
Microsoft Conditional Access Custom Controls

danger

Microsoft Entra ID (formerly Azure AD) Conditional Access Custom Controls is being deprecated and will no longer be supported by Microsoft on September 30, 2026. It is replaced by Microsoft Entra ID External Authentication Methods; see Integrate Microsoft Entra ID External Authentication Methods. Entrust recommends migrating Custom Controls to External Authentication Methods.

See External MFA in Microsoft Entra ID is now generally available for more details.

You can configure Microsoft Conditional Access Custom Controls to use Identity as a Service for multi-factor authentication. To do this, you must add a Microsoft Conditional Access Custom Controls application to Identity as a Service. This integration guide describes how to integrate Microsoft Conditional Access Custom Controls with Identity as a Service. To integrate Microsoft Entra ID Active Directory with Identity as a Service, see Integrate Microsoft Entra ID active directory with Identity as a Service.

warning

You can configure one or more Microsoft Conditional Access Custom Controls applications for your Microsoft Entra ID custom tenant that can be used across all applications within that tenant. For example, you can create multiple Identity as a Service Microsoft Conditional Access Custom Controls applications and set each application to require a different authenticator.

To integrate Microsoft Conditional Access Custom Controls with Identity as a Service, complete the following steps:

Step 1: Complete the following prerequisites:

  1. Synchronize your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
  2. If you have not done so already, Create a gateway.
  3. Obtain the Microsoft Entra ID Tenant ID:
    1. Log in to the Microsoft Entra ID portal.
    2. In the Navigation pane, click Microsoft Entra ID. The Directory Overview page appears.
    3. In the Manage section, click Properties.
    4. Copy the Directory ID. The Tenant ID and the Directory ID are the same.

Step 2: Add Microsoft Conditional Access Custom Controls OIDC to Identity as a Service

  1. Log in to an Identity as a Service account with a role that allows you to configure applications.

  2. Click > Security > Applications. The Applications List page appears.

  3. Click Add. The Select an Application Template page appears.

  4. Do one of the following:

    • Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
  5. Click Microsoft Conditional Access Custom Controls. The Add Microsoft Conditional Access Custom Controls General page appears.

  6. In the App Settings, modify the Application Name and Application Description, if required.

  7. In the OIDC Settings, do the following:

    1. Optional. Set the Reauthentication Time to require users to reauthenticate after a predetermined amount of time.

    2. Select the OIDC Signing Certificate.

      note

      The Login Redirect URI and the Supported Scopes are selected by default.

    3. From the User ID Mapping Attribute drop-down list, select User ID to map the incoming Microsoft Conditional Access Custom Controls claim to the attribute used to find the user.

    4. Select Require Consent if you want the user to be prompted for consent for each request.

    5. Optional. Enter a Consent Message to include a message to users when consent is requested.

  8. In the Microsoft Conditional Access Custom Controls Settings, do the following:

    1. Select the Incoming Userid Claim from the drop-down list. The default is User Principal Name. This value is the incoming claim that Microsoft Entra ID uses to identify the user.

      note

      When an Identity as a Service account is synchronized with a corporate directory that contains User Principal Name values, the User Principal Name in each user profile is auto-populated when directory synchronization occurs. This value is stored in the user's User Principal Name system attribute. See Trigger on-demand synchronization to trigger an immediate directory synchronization.

      If the User Principal Name is not populated by directory synchronization, you must populate the user’s User Principal Name system attribute manually for every user integrated with Microsoft Conditional Access Custom Controls.

    2. In the Customer Tenant/Directory ID text box, enter the Microsoft Entra ID tenant ID, for example, a5a69e76-58be-4303-9339-9fe8f582523d.

  9. Copy and save the auto-generated Microsoft Conditional Access Custom Controls JSON Text. You need this text to configure the Microsoft Conditional Access Custom Controls at the Microsoft Entra ID Tenant site.

  10. Click Show Advanced Settings to configure advanced settings.

  11. Select Enable Organizations to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.

    note

    When organizations are enabled, the corresponding OIDC claims must also be configured.

  12. From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.

  13. Set the ID Token Timeout to the time (in minutes) that the ID token is valid before it expires.

  14. Click Save.

Step 3: Add a resource rule

See Create resource rules.

note

Set Skip Password as the first-factor authentication type and then set the second-factor authenticators that you want to use with Microsoft Entra ID.

Step 4: Configure the Microsoft Entra ID Tenant

You must configure the Microsoft Conditional Access Custom Controls tenant for each Customer Tenant application that requires a custom control for multi-factor authentication. You must first configure a custom control and then configure the policies that restrict access to specific (or all) applications.

The Microsoft Conditional Access Custom Controls policy is similar to an Identity as a Service resource rule. The policy may apply to a specific user or the interface being used, for example. The policy can also enforce custom controls.

Step A: Configure custom controls

  1. Ensure that you have synchronized your Microsoft Entra ID users with Identity as a Service. See Synchronize Microsoft Entra ID External users with Identity as a Service and Sync an on-premises AD with Microsoft Entra ID External.
  2. Go to the Microsoft Entra ID portal and log in to the Customer Tenant as an administrator.
  3. In the Home page, select Microsoft Entra Conditional Access.
  4. Under Manage, click Custom controls.
  5. Click New custom control.
  6. In the text box, enter the auto-generated Microsoft Conditional Access Custom Controls JSON Text that you copied in Step 2: Add Microsoft Conditional Access Custom Controls to Identity as a Service.
  7. You can change the Id value if required, for example if you plan to define multiple custom controls: "Id": "Identity as a Service MFA"
  8. Click Create.

Step B: Configure policies

  1. In the Microsoft Entra ID Conditional Access page, select Policies.

  2. Click New Policy. The New Policy dialog box appears.

  3. Under Assignments, select Users and groups.

  4. In the Include pane, select Select users and groups and select the specific set of users you want to associate with the policy.

  5. Click Done.

    danger

    Ensure that you do not select your initial admin user as a user of this policy as doing so can potentially lock you out of the Microsoft Entra ID portal.

  6. Under Assignments, click Cloud apps.

  7. Select whether to include specific apps or all applications. The options are:

    • None
    • All cloud apps
    • Select apps
  8. If you choose Select apps, click Select and then from the Applications list, select the specific apps you want to include.

  9. Click Select.

  10. Click Done.

  11. Under Access controls, click Grant.

  12. Under Select the controls to be enforced, select Grant access.

  13. Select Identity as a Service MFA (or select the required Id value of the custom control if you created several custom controls).

  14. Click Select.

  15. Toggle Enable policy to On.

  16. Click Create.
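Before toggling the policy to On, it is worth checking the policy scope against the danger note in Step B: a policy that includes the break-glass admin, or that does not actually enforce the custom control Id from Step A, is the usual cause of lock-outs. The following Python example is added here and is not Entrust's or Microsoft's code; it assumes the policy has been exported in the shape of a Microsoft Graph conditionalAccessPolicy object (the page only describes the portal UI), and the sample policy and user IDs are constructed.

```python
"""Sanity-check a Conditional Access policy that enforces an IDaaS custom control."""
import json

# Constructed sample export; the field names follow the Microsoft Graph
# conditionalAccessPolicy resource (an assumption, not from the page).
SAMPLE_POLICY = json.dumps({
    "displayName": "Require IDaaS MFA for finance apps",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["user-guid-1", "user-guid-2"],
            "excludeUsers": [],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "customAuthenticationFactors": ["Identity as a Service MFA"],
    },
})


def lint_policy(policy_json, break_glass_ids, expected_control_id):
    """Return a list of findings; an empty list means the policy looks safe to enable."""
    policy = json.loads(policy_json)
    findings = []
    users = policy["conditions"]["users"]
    included = set(users.get("includeUsers", []))
    excluded = set(users.get("excludeUsers", []))
    # Step B, item 5: the initial admin must not be a target of the policy,
    # otherwise a broken second factor locks the admin out of the portal.
    for uid in break_glass_ids:
        if uid in included or (included == {"All"} and uid not in excluded):
            findings.append(f"break-glass account {uid} is in scope of the policy")
    grant = policy.get("grantControls") or {}
    custom = grant.get("customAuthenticationFactors", [])
    # Step B, item 13: the grant control must name the custom control Id from Step A.
    if expected_control_id not in custom:
        findings.append(f"custom control {expected_control_id!r} is not enforced")
    # "Require one of the selected controls" (OR) together with a built-in control
    # lets a user satisfy the policy without ever reaching IDaaS.
    if grant.get("operator") == "OR" and grant.get("builtInControls"):
        findings.append("OR with built-in controls lets users bypass the custom control")
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (report-only or disabled)")
    return findings
```

Run `lint_policy` against each exported policy with the object IDs of your break-glass accounts; the "All" case is handled so an all-users policy passes only when those accounts are explicitly excluded.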

Step 5: Test the Microsoft Conditional Access Custom Controls

  1. Go to the Microsoft Entra ID portal.
  2. Log in to Microsoft Entra ID with a user that you selected as part of the policy definition for conditional access.
  3. Enter the password. You are redirected to Identity as a Service for second-factor authentication.
  4. Respond to the second-factor challenge.
  5. Confirm that the user has logged in to the Microsoft Entra ID portal successfully.