MFA not triggering for users created via Graph API in Entra External ID but works for portal-created users
Issue: When a user is created directly in the Entra admin portal and logs in through our application, MFA is triggered. When a user is created via Graph API and logs in through the same application, MFA is not triggered.
We compared both users via Graph API, and they are identical:
Things we have already checked:
- No user flows exist in the tenant; a third-party identity provider acts as the authentication layer and enforces MFA during login
- Compared both users via Graph API: all attributes are identical
- No Conditional Access policies targeting external users
- MFA is not configured via Entra user flow: it is enforced by the third-party identity provider during sign-in
Question: Is there any attribute automatically set by the Entra admin portal during user creation that is not set via Graph API that could affect MFA behavior in Entra External ID? Is there a hidden attribute, tenant-level default, or internal property that the portal sets which the Graph API does not expose?
Any suggestions or guidance are highly appreciated. We want to understand what the portal sets differently at a deeper level than what the Graph API exposes, so we can replicate it in our API provisioning payload and ensure consistent MFA behavior for all users, regardless of how they are created.
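One way to make the "compared both users via Graph API" step more thorough, as an added example that is not part of the original question: `GET /users/{id}` returns only a default subset of user properties unless you pass `$select`, so a comparison of the default responses can report two users as identical while properties such as `identities`, `creationType`, `externalUserState` or `passwordPolicies` differ. The script below fetches both users with an explicit `$select`, fetches each user's registered authentication methods from `/users/{id}/authentication/methods`, and prints a field-by-field diff. The property list, the ignored per-user identifiers and the two sample users are assumptions and constructed data; the samples are built to differ in two fields only so the diff has something to report, and are not a claim about what the portal actually sets.

```python
"""Field-by-field comparison of two Entra ID users via Microsoft Graph.

Added example, not code from the original question. Assumes a bearer token
with User.Read.All and UserAuthenticationMethod.Read.All; the property list
and the ignored identifiers are assumptions, and the sample users below are
constructed test data, not real tenant objects.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Properties to request explicitly. Several of these (identities, creationType,
# externalUserState, passwordPolicies, signInSessionsValidFromDateTime) are not
# in the default GET /users/{id} response, so a comparison without $select
# silently skips them. (Assumed list; extend as needed.)
SELECT_PROPERTIES = [
    "id", "userPrincipalName", "userType", "creationType", "externalUserState",
    "identities", "passwordPolicies", "accountEnabled", "onPremisesSyncEnabled",
    "signInSessionsValidFromDateTime", "createdDateTime",
]

# Last path segment of fields that are expected to differ per user and are not
# interesting for this comparison (assumed list).
IGNORE = {"id", "userPrincipalName", "createdDateTime", "issuerAssignedId"}


def graph_get(path, token, params=None):
    """Minimal authenticated GET against Graph; not called in the offline demo."""
    url = f"{GRAPH}{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="$,")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_user_snapshot(user_id, token):
    """User object with explicit $select plus the types of registered auth methods."""
    user = graph_get(f"/users/{user_id}", token, {"$select": ",".join(SELECT_PROPERTIES)})
    methods = graph_get(f"/users/{user_id}/authentication/methods", token)["value"]
    return {"user": user, "authMethods": sorted(m["@odata.type"] for m in methods)}


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted paths so the diff names the exact field."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        # Graph does not guarantee list order (identities, methods); sort a stable
        # JSON form so ordering alone never shows up as a difference.
        ordered = sorted(obj, key=lambda x: json.dumps(x, sort_keys=True))
        for index, value in enumerate(ordered):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_snapshots(left, right, ignore=IGNORE):
    """Return {dotted.path: (left_value, right_value)} for every differing field.

    A field present on one side only is reported with the value "<absent>".
    """
    flat_left, flat_right = flatten(left), flatten(right)
    diffs = {}
    for key in sorted(set(flat_left) | set(flat_right)):
        if key.split(".")[-1] in ignore:
            continue
        lval = flat_left.get(key, "<absent>")
        rval = flat_right.get(key, "<absent>")
        if lval != rval:
            diffs[key] = (lval, rval)
    return diffs


# Constructed sample snapshots (not real tenant data). They differ only in
# passwordPolicies and in one registered authentication method.
PORTAL_USER = {
    "user": {
        "id": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "alice_example.com#EXT#@contoso.onmicrosoft.com",
        "userType": "Member", "creationType": "LocalAccount",
        "externalUserState": None, "accountEnabled": True,
        "onPremisesSyncEnabled": None, "passwordPolicies": "DisablePasswordExpiration",
        "identities": [{"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
                        "issuerAssignedId": "alice@example.com"}],
    },
    "authMethods": ["#microsoft.graph.passwordAuthenticationMethod",
                    "#microsoft.graph.phoneAuthenticationMethod"],
}
API_USER = {
    "user": {
        "id": "00000000-0000-0000-0000-000000000002",
        "userPrincipalName": "bob_example.com#EXT#@contoso.onmicrosoft.com",
        "userType": "Member", "creationType": "LocalAccount",
        "externalUserState": None, "accountEnabled": True,
        "onPremisesSyncEnabled": None, "passwordPolicies": None,
        "identities": [{"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
                        "issuerAssignedId": "bob@example.com"}],
    },
    "authMethods": ["#microsoft.graph.passwordAuthenticationMethod"],
}

if __name__ == "__main__":
    # Offline demo on the constructed samples. Against a real tenant, replace the
    # two snapshots with fetch_user_snapshot(<portal user id>, token) and
    # fetch_user_snapshot(<api user id>, token).
    for path, (portal, api) in diff_snapshots(PORTAL_USER, API_USER).items():
        print(f"{path}: portal={portal!r} api={api!r}")
```

Run it against the two real users and every line printed is a field the default comparison would have missed; an empty diff on the full property set plus the authentication methods shows the difference is not in the user object at all, which moves the investigation to the sign-in path (the third-party identity provider's view of each user) rather than the provisioning payload.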