One-line summary
Similar updates
More like thisDetails
Body (from Message Center)
[What and Why]
Microsoft Entra ID is retiring Custom Controls in Conditional Access and replacing them with External MFA, a generally available, standards-based integration for third-party multifactor authentication (MFA) providers.
External MFA provides a more modern, supported, and standardized authentication experience while enabling organizations to continue using approved third-party MFA solutions with Conditional Access policies. This change helps improve long-term supportability, security, and interoperability.
[Rollout Schedule]
Key dates:
- September 2026: Administrators will no longer be able to create new Custom Controls or modify existing Custom Controls in Conditional Access policies.
- May 2027: Custom Controls will be fully retired and no longer supported.
[Impact on Your Organization]
Who is affected
- Organizations currently using Custom Controls in Microsoft Entra Conditional Access policies.
- Administrators responsible for Microsoft Entra ID and Conditional Access management.
- Organizations not using Custom Controls are not affected and do not need to take action.
Platforms/Services
- Microsoft Entra ID
- Conditional Access
- Third-party MFA providers integrated with Microsoft Entra ID
What will happen
- Existing Custom Controls will continue to function until retirement in May 2027.
- Beginning in September 2026, administrators will no longer be able to create new Custom Controls or modify existing Custom Controls.
- After retirement in May 2027, Custom Controls will no longer be supported.
- Organizations using Custom Controls must migrate affected Conditional Access policies to External MFA before retirement.
- No impact is expected for organizations that do not use Custom Controls.
[Action Required]
If your organization uses Custom Controls, action is required before May 2027.
Recommended actions:
- Review your Conditional Access policies and identify any policies that use Custom Controls.
- Configure your third-party MFA provider as an External Authentication Method.
- Update affected Conditional Access policies to use the standard Require multifactor authentication grant control.
- Validate authentication flows and confirm successful migration to External MFA.
- Remove all Custom Control references after migration is complete.
- Review the migration guidance: Migrate from custom controls to external multifactor authentication
Consider communicating this change to your identity, security, and help desk teams to ensure migration activities are completed before the retirement date.
[Compliance Considerations]
| Question | Answer |
| Does the change modify, interrupt, or disable Conditional Access policies? | Yes. Organizations currently using Custom Controls must update affected Conditional Access policies to use External MFA before Custom Controls are retired. |
| Does the change add any integration to third-party software products? | Yes. External MFA provides a standards-based integration model for third-party MFA providers. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? | Yes. The configuration and migration are managed by administrators through Microsoft Entra ID and Conditional Access policy management. |
Raw JSON (for debugging)
Show/hide raw
{
"snapshot_item": {
"action_required_by": "2027-04-30T07:00:00Z",
"ai_action_required_by": null,
"ai_actions": [
"Review Conditional Access policies for Custom Controls usage",
"Configure third-party MFA as External Authentication Method",
"Update policies to use Require multifactor authentication grant control",
"Validate authentication flows post-migration",
"Remove all Custom Control references after migration",
"Communicate change to identity, security, and help desk teams"
],
"ai_master_tags": [
"Admin",
"Security",
"Compliance"
],
"ai_model": "gpt-4.1",
"ai_summary": "Microsoft Entra is retiring Custom Controls in Conditional Access, requiring migration to External MFA for third-party provider integration, improving support, security, and interoperability.",
"ai_topics": [
"Entra"
],
"category": "planForChange",
"details_map": {
"Summary": "Microsoft Entra ID is retiring Custom Controls in Conditional Access by May 2027, replacing them with External MFA for standardized third-party MFA integration. Administrators must migrate policies by September 2026, updating Conditional Access to use External MFA to ensure continued support and security."
},
"id": "MC1422061",
"importance": 4,
"is_major_change": true,
"last_modified": "2026-07-09T21:50:56Z",
"ms_products": [
"Entra"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Microsoft Entra"
],
"severity": "normal",
"tags": [
"User impact",
"Admin impact",
"Retirement"
],
"title": "Microsoft Entra ID: Retirement of Custom Controls in Conditional Access and migration to External MFA"
}
}