If your organisation uses a third-party MFA provider — Duo Security, Okta Verify, RSA SecurID, or any other — and you have wired it into Microsoft Entra Conditional Access using Custom Controls, you have a hard deadline to act on. Custom Controls will stop accepting new configurations in September 2026 and will be completely retired in May 2027. Microsoft's replacement is External MFA, which is now generally available and delivers everything Custom Controls did — but with full Conditional Access integration that Custom Controls never had.
What Are Custom Controls and Why Are They Being Retired?
Custom Controls were introduced as a workaround to let organisations use third-party MFA providers within Conditional Access before Microsoft had a proper integration model. When a user triggered a Custom Control policy, Entra redirected them to an external provider, received a "satisfied" token back, and treated the requirement as met — without any visibility into what actually happened.
The problem is precisely that opacity. Because Custom Controls operated outside Entra's evaluation engine, several things never worked properly with them:
- MFA reporting was incomplete — sign-in logs did not capture what method the external provider used
- PIM (Privileged Identity Management) was not supported — Custom Controls could not satisfy MFA requirements for role activations
- Risk-based Conditional Access was not supported — real-time risk signals could not factor in whether the external MFA was completed
- Continuous Access Evaluation was not supported — token revocation on risk events did not trigger a re-prompt of the external MFA
- Named locations and device state were ignored — external MFA results were not correlated with the rest of the session context
External MFA solves all of this
External MFA operates inside Entra's identity control plane. Microsoft Entra performs full policy evaluation on every sign-in — including real-time Conditional Access enforcement, sign-in risk assessment, PIM role activation, and Continuous Access Evaluation. The external provider satisfies the MFA claim, but Entra retains full visibility and control.
Retirement Timeline
Now — June 2026
External MFA is GA
Safe to migrate now. Full feature parity with Custom Controls plus the features Custom Controls never had.
September 30, 2026
Custom Controls retired
Adding new Custom Controls or editing existing ones will no longer be allowed. Existing configs may still function during a brief run-off period.
May 2027
End of life
Custom Controls stop functioning entirely. Any policy still using them will fail to enforce MFA, leaving access unprotected or blocked depending on your policy configuration.
Am I Using Custom Controls?
To check: in the Microsoft Entra admin center, go to Protection → Conditional Access → Policies. Open each policy and look at the Grant controls section. Any policy showing a custom control (typically labelled with your provider name, such as "Require Duo MFA" or "RSA SecurID") is using Custom Controls and needs to be migrated.
Common providers used via Custom Controls that have External MFA support available include Duo Security (Cisco), Okta, RSA SecurID, and Ping Identity. Check your provider's documentation for their External MFA integration guide.
How to Migrate: Step by Step
Microsoft's migration guide outlines a phased approach. Do not attempt to swap all policies in one go — run a parallel test first.
Audit your existing Custom Controls policies
Document every Conditional Access policy that uses a Custom Control — which apps it protects, which users it applies to, and what the Custom Control is configured to require. This is your migration map.
Register your MFA provider as an External MFA authentication method
In the Entra admin center, go to Protection → Authentication methods → External authentication methods. Add your provider using the details from your provider's integration documentation. This step registers the provider with Entra and creates the trust relationship.
Test with a pilot group first
Add a small group of test users to the External MFA authentication method policy. Create a new Conditional Access policy in Report-only mode targeting those users, requiring External MFA as the grant control. Verify sign-in logs show the External MFA claim being satisfied correctly before proceeding.
Move users from Custom Control policies to External MFA policies
Migrate users in batches — move a group from the old Custom Control policy to the new External MFA policy, and confirm they can sign in successfully. Repeat until all users are migrated across all policies.
Disable and remove the old Custom Control policies
Once all users are migrated and verified, disable the old Custom Control policies and then delete them. Do not leave them in a half-migrated state — a policy that fails to evaluate its grant control after September 2026 will either block access or fail open depending on the policy configuration.
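The portal check under "Am I Using Custom Controls" and the audit step above can also be done against an export of your policies. The script below is an added example, not Microsoft's or any provider's code. It assumes the policies were exported from Microsoft Graph (GET /identity/conditionalAccess/policies), where Custom Controls appear in grantControls.customAuthenticationFactors; the sample data, ids and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the "value" array from Microsoft Graph
# GET /identity/conditionalAccess/policies. All ids and names are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"id": "p-001", "displayName": "Require Duo MFA - all users", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"], "includeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "customAuthenticationFactors": ["example-duo-control-id"]}},
 {"id": "p-002", "displayName": "Admins - built-in MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-admins"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                    "customAuthenticationFactors": []}},
 {"id": "p-003", "displayName": "Finance app - RSA SecurID", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["app-finance"]},
                 "users": {"includeUsers": [], "includeGroups": ["grp-finance"]}},
  "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                    "customAuthenticationFactors": ["example-rsa-control-id"]}},
 {"id": "p-004", "displayName": "Session controls only", "state": "enabled",
  "conditions": {}, "grantControls": null}
]}
""")["value"]

def migration_map(policies):
    """One row per policy whose grant controls reference a Custom Control."""
    rows = []
    for p in policies:
        grant = p.get("grantControls") or {}   # null on session-only policies
        custom = grant.get("customAuthenticationFactors") or []
        if not custom:
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        rows.append({
            "name": p["displayName"], "state": p["state"],
            "custom_controls": custom, "operator": grant.get("operator"),
            "other_controls": grant.get("builtInControls") or [],
            "apps": (cond.get("applications") or {}).get("includeApplications") or [],
            "users": users.get("includeUsers") or [],
            "groups": users.get("includeGroups") or [],
        })
    return rows

def still_enforced(rows):
    """Rows whose policy is live ("enabled"); migrate these users before disabling."""
    return [r["name"] for r in rows if r["state"] == "enabled"]

if __name__ == "__main__":
    print(json.dumps(migration_map(SAMPLE_EXPORT), indent=2))
```

Re-run it against a fresh export after each batch: the migration is complete when migration_map returns no rows.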
What You Gain by Migrating
Full MFA reporting
Sign-in logs show exactly which external method was used, by whom, and from which device and location.
PIM role activation support
External MFA can now satisfy the MFA requirement for Privileged Identity Management role activations — something Custom Controls never supported.
Risk-based CA enforcement
Real-time sign-in risk signals and user risk levels can now trigger the external MFA requirement dynamically.
Continuous Access Evaluation
Token revocation on high-risk events now works correctly — users get re-prompted for MFA when risk changes, not just at sign-in.
Official Microsoft References
- Microsoft Learn — Migrate from Custom Controls to External MFA in Conditional Access
- Microsoft Tech Community — External MFA in Microsoft Entra ID Is Now Generally Available
- Microsoft Tech Community — Microsoft Entra ID Security Updates: What Organisations Need to Do Now
- Microsoft Learn — Custom Controls in Microsoft Entra Conditional Access
- Microsoft Tech Community — What's New in Microsoft Entra: June 2026