Blog WatchGuard

The Case for an Independent MFA Layer in Microsoft Environments

Identity became a single point of failure for most SMBs. External MFA gives MSPs back control and a service worth offering.

The quiet shift no one talks about

Something happened over the past few years that most MSPs didn't plan for. Their customers moved to Microsoft 365, adopted Entra ID as their identity provider, and started using Microsoft Authenticator for MFA. It made sense at the time. It was simple, it was included in the license, and it worked.

But somewhere along the way, a strategic decision was made by default. Microsoft became the identity provider, directory, credential store, and MFA provider. All at once. Not because someone evaluated the options and decided it was the best architecture, but because it was the path of least resistance.

For MSPs, this creates a problem that goes beyond technology. When your customers' entire identity stack sits with one vendor, you don't control the authentication experience. You don't set the policies. You don't manage the recovery process. And if that vendor changes something, raises a price, or has an outage, your customers feel it, and you have no alternative to offer.

Identity is infrastructure. Treat it like infrastructure.

We wouldn't run a business without backup for our data. We wouldn't operate without a recovery plan for our systems. But most organizations have no backup plan for their identity. Their entire authentication layer sits with a single provider, and if something goes wrong, or if that provider's roadmap diverges from their needs, there's no fallback.

The scale of this concentration is significant. According to Microsoft, Entra ID is one of the largest identity platforms in the world, processing billions of authentication requests daily. That's an extraordinary amount of trust placed in a single platform. For the vast majority of those organizations, especially in the SMB space, Microsoft isn't just one piece of their identity infrastructure. It is their identity infrastructure.

Microsoft's native MFA is solid. It works, and it's included in the license. That's not the issue. The issue is that configuring what's already included is not a managed service. It's maintenance. And when your customers can get basic MFA without you, your value as an MSP has to come from somewhere else: better policies, broader coverage, more methods, more control.

An MSP managing 30 customers on Entra ID with Microsoft's native MFA has no independent authentication layer. 

If a Conditional Access policy behaves unexpectedly, the MSP is troubleshooting inside Microsoft's console with Microsoft's tools. 

If a customer wants a different MFA experience for a specific set of users, the options are limited to what Microsoft offers. 

And if the MSP wants to apply consistent authentication policies across Microsoft and non-Microsoft environments (VPN, endpoints, third-party apps), that's simply not possible with a single-vendor identity stack.

External MFA exists for exactly this reason

Microsoft introduced External MFA (formerly External Authentication Methods or EAM) in Entra ID to allow third-party MFA providers to integrate directly with the platform. The concept is straightforward: Microsoft remains the identity provider and handles the first factor. When MFA is required, Entra ID redirects the user to the external provider for the second factor. Once verified, access is granted.

For MSPs, this changes the conversation. You can offer a managed MFA experience that works inside Microsoft environments and extends to everything outside them. VPN, Windows login, macOS, third-party applications. Your own set of authentication policies that you control, one app that your customers' users interact with, and one platform that you manage for all your accounts. The identity layer becomes something you own as a service, not something you configure inside someone else's platform.

The question is straightforward: is the MFA you're offering today something your customers would pay you for? Or is it just a checkbox they could configure themselves? If it's the latter, an independent authentication layer is what turns identity from an operational cost into a service with real value.

The phishing-resistant layer that most SMBs are missing

Once you have an independent authentication layer, you can extend your offering beyond what a single-vendor identity stack allows.

Traditional MFA methods (push notifications, one-time codes) stop the vast majority of attacks. But advanced phishing techniques using real-time proxy attacks can intercept both the password and the MFA approval as they happen. According to the Verizon 2025 Data Breach Investigations Report, stolen credentials were the leading initial access vector in 22% of all breaches analyzed, and 88% of basic web application attacks involved the use of stolen credentials. These attacks are not theoretical, and they specifically target the people who matter most: executives, finance teams, anyone with access to sensitive data.

Phishing-resistant authentication methods like passkeys address this risk. A passkey is bound to the real website it was registered for and is unlocked locally with a biometric, so a fake site simply cannot trigger the authentication. The user experience is familiar (fingerprint or face, the same as unlocking a phone), and the protection is fundamentally stronger against sophisticated attacks.
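The origin binding described above, as an added example that is not from the original post or from WatchGuard's own code: a simplified Python simulation of the relying-party checks on a WebAuthn passkey assertion. RP_ORIGIN, RP_ID and the lookalike domain are constructed values, and the signature check is left out so the example focuses on why a real-time proxy site's origin fails verification.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Constructed relying-party (RP) settings: assumed values, not from the page.
RP_ORIGIN = "https://login.example.com"
RP_ID = "example.com"  # the domain the passkey was registered for

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_challenge() -> bytes:
    """Server side: a fresh random challenge tied to one login attempt."""
    return os.urandom(32)

def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Simulates the browser/authenticator: the browser writes the origin the
    page is really served from into clientDataJSON and derives the RP ID from
    it. A phishing proxy cannot make the browser write the real site's origin."""
    host = urlparse(page_origin).hostname
    rp_id = ".".join(host.split(".")[-2:])  # simplified registrable domain
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """RP-side checks that defeat real-time proxy phishing. The signature check
    over authenticatorData || SHA-256(clientDataJSON) is omitted for brevity."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(data["challenge"]), expected_challenge):
        return False, "challenge mismatch or replay"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the registered RP ID"
    return True, "ok"
```

A push approval or OTP has no equivalent of the origin field, which is why a proxy can relay those while the passkey assertion above is rejected.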

The practical question for MSPs is not whether to offer phishing-resistant authentication. It's where to start. Not every user needs the same level of protection. Executives and finance teams? Absolutely. The entire workforce on day one? Probably not. The ability to deploy passkeys alongside traditional MFA, choosing where to apply each method based on risk, is what makes this practical for real-world environments.

What this means for your business

If you're an MSP managing Microsoft environments, the opportunity is clear. Identity doesn't have to be something you configure inside someone else's platform. It can be something you own, control, and build a business on. An external MFA layer gives you that control. Phishing-resistant methods like passkeys give your customers protection that goes beyond what basic MFA provides. The combination of both gives you something real to bring to every customer who runs Microsoft 365. As cyber insurers increasingly distinguish between basic MFA and phishing-resistant methods, having an independent authentication layer with passkey support puts you and your customers ahead of those requirements, not scrambling to meet them.

The MSPs who recognize this early will be the ones who turn identity from an operational cost into a revenue line. Waiting means competing on price for something your customers can already get without you.

How AuthPoint Brings External MFA to Microsoft Environments

WatchGuard AuthPoint integrates with Microsoft Entra ID as an external MFA provider, enabling partners to offer a managed authentication experience that covers Microsoft environments and extends to everything else: VPN, Windows and macOS login, third-party SAML and OIDC applications, and the AuthPoint SSO portal.

AuthPoint supports push notifications, time-based one-time passcodes (TOTP), QR code verification, hardware token OTP, and FIDO2 passkey authentication. Zero trust policies in WatchGuard Cloud control which methods are available for each resource and user group, giving MSPs granular control over their customers' authentication experience.

The deployment model is built for MSPs. Multi-tenant management from WatchGuard Cloud means one console for all your accounts, with policy inheritance and delegated administration. On the end-user side, WatchGuard has completed a full UX refresh across all AuthPoint touchpoints over the past year: new agent for Windows, new agent for macOS, and a completely redesigned mobile app with dark mode, unified token management, and a simplified activation flow. The result is a consistent, modern authentication experience that reduces onboarding friction and support calls.

Passkey support and External MFA for Entra ID are both included with AuthPoint MFA and AuthPoint Total Identity Security licenses at no additional cost. Partners already working with AuthPoint can offer these capabilities to their customers by simply enabling them, with no license changes needed.

To learn more about identity security and how to protect access against credential-based threats, check out these posts on our blog: