Okta Classic Engine · Multi-Factor Authentication · Answered · posted 2026-01-15T12:10:58Z, last updated 2026-05-14T16:51:11Z

RossW.33813 (Customer) asked a question.

Entra ID - External ID - SAML - MFA Strength

I have a requirement to provide access to an Okta tenant from external Entra ID but ensure the level of MFA meets our requirements.

I have configured Entra ID as an External Identity Provider (SAML) and am picking up AuthN information in the SAML assertion.

Adding user.profile.authmethods.contains("http://schemas.microsoft.com/claims/multipleauthn") to the CA policy ensures MFA has been used, but I need to make sure email or SMS hasn't been used.

Any guidance on whether the MFA type can be included in the SAML assertion, or do I need to look at an OIDC integration and JWT tokens?

Thanks


  • Paul S. (Okta, Inc.)   [Selected as Best]

    Hello @RossW.33813 (Customer), thank you for posting on our Community page!

    This should be achievable. You can try the below guidance on this issue:

    You need to configure Entra ID to send the Authentication Methods References (AMR). This indicates how the user authenticated.

    1. In Entra ID: Navigate to your Enterprise Application (the Okta integration). Under Attributes & Claims, add a new claim.
    2. Claim Name: amr (or a custom name like mfa_methods).
    3. Source Attribute: Use the transformation or attribute that maps to the authentication method.

       Note: Entra's SAML implementation doesn't always expose the granular "phone" vs "software token" via a simple dropdown. You may need to use Conditional Access Authentication Strengths in Entra to ensure the user is forced into a specific bucket before they even get to Okta.

    4. In Okta: Map this incoming claim to a custom attribute in the Okta User Profile (e.g., user.ext_amr_methods).
    5. Okta Policy: Update your Expression Language check:

       user.profile.ext_amr_methods.contains("fido") or !user.profile.ext_amr_methods.contains("sms")

    Thank you for reaching out to our Community and have a great day!
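The check from step 5, run directly over the assertion Entra ID sends, as an added example that is not part of the answer above and not Okta's or Microsoft's code. It uses only the Python standard library, pulls the values of the `http://schemas.microsoft.com/claims/authnmethodsreferences` attribute (the attribute whose `multipleauthn` value the question already tests), and applies an allowlist of accepted second-factor methods instead of a `!contains("sms")` denylist, so an unrecognised method fails closed. The attribute name and the `multipleauthn` and `password` URIs are the ones Entra emits; the per-method URIs `urn:example:amr:fido2` and `urn:example:amr:sms` are placeholders (assumptions) to be replaced with whatever a captured assertion from your tenant actually contains, and the assertion itself is constructed and unsigned.

```python
"""Evaluate MFA strength from an Entra ID SAML assertion's AMR attribute.

Added example (not from the thread, Okta or Microsoft). Stdlib only.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name and claim URIs Entra ID emits; multipleauthn is the value the
# original question already tests for.
AMR_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"

# ASSUMED placeholders for per-method URIs. Replace with the exact values seen
# in a captured assertion from your tenant; Entra may not emit any such value.
FIDO_EXAMPLE = "urn:example:amr:fido2"
SMS_EXAMPLE = "urn:example:amr:sms"


@dataclass
class AmrDecision:
    allowed: bool
    reason: str
    methods: FrozenSet[str] = field(default_factory=frozenset)
    authn_context: Optional[str] = None


def extract_amr(assertion_xml: str) -> Tuple[Set[str], Optional[str]]:
    """Return (AMR claim values, AuthnContextClassRef) from one assertion.

    Plain ElementTree is fine for an already-verified, offline assertion. On the
    live path the SP (Okta here) must verify the XML signature and Conditions
    before any attribute is trusted; never feed an unverified browser POST in.
    """
    root = ET.fromstring(assertion_xml)
    methods: Set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != AMR_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                methods.add(value.text.strip())
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    return methods, (ctx.text.strip() if ctx is not None and ctx.text else None)


def evaluate_mfa_strength(assertion_xml: str, allowed_second_factors: FrozenSet[str]) -> AmrDecision:
    """Allowlist policy: MFA must be asserted AND every second factor must be accepted.

    Unlike a denylist (!contains("sms")), an unknown method fails closed, and so
    does an assertion that says only "multipleauthn" without naming the method:
    in that case Okta cannot distinguish SMS from FIDO, and the restriction has
    to be applied on the Entra side (Conditional Access authentication strength).
    """
    methods, ctx = extract_amr(assertion_xml)
    frozen = frozenset(methods)
    if MULTIPLEAUTHN not in methods:
        return AmrDecision(False, "no multipleauthn claim: single-factor sign-in", frozen, ctx)
    second_factors = methods - {MULTIPLEAUTHN, PASSWORD}
    if not second_factors:
        return AmrDecision(False, "MFA asserted but method not named; enforce strength in Entra CA", frozen, ctx)
    rejected = second_factors - allowed_second_factors
    if rejected:
        return AmrDecision(False, "disallowed second factor(s): " + ", ".join(sorted(rejected)), frozen, ctx)
    return AmrDecision(True, "MFA with accepted method(s): " + ", ".join(sorted(second_factors)), frozen, ctx)


def build_assertion(amr_values) -> str:
    """Constructed, unsigned assertion mirroring Entra's attribute layout (sample data only)."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr_values)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2026-01-15T12:00:00Z">'
        "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{AMR_ATTR}">{values}</saml:Attribute></saml:AttributeStatement>'
        '<saml:AuthnStatement AuthnInstant="2026-01-15T12:00:00Z"><saml:AuthnContext>'
        "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def demo():
    """Four constructed sign-ins evaluated against an allowlist of just the FIDO placeholder."""
    allowed = frozenset({FIDO_EXAMPLE})
    cases = {
        "fido": [PASSWORD, MULTIPLEAUTHN, FIDO_EXAMPLE],  # accepted
        "sms": [PASSWORD, MULTIPLEAUTHN, SMS_EXAMPLE],    # MFA, but disallowed method
        "opaque": [PASSWORD, MULTIPLEAUTHN],              # MFA, method not named
        "single": [PASSWORD],                             # no MFA at all
    }
    return {name: evaluate_mfa_strength(build_assertion(v), allowed) for name, v in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:7s} allowed={str(d.allowed):5s} {d.reason}")
```

The "opaque" case is the one to watch for: if a real assertion captured with a SAML tracer carries only the password and multipleauthn values, nothing mapped into an Okta profile attribute can separate SMS from a FIDO key, and the only effective control is the Conditional Access authentication strength mentioned in the answer's note.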
  • How to achieve this: "Adding user.profile.authmethods.contains("http://schemas.microsoft.com/claims/multipleauthn") to the CA policy ensures MFA has been used"

    What I want to configure:

    Entra ID as IdP, Okta as SP. I tried to map custom attributes from the IdP assertion to Okta attributes using directory profile mapping. Tried to use that in the authentication policy expression, but it doesn't work well. Is there any documentation available to go over it?

    I do not intend to save the assertion values in the Okta user profile, so I am not using JIT. We only want to use the Entra ID MFA for authentication and, if it's successful, redirect the user to the application or Okta dashboard.
