
  • A sign-up and sign-in user flow with the local account authentication method set to Email with password.
  • An app that's registered in your external tenant, added to the sign-up and sign-in user flow, and updated to point to the user flow for authentication.
  • An account with at least the Security Administrator role to configure Conditional Access policies and MFA.

Create a Conditional Access policy

Create a Conditional Access policy in your external tenant that prompts users for MFA when they sign up or sign in to your app. (For more information, see Common Conditional Access policy: Require MFA for all users).

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. If you have access to multiple tenants, use the Settings icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Protection > Security Center.

  4. Select Conditional Access > Policies, and then select New policy.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/new-policy.png" alt-text="Screenshot of the new policy button." lightbox="media/how-to-multifactor-authentication-customers/new-policy.png":::

  5. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  6. Under Assignments, select the link under Users.

    a. On the Include tab, select All users.

    b. On the Exclude tab, select Users and groups and choose your organization's emergency access or break-glass accounts.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/new-policy-users.png" alt-text="Screenshot of assigning users to the new policy." lightbox="media/how-to-multifactor-authentication-customers/new-policy-users.png":::

  7. Select the link under Cloud apps or actions.

    a. On the Include tab, choose one of the following options:

    • Choose All cloud apps.

    • Choose Select apps and select the link under Select. Find your app, select it, and then choose Select.

    b. Under Exclude, select any applications that don't require multifactor authentication.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/new-policy-apps.png" alt-text="Screenshot of assigning apps to the new policy." lightbox="media/how-to-multifactor-authentication-customers/new-policy-apps.png":::

  8. Under Access controls select the link under Grant. Select Grant access, select Require multifactor authentication, and then choose Select.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/new-policy-grant-require-mfa.png" alt-text="Screenshot of requiring MFA." lightbox="media/how-to-multifactor-authentication-customers/new-policy-grant-require-mfa.png":::

  9. Confirm your settings and set Enable policy to On.

  10. Select Create to create and enable your policy.

Enable email one-time passcode as an MFA method

Enable the email one-time passcode authentication method in your external tenant for all users.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Protection > Authentication methods.

  3. In the Method list, select Email OTP.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/auth-methods-eotp.png" alt-text="Screenshot of the email one-time passcode option." lightbox="media/how-to-multifactor-authentication-customers/auth-methods-eotp.png":::

  4. Under Enable and Target, turn the Enable toggle on.

  5. Under Include, next to Target, select All users.

    :::image type="content" source="media/how-to-multifactor-authentication-customers/enable-eotp.png" alt-text="Screenshot of enabling email one-time passcode." lightbox="media/how-to-multifactor-authentication-customers/enable-eotp.png":::

  6. Select Save.
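The two portal procedures above (the Conditional Access policy requiring MFA, and the email one-time passcode method enabled for all users) map onto two Microsoft Graph calls. The following added example, which is not part of the original article, builds those request bodies, lints them for the properties the steps above configure (all users included, break-glass accounts excluded, grant control set to MFA, Email OTP enabled and targeted at all users), and only then sends them. The policy name, the break-glass object ID and the application ID are placeholders; the token must be issued for the external tenant and carry the Policy.ReadWrite.ConditionalAccess and Policy.ReadWrite.AuthenticationMethod permissions, which the article does not discuss.

```python
"""Added example (not from the article): Graph equivalents of the portal steps.

Constructed placeholders: the policy name, break-glass object ID and app ID.
The HTTP calls assume a bearer token for the external tenant with
Policy.ReadWrite.ConditionalAccess and Policy.ReadWrite.AuthenticationMethod.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_mfa_policy(name, break_glass_ids, app_ids=None, enforce=True):
    """conditionalAccessPolicy: include All users, exclude break-glass, require MFA.

    app_ids=None corresponds to 'All cloud apps' in step 7a; a list of app IDs
    corresponds to 'Select apps'. enforce=False creates the policy in
    report-only mode so the sign-in logs can be checked before enforcement.
    """
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": list(app_ids) if app_ids else ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def build_email_otp_config():
    """emailAuthenticationMethodConfiguration: enabled and targeted at all users (steps 4-5)."""
    return {
        "@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
        "id": "Email",
        "state": "enabled",
        "includeTargets": [
            {"targetType": "group", "id": "all_users", "isRegistrationRequired": False}
        ],
    }


def lint_mfa_policy(policy):
    """Return a list of problems; an empty list means the policy matches the article's intent."""
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") != ["All"]:
        problems.append("policy does not include All users")
    if not users.get("excludeUsers"):
        problems.append("no break-glass accounts excluded (step 6b)")
    controls = policy.get("grantControls") or {}
    built_in = controls.get("builtInControls", [])
    if "mfa" not in built_in:
        problems.append("grant control does not require MFA")
    if "block" in built_in:
        problems.append("policy blocks access instead of requiring MFA")
    if policy.get("state") not in ("enabled", "enabledForReportingButNotEnforced"):
        problems.append("policy is disabled")
    return problems


def lint_email_otp_config(cfg):
    """Check that email OTP is on and reaches every user, otherwise MFA prompts can't be satisfied."""
    problems = []
    if cfg.get("state") != "enabled":
        problems.append("email OTP method is not enabled")
    if not any(t.get("id") == "all_users" for t in cfg.get("includeTargets", [])):
        problems.append("email OTP is not targeted at all users")
    return problems


def graph_request(method, path, token, body):
    """One Graph call; kept separate so the builders and linters stay testable offline."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def apply_mfa(token, policy, otp_cfg):
    """Lint both bodies, enable the method first, then create the policy that relies on it."""
    problems = lint_mfa_policy(policy) + lint_email_otp_config(otp_cfg)
    if problems:
        raise ValueError("; ".join(problems))
    graph_request("PATCH", "/policies/authenticationMethodsPolicy/"
                  "authenticationMethodConfigurations/Email", token, otp_cfg)
    return graph_request("POST", "/identity/conditionalAccess/policies", token, policy)


if __name__ == "__main__":
    # Placeholder IDs (constructed); print the bodies instead of calling Graph.
    demo = build_mfa_policy("CA001: Require MFA for all customers",
                            ["00000000-0000-0000-0000-000000000001"], enforce=False)
    print(json.dumps(demo, indent=2), lint_mfa_policy(demo))
    print(json.dumps(build_email_otp_config(), indent=2))
```

`apply_mfa` enables the Email OTP method before it creates the Conditional Access policy, the reverse of the portal order above, so that the policy never demands a factor that isn't yet available; creating the policy with `enforce=False` first and reviewing the sign-in logs before switching it to `enabled` is the usual way to stage the rollout.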

Test the sign-in

In a private browser window (so that an existing session doesn't satisfy the sign-in), open your application and select Sign-in. After you enter the email address and password of a customer account, you should be prompted for a second authentication method: an email one-time passcode sent to that address.