Microsoft Entra EAM
An External Authentication Method (EAM) lets users satisfy Microsoft Entra ID's MFA requirements through an external provider. This guide covers configuring Incode as an EAM in your Entra environment and describes the use cases this enables.
Prerequisites
Before you begin, ensure you have:
- Access to the Integrations page in the Incode Dashboard. Contact your Incode Representative if you do not see the Integrations page.
- A Workflow created for the integration
- An active Microsoft Entra ID P1 or P2 subscription
- A Microsoft Entra administrator account with appropriate privileges
What This Enables
Once Incode is registered as an EAM, it can be used in the following scenarios:
- SSPR & MFA recovery: Redirect users who forgot a password or cannot satisfy MFA to Incode for biometric and document verification before completing the reset.
- External authentication: Add Incode as a high-assurance check before granting access to apps or workflows via Entra Conditional Access.
- New-hire onboarding: Verify legal identity before activating Entra credentials for new employees.
How It Works
When a user is required to authenticate with Incode, Entra redirects them to an Incode verification session. The session requirements are determined by the Workflow linked to the integration. Once the session completes, Incode returns a result to Entra to confirm the user's identity.
For use cases that include claims matching, Incode reads the user's profile from the Entra directory and matches verified attributes from their government-issued ID against that record. A successful match is required before the Entra action is allowed to proceed. If claims do not match, the session is routed to manual review.
For directory sync configuration, including which Entra user attributes Incode uses, see Microsoft Entra Directory Sync.
Set Up Guide
Step 1: Create the Entra EAM Integration in Incode
- Log in to Dashboard.
- In the left navigation, click Integrations.
- Click New integration.
- From the IAM tab, click Microsoft Entra EAM, then click Continue.
- Enter a Name for this integration.
- Use the drop-down to Select a Workflow for this Integration.
- Copy the following values from the integration; they are needed in the steps that follow:
  - Client ID
  - Discovery Endpoint
  - Authorize URL
- Click Save.
Step 2: Register an Application in Microsoft Entra
- Log in to your Microsoft Entra Admin Center as an administrator.
- Navigate to App registrations > New registration.
- Configure the registration:
  - Name: Enter a name for the application.
  - Supported account types: Select Single tenant.
  - Redirect URI: Select the Web platform and paste the Authorize URL from Step 1.
- Click Register and copy the generated App ID.
Step 3: Add Incode as an External Authentication Method
- Navigate to Protection > Authentication Methods > Policies.
- Click + Add External Method (Preview).
- Configure the external method using the Client ID and Discovery Endpoint copied in Step 1 and the App ID copied in Step 2:
  - Click Request permission to grant admin consent for the Incode authenticator. Check Consent on behalf of your organization and click Accept.
  - Toggle Enable to On.
  - Click + Add Target to select the users or groups that should use Incode as an EAM. By default, the policy applies to all users.
- Click Save.
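Before saving the external method, it is worth confirming that the three values copied from the integration agree with each other, since a Discovery Endpoint that does not advertise the Authorize URL or a usable signing algorithm leaves Entra unable to validate the provider's id_token. The following check is an added example, not Incode's or Microsoft's code; it assumes the Discovery Endpoint is a standard OpenID Connect discovery document and uses a constructed sample document rather than a real one.

```python
"""Pre-flight consistency check for an Entra EAM provider's OIDC discovery document."""
import json
import urllib.request

# Fields Entra needs in order to redirect the user and validate the returned id_token.
REQUIRED_KEYS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "id_token_signing_alg_values_supported",
)

# Constructed sample document (not a real Incode endpoint) used for the offline run below.
SAMPLE_DOC = {
    "issuer": "https://eam.example.invalid",
    "authorization_endpoint": "https://eam.example.invalid/authorize",
    "jwks_uri": "https://eam.example.invalid/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
    "response_types_supported": ["id_token"],
}


def fetch_discovery(discovery_url: str, timeout: int = 10) -> dict:
    """Download and parse a live discovery document (network required)."""
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, discovery_url: str, authorize_url: str) -> list[str]:
    """Return the list of problems found; an empty list means the values are consistent."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    if problems:
        return problems
    if not discovery_url.startswith("https://") or not authorize_url.startswith("https://"):
        problems.append("endpoints must use https")
    # The discovery URL must live under the issuer it names (OIDC Discovery, section 4.1).
    if not discovery_url.startswith(doc["issuer"].rstrip("/") + "/"):
        problems.append("discovery URL is not under the issuer")
    # The Authorize URL registered as the redirect URI in Step 2 should be the same
    # endpoint that the discovery document tells Entra to send users to.
    if doc["authorization_endpoint"] != authorize_url:
        problems.append("authorization_endpoint differs from Authorize URL")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        problems.append("id_token signing must support RS256")
    if "id_token" not in doc.get("response_types_supported", ["id_token"]):
        problems.append("response_type id_token not supported")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DOC, SAMPLE_DOC["issuer"] + "/.well-known/openid-configuration",
                          SAMPLE_DOC["authorization_endpoint"]))
```

To run it against a live integration, pass the result of `fetch_discovery(discovery_endpoint)` together with the Discovery Endpoint and Authorize URL copied in Step 1.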
Testing
- Sign in to a Microsoft application with an account in your configured target group.
- After entering your password, you should be prompted to verify your identity with Incode.
- Complete the verification session and confirm that sign-in proceeds successfully.
Known limitation: Entra EAM via Conditional Access policies currently allows users to select Sign in another way and authenticate with a different enrolled factor, bypassing Incode. See Authentication Strengths & Conditional Access with Incode EAM for guidance on restricting this.
