For native authentication in an External ID (CIAM) tenant, registering a strong/MFA method is always driven by the native auth flows and APIs. At least one strong authentication method (email or SMS one-time passcode) is required for MFA-enabled users, but additional methods can also be registered by invoking the same “strong authentication method registration” flow again after sign-in.
Conceptually, registering an additional MFA method after the user is already signed in works the same way as when AuthMethodRegistrationRequiredState is triggered during sign-in:
- Start a strong authentication method registration flow from the signed-in session (client-side UX decision).
- Call the native authentication register strong authentication method APIs.
- Complete the challenge with /register/v1.0/continue using the OTP from the new email/phone.
- On success, the new method is added to the user’s registered strong methods and becomes available for MFA challenges.
From the API perspective, the key step for completing registration is the continue call:
POST https://{tenant_subdomain}.ciamlogin.com/{tenant_subdomain}.onmicrosoft.com/register/v1.0/continue
?continuation_token=...
&client_id=...
&grant_type=oob
&oob={otp_code}
To support registering additional methods after login in a SPA:
- Ensure the app is configured with the strong authentication method registration capabilities (as in the Angular/React tutorials).
- Provide a “Manage security / Add MFA method” page in the SPA that:
- Uses the native auth JS SDK to initiate a register-strong-method flow for the signed-in user (email or SMS OTP).
- Guides the user through entering the new email/phone and verifying the OTP.
- Handle registration errors (for example, provider_blocked_by_admin or provider_blocked_by_rep) as documented in the native auth API reference.
In other words, to add another MFA method after login, invoke the same strong authentication registration flow (via native auth SDK + /register endpoints) from an authenticated context instead of waiting for AuthMethodRegistrationRequiredState during sign-in.
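As an added example (not code from the tutorials, the native auth JS SDK, or the API reference), the plain JavaScript below shows what the SPA's "Add MFA method" page has to send for the continue step shown above and how it can act on the documented blocked-provider errors. It calls /register/v1.0/continue directly instead of going through the SDK, and it assumes that the parameters travel as an application/x-www-form-urlencoded POST body, that success is HTTP 200 with a JSON body carrying a continuation_token, that a wrong passcode comes back as the OAuth-style error code invalid_grant, and that a passcode is 6 to 8 digits. Those assumptions, and the hypothetical function names, are marked in the code.

```javascript
// Added example: the /register/v1.0/continue step of strong-method
// registration, invoked from an already signed-in SPA context.
// Function names and error shapes are assumptions, not SDK API.

// Assumption: one-time passcodes are 6-8 digits; reject anything else
// client-side so garbage never reaches the endpoint.
const OTP_RE = /^\d{6,8}$/;

// Error codes documented for registration (blocked by tenant admin or
// by the provider's reputation/abuse controls). Neither is retryable.
const BLOCKED_ERRORS = new Set(["provider_blocked_by_admin", "provider_blocked_by_rep"]);

// Build the continue request: grant_type=oob with the OTP in `oob`.
// Assumption: parameters are sent as a form-encoded POST body.
function buildContinueRequest({ tenantSubdomain, clientId, continuationToken, otp }) {
  if (!OTP_RE.test(otp)) {
    throw new Error("one-time passcode must be 6-8 digits");
  }
  const url =
    `https://${tenantSubdomain}.ciamlogin.com/` +
    `${tenantSubdomain}.onmicrosoft.com/register/v1.0/continue`;
  const body = new URLSearchParams({
    continuation_token: continuationToken,
    client_id: clientId,
    grant_type: "oob",
    oob: otp,
  });
  return {
    url,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Turn the HTTP status and parsed JSON into a UX decision.
// Assumption: 200 means the method was registered; a wrong OTP surfaces
// as invalid_grant (retryable); the blocked_* codes end the flow.
function classifyContinueResponse(status, json) {
  const err = json && json.error;
  if (status === 200 && !err) {
    return { outcome: "registered", continuationToken: json.continuation_token ?? null, retry: false };
  }
  if (BLOCKED_ERRORS.has(err)) {
    return { outcome: "blocked", error: err, retry: false };
  }
  if (err === "invalid_grant") {
    return { outcome: "wrong_otp", error: err, retry: true };
  }
  return { outcome: "failed", error: err ?? `http_${status}`, retry: false };
}

// Drive the call. `fetchImpl` is injectable so the flow can be exercised
// offline with a stub; in the browser the default is the global fetch.
async function completeRegistration(params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildContinueRequest(params);
  const res = await fetchImpl(url, init);
  let json = null;
  try {
    json = await res.json();
  } catch {
    json = null; // non-JSON body: fall through to a generic failure
  }
  return classifyContinueResponse(res.status, json);
}

module.exports = { buildContinueRequest, classifyContinueResponse, completeRegistration };
```

The page's UI can branch on `outcome`: `wrong_otp` keeps the passcode field open for another attempt with the same continuation token, `blocked` tells the user this email/phone cannot be registered and offers a different method, and `registered` refreshes the list of strong methods. Keep the continuation token out of URLs and persistent storage; it only needs to live in page memory for the duration of the flow.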
References:
- Tutorial: Register strong authentication method in an Angular single-page app by using native authentication JavaScript SDK
- Tutorial: Register strong authentication method in a React single-page app by using native authentication JavaScript SDK
- Tutorial: Enable multifactor authentication in an Angular single-page app by using native authentication JavaScript SDK
- Tutorial: Enable multifactor authentication in a React single-page app by using native authentication JavaScript SDK
- Native authentication API reference