Skip to main content

Configure XFA on Microsoft Entra ID with an External Authentication Method (EAM)

License requirements

To use External Authentication Methods, you need Entra P1 or P2 licenses for all your users (available standalone or included in Microsoft 365 Business premium and up).

Note: This guide assumes that you have an account set up with XFA for your organization and you're an admin for that organization on both XFA and a privileged role administrator on Entra ID. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.

To make sure that every device in your organization is secure, XFA can be configured on Entra ID to verify each device as part of the authentication of all applications connected to Entra ID. This guide will walk you through the steps to configure XFA as an External Authentication Method (EAM) and enforce it's usage.

Create an integration in XFA Dashboard

After logging in to the XFA Dashboard, navigate to the Enforcement page, click on New and select Microsoft as the integration type. You'll receive the following information:

  • Client ID
  • Discovery URL
  • App ID

Keep this information handy as you'll need it in the next step.

Create an External Authentication Method in Entra ID

In Entra ID, navigate to Security > Authentication Methods and click on Add external method (Preview).

Name the method 'XFA' and fill in the Client ID, Discovery URL, and App ID that you received from the XFA Dashboard in the previous step. You'll need to click the Request permissions button to grant the necessary permissions to XFA.

You can now enable the external authentication method for all users in your organization to make it available as an MFA option before you save the external authentication method.

Next steps

XFA can now be used by all users, configured in the previous step, to complete the MFA process when logging in to an application connected to Entra ID. To make sure XFA is always used, you have the following options:

Remove other authentication methods

You can gradually turn off the other authentication methods (both new and legacy) for specific user groups to make sure that XFA is the only method available for users to authenticate, enforcing the device security check.

This can be done in the Security > Authentication Methods section in Entra ID.

note

Won't I lose my 2FA identity verification?
As XFA will completely replace the other authentication methods, we provide 'silent MFA', which allows you to verify your identity through known devices which you've explicitly trusted with XFA. In this way your device act as a second factor. Read our documentation about silent MFA for more information.

Entra ID settings that might interfere with your XFA roll-out
  1. Default sign-in method configured in Entra ID

In Entra ID, every user can have a default sign-in method configured under Users > (user) > Manage > Authentication Methods. Which will by default be the first method that the user registers. Make sure that when disabling a method by groups that the default sign-in method is not set to a method that is disabled for that group.

  1. System-preferred multifactor authentication

In EntraID, you can set this preferred method under Authentication Methods > Settings. This might force override the default method that was set to "No default", you should disable this setting. Or disable for the groups you want to enforce XFA for in case of a gradual roll-out.

  1. Registration Campaign

In EntraID, you can set a "Registration campaign" to help users get started with MFA under Authentication Methods > Registration campaign, this doesn't work with External Authentication Methods. It is best to disable this feature or exclude the groups for which you want to enforce XFA.

  1. Authentication Strengths

It is possible to create a conditional access policy (or use a Microsoft-managed one) that forces authentication strengths (Authentication Methods > Authentication Strengths) for users. However, this doesn't work with External Authentication Methods. It is best to disable this feature or exclude the groups for which you want to enforce XFA.

Use Conditional Access Policies

Conditional Access allows enforcing a specific MFA method based on certain conditions. You can create a policy that limits the available authentication methods for specific user groups, applications, and/or device platforms to XFA.

The Conditional Access Policies can be found in the Security > Conditional Access Policies section in Entra ID.

Troubleshooting

Encountering issues with your EAM integration? Check out our EAM Quick Troubleshooting Guide for solutions to common problems including:

  • UPN changes and login problems
  • Multiple active Microsoft sessions
  • Authentication fails with no clear error