Summary
Details
[What and Why]
Microsoft Entra ID is retiring Custom Controls in Conditional Access and replacing them with External MFA, a generally available, standards-based integration for third-party multifactor authentication (MFA) providers.
External MFA provides a more modern, supported, and standardized authentication experience while enabling organizations to continue using approved third-party MFA solutions with Conditional Access policies. This change helps improve long-term supportability, security, and interoperability.
[Rollout Schedule]
Key dates:
- September 2026: Administrators will no longer be able to create new Custom Controls or modify existing Custom Controls in Conditional Access policies.
- May 2027: Custom Controls will be fully retired and no longer supported.
[Impact on Your Organization]
Who is affected
- Organizations currently using Custom Controls in Microsoft Entra Conditional Access policies.
- Administrators responsible for Microsoft Entra ID and Conditional Access management.
- Organizations not using Custom Controls are not affected and do not need to take action.
Platforms/Services
- Microsoft Entra ID
- Conditional Access
- Third-party MFA providers integrated with Microsoft Entra ID
What will happen
- Existing Custom Controls will continue to function until retirement in May 2027.
- Beginning in September 2026, administrators will no longer be able to create new Custom Controls or modify existing Custom Controls.
- After retirement in May 2027, Custom Controls will no longer be supported.
- Organizations using Custom Controls must migrate affected Conditional Access policies to External MFA before retirement.
- No impact is expected for organizations that do not use Custom Controls.
[Action Required]
If your organization uses Custom Controls, action is required before May 2027.
Recommended actions:
- Review your Conditional Access policies and identify any policies that use Custom Controls.
- Configure your third-party MFA provider as an External Authentication Method.
- Update affected Conditional Access policies to use the standard Require multifactor authentication grant control.
- Validate authentication flows and confirm successful migration to External MFA.
- Remove all Custom Control references after migration is complete.
- Review the migration guidance: Migrate from custom controls to external multifactor authentication
Consider communicating this change to your identity, security, and help desk teams to ensure migration activities are completed before the retirement date.
[Compliance Considerations]
| Question | Answer |
| Does the change modify, interrupt, or disable Conditional Access policies? | Yes. Organizations currently using Custom Controls must update affected Conditional Access policies to use External MFA before Custom Controls are retired. |
| Does the change add any integration to third-party software products? | Yes. External MFA provides a standards-based integration model for third-party MFA providers. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? | Yes. The configuration and migration are managed by administrators through Microsoft Entra ID and Conditional Access policy management. |
Change History
Never Miss a Microsoft 365 Update
Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.