Advancing MFA with Entra ID Authentication Backed by Nine ISVs
Earlier this year, Microsoft reported that the percentage of Entra ID accounts using multifactor authentication had reached 38%. That figure isn’t very impressive, but at least it represents a twelve-point increase since 2022. I guess some haven’t yet read the memo explaining that multifactor authentication is still the best way to avoid account compromise (something Microsoft discovered for themselves with the Midnight Blizzard affair).
To be fair to Microsoft, they continue to push the boundaries to make multifactor authentication easier and more secure to use, notably in the recent announcement of preview support for device-bound passkeys in the Authenticator app. However, I’m not sure that phishing-resistant passkeys will be the thing that forces the decision in many companies. Just getting people to use normal challenge-response with the Authenticator app would be a great step forward.
Leveraging Third-Party Authentication Solutions
Which brings me to the May 2 announcement about Entra ID’s support for external authentication methods. This public preview demonstrates how to integrate and use third-party multifactor authentication solutions with Entra ID by defining the solutions as valid authentication methods, just like out-of-the-box methods such as SMS (which shouldn’t be used now) and the Authenticator app (Figure 1). The preview is due for availability in mid-May. This initiative replaces the previous custom control solution, which never left preview.
Entra ID is quite capable of handling multifactor authentication and many Microsoft 365 tenants have bought fully into the Entra ID stack and have no need for third-party enhancements. But equally so, it’s common to find that large organizations select a multifactor authentication solution for use across multiple platforms, multiple applications, and multiple clients. In these scenarios, it makes sense for Entra ID to be able to hand off a connection to a third-party solution to perform the multifactor challenge and response before returning a response for Entra ID to verify and accept.
Microsoft points out that the integration between Entra ID and the third-party authenticators uses industry standards and is managed in the same way as native Entra ID authentication methods. Entra ID handles multifactor authentication through conditional access policies, which dictate when connections must satisfy multifactor authentication. Conditional access policies can insist on a certain strength of authentication (like phishing-proof), but it’s usually sufficient for a connection to satisfy an authentication method to proceed.
Because Entra ID and third-party authentication methods indicate if a connection satisfies a multifactor challenge, it means that Entra solutions like Privileged Identity Management (PIM) respond to authentication in the same way. The result is that companies can leverage their investment in third-party authentication solutions alongside Entra ID, which is the best of both worlds.
Nine ISVs to Support Entra ID Authentication
Microsoft’s announcement details support for nine third-party authentication solutions:
- Cisco Duo
- Entrust Identity
- HYPR Authenticate
- Ping Identity
- RSA
- Silverfort advanced MFA
- Symantec VIP
- Thales STA
- TrustBuilder MFA
It’s a good lineup and more solutions are likely to be added. Microsoft documentation is available for ISVs to know how to connect their solutions to Entra ID by defining an authentication method.
Increasing the MFA Percentage
I’m looking forward to seeing how many Microsoft 365 tenants integrate third-party authentication solutions with Entra ID. The logic behind leveraging what’s already deployed is inescapable. All that’s needed now is implementation, where it makes sense (of course).
One more comment. Adding authentication methods to Entra ID expands the capability to handle inbound connections more thoroughly. It does nothing to manage the number of accounts configured with authentication methods, the conditional access policies to enforce multifactor authentication, or the reporting of who uses multifactor authentication. In other words, a shiny new authentication method is nice, but it does nothing to drive that MFA percentage higher. That takes more effort, persistence, and (often) executive buy-in.
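The reporting side of that effort is where most tenants should start, because you can’t chase a percentage you don’t measure. The following script is an added example, not code from the original post or from Microsoft; it uses the Entra ID registration-details report through the Microsoft Graph PowerShell SDK to work out the tenant’s own MFA-registered percentage (the same metric as the 38% figure above), break down which methods are in use, and export the users who have nothing registered. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account holds the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions, and that the tenant and output path are placeholders you replace.

```powershell
# Added example (not from the original post): measure MFA registration in a tenant
# using the Entra ID registration-details report via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Reports module is installed and that the account used
# holds AuditLog.Read.All and UserAuthenticationMethod.Read.All (hypothetical tenant).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One record per user: whether an MFA method is registered and which methods they hold
$Details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$Total      = $Details.Count
$Registered = @($Details | Where-Object { $_.IsMfaRegistered }).Count
$Percent    = if ($Total -gt 0) { [math]::Round(100 * $Registered / $Total, 1) } else { 0 }
Write-Host ("MFA registered: {0} of {1} users ({2}%)" -f $Registered, $Total, $Percent)

# Method breakdown (a user can hold several), so SMS-only populations stand out
$Details | ForEach-Object { $_.MethodsRegistered } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Users with no MFA method at all, admins listed first: this is the list to chase
$Details | Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod |
    Export-Csv -Path ".\UsersWithoutMFA.csv" -NoTypeInformation   # placeholder path
```

Once an external authentication method is registered, it shows up in MethodsRegistered alongside the native ones, so the same report tells you whether the third-party rollout is actually reaching users rather than merely being enabled in the policy.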
Make sure that you’re not surprised about changes that appear inside Entra ID or the Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.