Hello Mike Dooney,
Thank you for reaching out to Microsoft Q&A.
Below is a step‑by‑step path to enable MFA and Conditional Access for your customer‑facing Microsoft Entra External ID tenant:
What you can (and cannot) upgrade in External ID
External ID (customer/CIAM) doesn’t use Entra ID P1/P2 per‑user licenses.
External ID is billed by Monthly Active Users (MAU). The core features are free for the first 50,000 MAU, and premium add‑ons (including MFA/Conditional Access enforcement for consumer flows) are charged per MAU. You don’t assign P1/P2 licenses like you do in a workforce tenant.
For your reference: https://learn.microsoft.com/en-us/entra/external-id/external-identities-pricing
Conditional Access for workforce vs. external tenants:
Workforce tenants use P1/P2 licensing to enable Conditional Access. External ID enforces policies within customer flows and charges via MAU (premium add‑ons).
For your reference: https://learn.microsoft.com/en-us/entra/fundamentals/licensing
SMS in External ID: SMS is not available as first‑factor/authentication or SSPR; it is available as a second factor with an additional per‑MAU cost.
For your reference: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers
Resolution: enable MFA & Conditional Access in your External ID tenant
1) Link the External ID tenant to an Azure subscription (billing)
Sign in to Microsoft Entra admin center and switch to your External ID directory.
Go to Home → Billing and link the tenant to a subscription.
This enables usage‑based billing (MAU) and unlocks premium add‑ons.
Note: The tenant overview may still show “Microsoft Entra ID Free” even after linking—this is a known UI issue; billing status is visible under Billing.
For your reference: https://learn.microsoft.com/en-us/entra/external-id/external-identities-pricing
For your reference: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers
2) Turn on MFA and Conditional Access for customer flows
For External ID (CIAM) tenants, you configure authentication and CA within the external user journeys:
Review how authentication & Conditional Access apply to external identities and when cross‑tenant claims/trusts are honored.
For your reference: https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access
Plan Conditional Access similarly to workforce scenarios, but remember billing is MAU‑based in External ID.
For your reference: Plan Your Microsoft Entra Conditional Access Deployment - Microsoft Entra ID | Microsoft Learn
Typical steps in the External ID portal:
In your External ID tenant, open the customer application (App registrations) you want to protect.
Configure the sign‑in user flows (or custom extensions) and then define Conditional Access policies that require MFA based on signals (app, location, user groups, etc.).
If you need SMS as a second factor, enable it in the MFA methods—but note the additional per‑MAU charge.
3) If you instead meant workforce (internal) users in that tenant
If your “customer‑facing” tenant is actually being used to host workforce identities (admins, staff) and you want to use Conditional Access for them:
You do purchase Microsoft Entra ID P1/P2 per user and assign licenses; then configure Conditional Access policies.
Purchase options and activation steps are documented here:
https://learn.microsoft.com/en-us/entra/fundamentals/get-started-premium
https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-licensing
Why you were blocked “upgrading” to P1
The Microsoft 365 admin center is optimized for workforce licensing (assigning P1/P2 to internal users). For External ID, you won’t “see” a P1 SKU to buy for customers; you link to a subscription and enable MAU‑metered features instead.
For your reference: https://learn.microsoft.com/en-us/entra/fundamentals/get-started-premium
Please reach out to us in case of any further issue.
Thanks