How to Restrict MFA to a Web Application to trigger mails

Trinadh 0 Reputation points
2025-06-18T07:41:18.6866667+00:00


Microsoft Entra ID

2 answers

  1. Eric Nguyen 860 Reputation points Independent Advisor
    2025-06-19T02:40:20.43+00:00

    Hi @Trinadh ,

    Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

    Email OTP is only used for Self-Service Password Reset (SSPR) and B2B collaboration scenarios where users can’t be authenticated through other means, such as Microsoft Entra ID, Microsoft accounts (MSA), or social identity providers. That’s why Email is not included as a supported method in Microsoft Entra ID multi-factor authentication.

    Could you please confirm how you're planning to use Email OTP? If you're using B2B collaboration, it's important to note that Email OTP cannot be limited to just one app—it’s part of the required process for creating guest accounts in the resource tenant.

    Looking forward to your clarification so we can provide more targeted guidance.

    Kindly let me know if this works for you, and please let me know if you have any further questions.

    If I have answered your question, please accept this answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

    Best regards,
    Eric


  2. VigneshwarDuvva-5247 1,990 Reputation points Moderator
    2025-06-19T02:41:57.27+00:00

    Hello @Trinadh

    There are no app-specific controls for Microsoft Entra ID MFA. If you are using AD FS with the on-prem version of MFA (server), you can force a specific method per RPT, and more granularly via claims rules. But that's not available for the cloud version.

    To require Multi-Factor Authentication (MFA) specifically for a web application and trigger email notifications (such as MFA enrollment or method registration), you need to use Conditional Access policies in Microsoft Entra ID. Here is how you can configure it:

    Go to the Azure portal and select Microsoft Entra ID

    Navigate to Security > Conditional Access.

    1. Create a new policy.

    2. Users: Select the users or groups to whom the policy should apply.

    3. Cloud apps or actions: Select the specific web application you want to protect.

    4. Conditions: (Optional) Set conditions such as device state, ___location, or client app.

    5. Access controls: Under Grant, select Require multi-factor authentication.

    6. Enable and create the policy.

    Result: Users will only be prompted for MFA when accessing the protected app, as per your Conditional Access policy.

    Currently, we do not have an option to configure an alert when any of the MFA methods is added, deleted or modified.

    But you can pull the report on which user has registered for which MFA method.

    You can get this report using Azure portal GUI.

    • Log in to the Azure portal with global admin credentials.
    • Go to Microsoft Entra ID.
    • Click on Security
    • Then click on Authentication Methods.
    • Now you can click on "User registration details" and "Registration and reset events".
    • This is the report that shows which user is registered for what authentication method in MFA.


    Let me know if you have any questions on this.

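The same two tasks from the answer above, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original answer: the first part creates the Conditional Access policy (scoped to one group and one application, grant control "Require multi-factor authentication"), the second pulls the per-user authentication method registration report that the portal shows under Authentication Methods > User registration details. Assumptions, all of them placeholders: the Microsoft.Graph modules are installed, the signed-in account can consent to the listed scopes, and the application name "Contoso Web Portal", the group "CA-MFA-WebApp-Pilot" and the break-glass account UPN are names you replace with your own.

```powershell
# Added example, not from the original answer. Requires the Microsoft.Graph
# PowerShell modules (Install-Module Microsoft.Graph). All display names and
# the break-glass UPN below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "Group.Read.All", "User.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Resolve the target web app (its service principal), the pilot group and a
# break-glass account by name. Placeholder names: replace with your own.
$app        = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Web Portal'"
$group      = Get-MgGroup            -Filter "displayName eq 'CA-MFA-WebApp-Pilot'"
$breakGlass = Get-MgUser             -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $app -or -not $group -or -not $breakGlass) {
    throw "App, group or break-glass account not found; check the placeholder names."
}

# Policy body: the Graph representation of the portal steps in the answer.
# Conditional Access references applications by their application (client) ID,
# which is $app.AppId, not the service principal object ID.
$policy = @{
    displayName   = "CA - Require MFA - Contoso Web Portal"
    # Start in report-only mode and review sign-in logs before switching to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($group.Id)
            # Always exclude a break-glass account so a bad policy cannot lock out admins.
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($app.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Registration report: which users are registered for MFA and with which methods.
# Users with IsMfaRegistered = False will be blocked (or prompted to register)
# when the policy above is enabled, so review them before enforcing it.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsMfaRegistered |
    Export-Csv -Path .\mfa-registration.csv -NoTypeInformation
```

Creating the policy in report-only state and reading the registration CSV first is the safe order: the sign-in logs then show who would have been prompted or blocked, and the CSV shows who cannot satisfy the MFA grant yet, without anyone being locked out in the meantime.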
