AuthPoint: External MFA for Microsoft Entra ID
Microsoft has announced the General Availability of External Multifactor Authentication (MFA) in Microsoft Entra ID. If you’ve been following this as “EAM” or “External Authentication Methods,” it’s the same program. Microsoft updated the name as part of the GA release.
This means organizations can now use third-party MFA providers with Entra ID in production. WatchGuard AuthPoint will be available as an External MFA provider starting April 2026.
What changes for partners and customers
Until now, AuthPoint could protect Microsoft 365 sign-ins only when users were synced with an on-premises Active Directory server. If your users existed only in Entra ID, with no local AD, AuthPoint could not handle MFA for Microsoft 365. That was a Microsoft platform limitation, not a WatchGuard one.
External MFA removes that barrier. Partners and customers using Entra ID as their sole identity provider can now configure AuthPoint to satisfy MFA requirements for Microsoft 365, Azure services, and any application protected by Entra ID Conditional Access. No Active Directory, no SAML federation, no LDAP.
There’s also a practical benefit for end users. If your organization currently runs both Microsoft Authenticator and AuthPoint, you can consolidate into a single app. Users who already rely on AuthPoint for Windows login, VPN, or macOS can use the same app for Microsoft 365 sign-ins.
How we got here
This has been in the works for a while. WatchGuard joined Microsoft’s EAM preview program and opened a public beta for AuthPoint EAM (now External MFA) in April 2025. Partners have been testing and validating the integration since then. In October 2025, WatchGuard also introduced Entra ID directory synchronization in WatchGuard Cloud, so administrators can sync users and groups directly from Entra ID without maintaining a separate identity store.
The April launch is the culmination of that work.
What’s supported
AuthPoint as an External MFA provider supports Mobile Push Notifications, Time-based One Time Passcodes (TOTP), QR Code verification, and Hardware Token OTP. AuthPoint also supports FIDO2 passkeys for OIDC-based resources, including External MFA. Users can authenticate using device biometrics or a PIN, without needing the AuthPoint mobile app. AuthPoint zero-trust policies apply to all of these methods, whether users are signing in to Microsoft applications or other protected resources.
On the WatchGuard side, configuration happens in WatchGuard Cloud. On the Microsoft side, tenant administrators add AuthPoint as an external method through the Entra ID Admin Center and can target it to all users or specific groups via Conditional Access policies.
What’s not included in this release
This integration is for organizations using Entra ID as their identity provider. It does not cover on-premises Active Directory environments, LDAP connectors, or AD FS migration scenarios. For those setups, existing AuthPoint integration methods remain available. For more details, see our FAQ: AuthPoint and Microsoft Entra ID.
Requirements
You’ll need a Microsoft Entra ID P1 license or higher (this is a Microsoft requirement for External MFA), an active WatchGuard AuthPoint subscription, and access to the Microsoft Entra ID Admin Center to configure external authentication methods. Customers and partners maintain their own Entra ID tenant and subscription.
Get ready before GA
Partners can preview the External MFA integration today through WatchGuard’s early access program and start preparing their deployments ahead of the April GA. Full configuration guides and documentation will be published at GA.
Join the early access program on CenterCode.
Learn More
From WatchGuard:
- AuthPoint EAM Beta Announcement (April 2025)
- Entra ID Directory Synchronization for WatchGuard Cloud (October 2025)
- FAQ: AuthPoint and Microsoft Entra ID.
From Microsoft: