Four years after Microsoft first announced that a new solution would allow external identity providers to integrate into Conditional Access, Microsoft has announced External Authentication Methods for Microsoft Entra ID!
This new solution brings a huge range of benefits to third-party identity providers, and to the organisations that use them, by integrating them more directly into Microsoft's backbone identity systems.
In this article, I will explain what the new External Authentication methods feature is, how it works and why it will be beneficial for organisations.
What are external authentication methods in Microsoft Entra ID?
External authentication methods in Microsoft Entra enable an external authentication provider to integrate (or connect) directly with Microsoft Entra multifactor authentication. Once integrated with a specific tenant, the external authentication method (EAM) can be used to satisfy the MFA requirement that Conditional Access enforces on certain resources or applications.
Prior to external authentication methods, external authentication providers had to use the Custom Controls feature of Conditional Access. While this could redirect a user's sign-in to the external provider's challenge page, it did not satisfy the MFA requirement in Microsoft Entra, so the MFA grant control within Conditional Access could not be enabled. In this case no MFA claim was issued in the access token, and many security-related functions in Conditional Access could not be used.
Why do you need external authentication methods?
A scenario I like to talk about is from the Managed Service Provider (MSP) perspective. A lot of MSPs use a third-party authentication provider (such as Cisco's Duo) to supply a consistent MFA experience for their clients across systems such as workstations, servers, VPNs and Microsoft Entra. However, when this is deployed in the context of Microsoft Entra, it may add some 'perceived' security, but in a modern threat landscape that is not entirely the case.
If we look at traditional attack tactics, such as credential phishing, an attacker may use compromised credentials to attempt to sign in to Microsoft Entra as that user. Conditional Access, whether requiring MFA or custom controls, would successfully prevent this.
However, attacker methodologies are rapidly evolving, and it is no longer enough to defend only against traditional credential-based attacks. Adversary-in-the-middle (AitM) phishing attacks are seeing increased use in the wild; in these attacks the adversary attempts to steal access tokens instead of passwords. In this scenario, custom controls do not suffice.
This is where Conditional Access comes in: because external authentication methods can satisfy MFA requirements in Conditional Access, administrators can enforce stronger controls such as sign-in frequency and other token protection mechanisms. The MFA claims delivered through external providers can also be used to satisfy PIM role activation, risk-based policies and Intune device registration.
Supported providers for external authentication methods
A handful of providers (as announced by Microsoft) will soon be supported with direct integration as an external authentication method in Microsoft Entra ID. These include:
- Cisco Duo
- Entrust Identity as a service
- HYPR Authenticate
- Ping Identity
- RSA
- Silverfort advanced MFA
- Symantec VIP
- Thales STA
- TrustBuilder MFA
For provider-specific implementation guidance, follow the documentation on the provider's website.
Migrate from custom controls to External Authentication Methods
Naturally, you will want to explore migrating from any existing custom controls to the new external authentication methods feature. Provided you are using one of the supported external authentication methods providers (and not developing your own solution), this should be a simple transition.
From the Microsoft Entra perspective, it is recommended that you create a parallel (side-by-side) Conditional Access policy which targets the same authentication provider, now configured as an external authentication method. Because the policies can run side by side, you can first test the new policy on a subset of users before targeting it at the rest of your users, while excluding them from the custom control policy.
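The side-by-side pilot described above can be scripted with Microsoft Graph PowerShell. This is an added example, not code from the original article: it creates the new policy in report-only mode for a pilot group and excludes that group from the existing custom-control policy. The group object ID and the custom-control policy ID are placeholders you must replace.

```powershell
# Added example: pilot the EAM-backed MFA policy side by side with the old custom-control policy.
Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Policy.Read.All

$pilotGroupId          = '<object-id-of-pilot-group>'              # placeholder
$customControlPolicyId = '<id-of-existing-custom-control-policy>'  # placeholder

# 1. New policy: require MFA (now satisfied by the EAM) for the pilot group on all cloud apps.
#    Report-only mode lets you review the sign-in logs before enforcing.
$newPolicy = @{
    displayName = 'EAM pilot - require MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Sign-in frequency is one of the controls that only works when a real MFA claim is issued.
        signInFrequency = @{ isEnabled = $true; frequencyInterval = 'timeBased'; type = 'days'; value = 1 }
    }
}
$created = Invoke-MgGraphRequest -Method POST -Uri 'v1.0/identity/conditionalAccess/policies' -Body $newPolicy
"Created policy $($created.id) in state $($created.state)"

# 2. Exclude the pilot group from the old custom-control policy so both policies do not apply at once.
#    PATCH replaces the whole conditions object, so read it back and resend it in full.
$old = Invoke-MgGraphRequest -Method GET -Uri "v1.0/identity/conditionalAccess/policies/$customControlPolicyId"
$exclude = @($old.conditions.users.excludeGroups) + $pilotGroupId | Select-Object -Unique
$old.conditions.users.excludeGroups = $exclude
Invoke-MgGraphRequest -Method PATCH `
    -Uri "v1.0/identity/conditionalAccess/policies/$customControlPolicyId" `
    -Body @{ conditions = $old.conditions }
```

Once the report-only sign-in logs show the pilot users satisfying MFA through the EAM, switch the new policy's state to enabled and widen its user scope.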
Create a new external authentication method
To start, you must first create a new external authentication method. To do this, follow the steps below:
1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator or a Global Administrator.
2. Expand Protection, then select Authentication methods > Add external method.
3. Define the name of your authentication method as it should appear in the admin portal and to your end users. Also, define the following information as given by your provider:
- Client ID: The external identity provider’s client ID for Microsoft Entra ID.
- Discovery Endpoint: This endpoint is used to get more configuration data. The full URL, including .well-known/oidc-configuration, must be included in the Discovery URL configured when the EAM is created.
- App ID: This is generally a multitenant Entra application from the external identity provider which is used as part of the integration. You will need to provide admin consent for this application.
When you have entered this information, press the Request permission button to grant admin consent to the provider's multi-tenant application. This allows the provider to read the user information it needs to correctly authenticate the user during sign-in.
4. Lastly, click Enable and ensure you target the EAM to the correct set of users.
Depending on the external authentication provider, the registration experience and expectations for end users may differ. I recommend you refer to the specific vendor documentation and follow their recommended registration experience for end users.
Create a new external authentication method with Microsoft Graph PowerShell
To enable the feature right away and create a new external authentication method using Microsoft Graph PowerShell, use the following example, modifying the:
- displayName
- appId
- clientId
- discoveryUrl
For assistance with installing the Microsoft Graph PowerShell modules, check out my article here.
```powershell
# Requires the Microsoft.Graph.Authentication module. Sign in with a scope that can write
# the authentication methods policy.
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod

# The values below are placeholders: take appId, clientId and discoveryUrl from your provider.
$body = @{
    "@odata.type" = "#microsoft.graph.externalAuthenticationMethodConfiguration"
    displayName   = "Test"
    state         = "enabled"
    appId         = "1234"      # the provider's multitenant Entra application (App ID)
    openIdConnectSetting = @{
        clientId     = "1234"   # the client ID the provider issued for Microsoft Entra ID
        # Full OIDC discovery URL; it must be served over https
        discoveryUrl = "https://ourcloudnetwork.com/.well-known/openid-configuration"
    }
    includeTarget = @{
        targetType = "group"
        id         = "all_users"   # targets everyone; use a group object ID to scope the method
    }
}

# Invoke-MgGraphRequest serialises the hashtable to JSON for the POST
Invoke-MgGraphRequest `
    -Method POST `
    -Uri "beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations" `
    -Body $body
```
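Before sending the request above it is worth confirming that the discovery URL is what Entra expects, and afterwards confirming what was actually registered in the tenant. The following is an added example, not part of the original article; the idp.example.com URL is a constructed placeholder, and the two function names are my own.

```powershell
# Added example: validate an EAM discovery URL, then list the EAMs registered in the tenant.
function Test-EamDiscoveryUrl {
    param([Parameter(Mandatory)][string]$DiscoveryUrl)

    $uri = [Uri]$DiscoveryUrl
    if ($uri.Scheme -ne 'https') { throw "Discovery URL must use https: $DiscoveryUrl" }
    if ($uri.AbsolutePath -notlike '*/.well-known/*') {
        throw "Discovery URL must be the full OIDC metadata path, e.g. https://idp.example.com/.well-known/openid-configuration"
    }

    # Fetch the metadata document and make sure the fields Entra relies on are present.
    $doc = Invoke-RestMethod -Uri $DiscoveryUrl -Method Get
    foreach ($field in 'issuer', 'authorization_endpoint', 'jwks_uri') {
        if (-not $doc.$field) { throw "Discovery document is missing '$field'" }
    }
    # Entra verifies the provider's id_token against the published keys, so jwks_uri must be https too.
    if (([Uri]$doc.jwks_uri).Scheme -ne 'https') { throw "jwks_uri must use https: $($doc.jwks_uri)" }
    if ($doc.id_token_signing_alg_values_supported -and
        'RS256' -notin $doc.id_token_signing_alg_values_supported) {
        Write-Warning "Provider does not advertise RS256 id_token signing; check the vendor's EAM guidance"
    }
    return $doc
}

function Get-ExternalAuthenticationMethods {
    # Read back every method configuration and keep only the external (EAM) entries.
    $result = Invoke-MgGraphRequest -Method GET `
        -Uri "beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations"
    $result.value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.externalAuthenticationMethodConfiguration' } |
        ForEach-Object {
            [pscustomobject]@{
                Id           = $_.id
                DisplayName  = $_.displayName
                State        = $_.state
                AppId        = $_.appId
                ClientId     = $_.openIdConnectSetting.clientId
                DiscoveryUrl = $_.openIdConnectSetting.discoveryUrl
            }
        }
}

# Usage with constructed placeholder values
Connect-MgGraph -Scopes Policy.ReadWrite.AuthenticationMethod
$doc = Test-EamDiscoveryUrl -DiscoveryUrl 'https://idp.example.com/.well-known/openid-configuration'
"Discovery OK, issuer: $($doc.issuer)"
Get-ExternalAuthenticationMethods | Format-Table
```

The issuer returned by the check should match the issuer your provider documents for its Entra integration; a mismatch usually means the wrong tenant or environment URL was copied into discoveryUrl.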