Microsoft Entra EAM
An External Authentication Method (EAM) lets users satisfy Microsoft Entra ID's MFA requirements through an external provider. This page covers configuring Incode as an EAM in your Entra environment and describes the use cases this enables.
Prerequisites
Ensure you have the following before you begin:
- Access to the Integrations page in Dashboard. Contact your Incode Representative if you do not see it.
- A Workflow created for the integration.
- An active Microsoft Entra ID P1 or P2 subscription.
- A Microsoft Entra administrator account that can create app registrations and manage the tenant's authentication methods policy (for example, Application Administrator together with Authentication Policy Administrator). The admin-consent step below additionally requires a role allowed to consent on behalf of the organization.
Understand What This Enables
After Incode is registered as an EAM, it can be used in the following scenarios:
- SSPR & MFA recovery: Redirect users who forgot a password or who cannot satisfy MFA to Incode for biometric and document verification before completing the reset.
- External authentication: Add Incode as a high-assurance check before granting access to apps or workflows through Entra Conditional Access.
- New-hire onboarding: Verify legal identity before activating Entra credentials for new employees.
Understand How It Works
When a user is required to authenticate with Incode, Entra redirects them to an Incode verification session. The session requirements are determined by the Workflow linked to the integration. After the session completes, Incode returns a result to Entra to confirm the user's identity.
For use cases that include claims matching, Incode reads the user's profile from the Entra directory and matches verified attributes from their government-issued ID against that record. A successful match is required before the Entra action is allowed to proceed. If claims do not match, the session is routed to manual review.
The Microsoft Entra Directory Sync page describes directory sync configuration, including which Entra user attributes Incode uses.
Set Up Entra EAM Integration
Create the Integration in Dashboard
- Log in to Dashboard.
- In the left menu, click Integrations.
- Click New Integration.
- From the IAM tab, click Microsoft Entra EAM, then click Continue.
- Enter a Name for this integration.
- Select a Workflow for this Integration from the drop-down.
- Copy the following values from the integration to use in the next sets of steps:
  - Client ID
  - Discovery Endpoint
  - Authorize URL
- Click Save.
Register an Application in Microsoft Entra
- Log in to your Microsoft Entra Admin Center as an administrator.
- Go to App Registrations > New Registration.
- Configure the registration:
  - Name: Enter a name for the application.
  - Supported account types: Select Single tenant.
  - Redirect URI: Select the Web platform and paste the Authorize URL copied from Dashboard in the previous set of steps.
- Click Register and copy the generated Application (client) ID (the App ID). You will enter it when adding the external method.
Add Incode as an External Authentication Method
- Go to Protection > Authentication Methods > Policies.
- Click + Add External Method (Preview).
- Configure the external method:
  - Name: Enter a display name, for example Incode. This is the name users see when selecting an authentication method at login.
  - Client ID and Discovery Endpoint: Paste the values copied from the Dashboard integration.
  - App ID: Paste the Application (client) ID of the app registration created in the previous set of steps. The Authorize URL is not entered here; it is used only as that registration's redirect URI.
- Click Request permission to grant admin consent for the Incode authenticator. Check Consent on behalf of your organization and click Accept.
- Toggle Enable to On.
- Click + Add Target to select the users or groups that should use Incode as an EAM. By default, the policy applies to all users.
- Click Save.
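The two Entra procedures above (the app registration and the external method) can also be done from a script, which is useful for repeatable pilot and production tenants. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Incode's or Microsoft's own code. It assumes you supply the three values from the Dashboard integration and the object ID of a pilot group, that the `externalAuthenticationMethodConfiguration` resource is served from the Graph beta endpoint (true at the time of writing), and that the signed-in account holds the roles listed under Prerequisites. It does not perform the admin-consent step, which must still be completed with Request permission in the portal.

```powershell
# Added example (not Incode's or Microsoft's own code): register the single-tenant app and
# add Incode as an external authentication method via Microsoft Graph instead of the portal.
# Assumptions: the parameters below come from the Dashboard integration and your own tenant;
# externalAuthenticationMethodConfiguration lives under the Graph *beta* endpoint.

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

param(
    [Parameter(Mandatory)] [string] $IncodeClientId,      # "Client ID" from the Dashboard integration
    [Parameter(Mandatory)] [string] $IncodeDiscoveryUrl,  # "Discovery Endpoint" from the Dashboard integration
    [Parameter(Mandatory)] [string] $IncodeAuthorizeUrl,  # "Authorize URL" from the Dashboard integration
    [Parameter(Mandatory)] [string] $TargetGroupId,       # object ID of the pilot group (hypothetical value you supply)
    [string] $DisplayName = 'Incode'                      # name users see at the method picker
)

# Least-privilege delegated scopes for the two write operations below.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# --- Register an Application in Microsoft Entra ---
# Single tenant (AzureADMyOrg), Web platform, Authorize URL as the redirect URI.
$app = New-MgApplication -DisplayName "$DisplayName EAM" `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($IncodeAuthorizeUrl) }
Write-Host "Registered app; Application (client) ID = $($app.AppId)"

# --- Add Incode as an External Authentication Method ---
# Scoped to one group instead of the default "all users" so the pilot is contained.
$eamBody = @{
    '@odata.type'        = '#microsoft.graph.externalAuthenticationMethodConfiguration'
    displayName          = $DisplayName
    state                = 'enabled'
    appId                = $app.AppId                 # App ID field in the portal form
    openIdConnectSetting = @{
        clientId     = $IncodeClientId                # Client ID field
        discoveryUrl = $IncodeDiscoveryUrl            # Discovery Endpoint field
    }
    includeTargets       = @(
        @{ targetType = 'group'; id = $TargetGroupId; isRegistrationRequired = $false }
    )
}
$policyUri = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'
$eam = Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $eamBody -ContentType 'application/json'

# --- Read the method back and verify the values Entra will actually use ---
$check = Invoke-MgGraphRequest -Method GET -Uri "$policyUri/$($eam.id)"
if ($check.state -ne 'enabled' -or
    $check.appId -ne $app.AppId -or
    $check.openIdConnectSetting.clientId -ne $IncodeClientId -or
    $check.openIdConnectSetting.discoveryUrl -ne $IncodeDiscoveryUrl) {
    throw "External method '$DisplayName' was created but does not match the intended configuration."
}
Write-Host "External method '$($check.displayName)' ($($check.id)) enabled for group $TargetGroupId."
```

After running it, complete the admin-consent step in the portal, then proceed to Test the Integration. Keep the target group narrow until the Conditional Access and authentication-strength configuration that actually enforces Incode is in place; enabling the method for all users only makes Incode available as one more MFA option.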
Test the Integration
- Sign in to a Microsoft application with an account in your configured target group. The sign-in must be subject to an MFA requirement (for example, a Conditional Access policy that requires multifactor authentication); an EAM is offered only when Entra asks for a second factor.
- After entering your password, confirm you are prompted to verify your identity with Incode.
- Complete the verification session and confirm that sign-in proceeds successfully.
Warning: When Incode is required only as an MFA method (for example, by a Conditional Access policy that requires multifactor authentication), users can still select Sign in another way and satisfy the requirement with any other enrolled factor, bypassing Incode. See Authentication Strengths & Conditional Access with Incode EAM for guidance on restricting this.
