Skip to main content

Configure XFA on Microsoft Entra ID with an External Authentication Method (EAM)


This is a beta feature, this feature will receive multiple updates and improvements in the coming weeks.

License requirements

To use External Authentication Methods, you need Entra P1 or P2 licenses for all your users (available standalone or included in Microsoft 365 Business premium and up).

Note: This guide assumes that you have an account set up with XFA for your organization and you're an admin for that organization on both XFA and a priviledged role administrator on Entra ID. If you do not have an account, you can create one at

To make sure that every device in your organization is secure, XFA can be configured on Entra ID to verify each device as part of the authentication of all applications connected to Entra ID. This guide will walk you through the steps to configure XFA as an External Authentication Method (EAM) and enforce it's usage.

Create an integration in XFA Dashboard

After logging in to the XFA Dashboard, navigate to the Integrations page, click on New and select Microsoft as the integration type. You'll receive the following information:

  • Client ID
  • Discovery URL
  • App ID

Keep this information handy as you'll need it in the next step.

Create an External Authentication Method in Entra ID

In Entra ID, navigate to Security > Authentication Methods and click on Add external method (Preview).

Name the method 'XFA' and fill in the Client ID, Discovery URL, and App ID that you received from the XFA Dashboard in the previous step. You'll need to click the Request permissions button to grant the necessary permissions to XFA.

You can now enable the external authentication method for all users in your organization to make it available as an MFA option before you save the external authentication method.

Next steps

XFA can now be used by all users, configured in the previous step, to complete the MFA process when logging in to an application connected to Entra ID. To make sure XFA is always used, you have the following options:

Remove other authentication methods

You can gradually turn off the other authentication methods (both new and legacy) for specific user groups to make sure that XFA is the only method available for users to authenticate, enforcing the device security check.

This can be done in the Security > Authentication Methods section in Entra ID.


Won't I lose my 2FA identity verification?
As XFA will completely replace the other authentication methods, an extra feature called 'silent MFA' will be released in the coming weeks. This feature will allow you to verify your identity through known devices which you've explicitly trusted with XFA.

Default sign-in method configured in Entra ID

In Entra ID, every user can have a default sign-in method configured under Users > (user) > Manage > Authentication Methods. Which will by default be the first method that the user registers. Make sure that when disabling a method by groups that the default sign-in method is not set to a method that is disabled for that group.

Use Conditional Access Policies

Conditional Access allows enforcing a specific MFA method based on certain conditions. You can create a policy that limits the available authentication methods for specific user groups, applications, and/or device platforms to XFA.

The Conditional Access Policies can be found in the Security > Conditional Access Policies section in Entra ID.