This article explains how to configure Microsoft Entra ID to work seamlessly with Beyond Identity by preventing conflicts with Microsoft-native MFA. It outlines the required settings to avoid duplicate prompts, authentication loops, and sign-in failures when Beyond Identity is used as the MFA provider.
Overview
This article describes the required Microsoft Entra ID configuration to ensure authentication flows function correctly when using Beyond Identity.
Incorrect configuration—particularly involving legacy MFA or Conditional Access (CA) authentication strengths—can result in conflicting MFA prompts, authentication loops, or authentication failures.
Key Principles
When using Beyond Identity for MFA:
Microsoft-native MFA must not be enforced for affected users.
Conditional Access (CA) authentication strengths must be carefully reviewed.
Microsoft Authenticator must not be required for users authenticating with Beyond Identity.
Configuration Requirements
1. Disable Legacy MFA for Beyond Identity Users
Legacy per-user MFA conflicts with Beyond Identity authentication flows and must not be enabled for users authenticating with Beyond Identity.
Action:
Navigate to Microsoft Entra ID → Users → Per-user MFA
Ensure legacy MFA is disabled for all users authenticating via Beyond Identity
Important: Legacy MFA should not be enabled alongside Beyond Identity.
2. Review Conditional Access Authentication Strengths
Conditional Access authentication strengths can implicitly enforce Microsoft MFA methods—even when Beyond Identity is configured.
Important notes:
Authentication strengths are compatible with legacy MFA.
If a CA policy applies an authentication strength, Microsoft MFA may still be required—even if Beyond Identity is in use.
Action:
Review all Conditional Access policies.
If authentication strengths are configured, ensure they do not apply to users authenticating with Beyond Identity.
If authentication strengths are not explicitly required, do not configure them in CA policies.
Best practice: Use standard CA grant controls without authentication strengths when relying on Beyond Identity.
3. Avoid Enforcing Authentication Strengths Unless Required
If your environment does not require authentication strengths:
Do not add them to Conditional Access policies.
This prevents unintended enforcement of Microsoft MFA alongside Beyond Identity.
4. Exclude Beyond Identity Users from Microsoft Authenticator
Users authenticating with Beyond Identity must be excluded from Microsoft Authenticator enforcement.
Action:
Navigate to Microsoft Entra ID → Security → Authentication methods → Microsoft Authenticator
Exclude the user group that authenticates with Beyond Identity
5. Confirm No Conflicting Conditional Access Policies Apply
After configuration, verify that no Conditional Access policies enforce:
Legacy MFA
Authentication strengths that require Microsoft MFA
Mandatory use of Microsoft Authenticator
Also confirm that exclusions are correctly applied and not overridden by group nesting.
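The check in step 5 can be run offline against exported policies. This is an added example, not part of the original article or any Beyond Identity tooling: it reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists the non-disabled ones whose authentication strength reaches the Beyond Identity group directly, through "All users", or through a parent group. The group IDs, nesting map and sample policies are constructed placeholders, and only group and "All users" scoping is evaluated (individually listed users, roles and other conditions are not).

```python
import json

# Constructed sample in the Graph conditionalAccessPolicy shape; names and
# group IDs are placeholders, not values from a real tenant.
POLICIES = json.loads("""[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": null}},
 {"displayName": "Strength - staff", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["grp-staff"]}},
  "grantControls": {"authenticationStrength": {"displayName": "Multifactor authentication"}}},
 {"displayName": "Strength - all, BI excluded", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-bi"]}},
  "grantControls": {"authenticationStrength": {"displayName": "Multifactor authentication"}}},
 {"displayName": "Strength - switched off", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"authenticationStrength": {"displayName": "Multifactor authentication"}}}
]""")
# Constructed nesting map: child group -> groups it is a member of.
PARENTS = {"grp-bi": ["grp-staff"]}

def ancestors(group_id, parents):
    """Return group_id plus every group that contains it through nesting."""
    seen, stack = set(), [group_id]
    while stack:
        g = stack.pop()
        if g not in seen:  # the seen set also guards against cyclic nesting
            seen.add(g)
            stack.extend(parents.get(g, []))
    return seen

def conflicting_policies(policies, bi_group, parents):
    """List (name, state, strength) for policies applying a strength to bi_group."""
    scope = ancestors(bi_group, parents)
    hits = []
    for p in policies:
        strength = (p.get("grantControls") or {}).get("authenticationStrength")
        if p.get("state") == "disabled" or not strength:
            continue  # plain grant controls such as "mfa" are not flagged
        users = p["conditions"]["users"]
        included = ("All" in users.get("includeUsers", [])
                    or bool(scope & set(users.get("includeGroups", []))))
        excluded = bool(scope & set(users.get("excludeGroups", [])))
        if included and not excluded:
            hits.append((p["displayName"], p["state"], strength.get("displayName")))
    return hits

if __name__ == "__main__":
    print(conflicting_policies(POLICIES, "grp-bi", PARENTS))
```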
Summary Checklist
Before or after enabling Beyond Identity MFA, verify that:
✅ Legacy per-user MFA is disabled.
✅ No CA authentication strengths apply to Beyond Identity users.
✅ Microsoft Authenticator is excluded for these users.
✅ No overlapping CA policies enforce Microsoft-native MFA.
Common Symptoms of Misconfiguration
If the above steps are not followed, you may see:
Unexpected Microsoft Authenticator prompts
Duplicate MFA challenges
Authentication loops or failures
Inconsistent behavior across users or devices
These typically indicate overlapping or conflicting MFA enforcement.
Conclusion
Microsoft Entra ID supports Beyond Identity as an MFA provider, but correct configuration is essential to avoid conflicts with Microsoft-native MFA.
By disabling legacy MFA, carefully reviewing Conditional Access authentication strengths, and excluding Microsoft Authenticator, you can ensure a seamless and predictable authentication experience.
Where applicable, Beyond Identity will satisfy MFA requirements by providing the MFA claim in the token, as visible in Microsoft Entra sign-in logs.
For further assistance, please contact Beyond Identity Support.