Microsoft Entra Tenant Configuration

Overview

This guide describes how to configure authID as an External Authentication Method (EAM) in Microsoft Entra ID so it can be used as a biometric second factor during MFA challenges.

This configuration is performed entirely in Microsoft Entra and assumes an existing authID OIDC connection has already been created.

Prerequisites

  • Microsoft Entra ID tenant
  • Global Administrator or Authentication Policy Administrator role
  • An existing authID OIDC integration
  • authID OIDC metadata endpoint (standard, fixed OIDC path should go here)
  • Client ID issued by authID

Steps

Step 1: Enable External Authentication Methods

  1. Sign in to Microsoft Entra admin center
  2. Navigate to: Protection > Authentication methods > External authentication methods
  3. Set Enable external authentication methods to On
  4. Save changes

Note:

External Authentication Methods are currently in Preview and must be explicitly enabled per tenant.

Step 2: Register authID as an External Authentication Provider

In External authentication methods, select Add

Provide the following values:

Field                 Value
Name                  authID
OIDC client ID        Client ID from authID
Issuer                authID issuer URL
Discovery endpoint    authID (standard, fixed OIDC path should go here)

Step 3: Configure Claims and MFA Expectations

Microsoft Entra validates the following in the MFA response:

  • acr must match the value sent in the request
  • amr must contain supported authentication method references
  • The returned ID token must be signed by the configured issuer

No additional claim mapping is required.
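As an added example, not part of this guide or of authID's own code, the following Go program performs the checks Step 3 describes on a response ID token: RS256 signature against the issuer's key, acr equal to the value sent in the request, amr containing an accepted method reference, plus the standard OIDC iss, aud, nonce and exp checks a relying party such as Entra applies. The issuer URL, client ID, nonce and the acr/amr strings are constructed placeholders (the real values come from the authID integration and the provider's documentation), and the key pair is generated locally in place of the key the issuer publishes at its jwks_uri.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWS uses URL-safe, unpadded base64

// signIDToken builds a compact RS256 JWS over claims. It stands in for the
// provider's token issuance; the key is generated locally for this example.
func signIDToken(priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail with a valid key
	return input + "." + enc.EncodeToString(sig)
}

// verifyIDToken checks the RS256 signature with the issuer's public key (in production it
// comes from the jwks_uri in the discovery document) and returns the decoded claims.
// Only RS256 is accepted, so the token header cannot downgrade the algorithm.
func verifyIDToken(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, e1 := enc.DecodeString(parts[0])
	pb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("token is not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	return claims, json.Unmarshal(pb, &claims)
}

// MFARequest holds what the relying party sent and must see reflected back.
type MFARequest struct {
	Issuer     string   // issuer URL configured for the provider
	ClientID   string   // client ID issued by the provider
	Nonce      string   // per-request nonce
	ACR        string   // acr value sent in the request
	AllowedAMR []string // amr values the relying party accepts
}

// validateMFAResponse applies the Step 3 checks (signature, acr, amr) plus the
// standard OIDC iss/aud/nonce/exp checks; it returns nil only when all pass.
func validateMFAResponse(pub *rsa.PublicKey, token string, req MFARequest, now time.Time) error {
	claims, err := verifyIDToken(pub, token)
	if err != nil {
		return err
	}
	for name, want := range map[string]string{"iss": req.Issuer, "aud": req.ClientID, "nonce": req.Nonce, "acr": req.ACR} {
		if claims[name] != want {
			return fmt.Errorf("%s claim does not match the request or configuration", name)
		}
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return errors.New("exp missing or in the past")
	}
	amr, _ := claims["amr"].([]any)
	for _, got := range amr {
		for _, allowed := range req.AllowedAMR {
			if got == allowed {
				return nil
			}
		}
	}
	return errors.New("amr contains no supported authentication method reference")
}

func main() {
	// Constructed values: throwaway issuer key, placeholder identifiers, assumed acr/amr strings.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	req := MFARequest{Issuer: "https://issuer.example", ClientID: "client-id-placeholder",
		Nonce: "n-1", ACR: "possessionorinherence", AllowedAMR: []string{"fido", "face"}}
	now := time.Now()
	claims := map[string]any{"iss": req.Issuer, "aud": req.ClientID, "nonce": req.Nonce,
		"acr": req.ACR, "amr": []string{"face"}, "exp": now.Add(5 * time.Minute).Unix()}
	fmt.Println("valid response:", validateMFAResponse(&key.PublicKey, signIDToken(key, claims), req, now))
	claims["acr"] = "pwd" // provider echoed an acr other than the one requested
	fmt.Println("acr mismatch:", validateMFAResponse(&key.PublicKey, signIDToken(key, claims), req, now))
}
```

Run it with `go run`. To adapt it to a real provider, load the public key from the jwks_uri listed in the discovery endpoint configured in Step 2 instead of generating one, and keep the algorithm pinned to what that document advertises; the exp check here applies to the response token, not to the id_token_hint Entra sends in the request.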

Step 4: Assign authID to Users

  1. Navigate to: Protection > Authentication methods > External authentication methods
  2. Select authID
  3. Assign users or groups
  4. Save changes

Note:

Only assigned users will see authID as an available MFA method.

Step 5: Require authID via Conditional Access (Optional)

To enforce authID as an MFA method:

  1. Go to: Protection > Conditional Access
  2. Create or edit a policy
  3. Under Grant, select: Require multi-factor authentication
  4. Apply the policy to the desired users and applications

Step 6: User Experience Validation

If authID is already enabled

  • User is redirected to authID during MFA
  • Successful biometric verification completes sign-in

If authID is not enabled

  1. Navigate to Security Info
  2. Select Add sign-in method
  3. Choose External Authentication Methods
  4. Select authID
  5. Complete enrollment (if required)

User Experience: Adding authID as a Sign-in Method

WIP


Notes and Limitations

  • External Authentication Methods are MFA-only
  • Primary authentication remains managed by Microsoft Entra
  • Token expiration in id_token_hint is ignored by design
  • Microsoft may cache OIDC metadata; allow time for updates