Microsoft Entra ID: Retirement of Custom Controls in Conditional Access and migration to External MFA

🚨 The Signal: Microsoft Entra ID is replacing Conditional Access Custom Controls with External MFA for third-party MFA. This standardises integration, improving security and supportability for organisations using non-Microsoft MFA solutions.

The Impact

Organisations using Custom Controls for third-party MFA face a mandatory migration to External MFA, improving authentication security.

  • Security Teams: Must plan and execute migration of Conditional Access policies.
  • Entra ID Admins: Will reconfigure Conditional Access policies to use External MFA.
  • Third-party MFA users: Experience a more standardised and secure authentication flow.
  • Organisations: Benefit from improved long-term support and interoperability.

The Action

  1. Identify Conditional Access policies currently using Custom Controls.
  2. Review documentation for migrating Custom Controls to External MFA.
  3. Configure External MFA as an authentication strength in Microsoft Entra ID.
  4. Update Conditional Access policies to leverage External MFA for third-party MFA providers.
  5. Test updated Conditional Access policies thoroughly before full deployment.

Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907