Skip to main content

Multi-Factor Authentication (MFA)

Questions about Modern Authentication? Review this resource page for more information

core concept

Applications which migrate to Entra ID in FY26 without MFA enabled will not require any additional application specific configuration or code changes to enforce MFA in FY27.


This topic covers Multi-Factor Authentication (MFA) in Entra ID from two perspectives:


In this article: App team MFA requirements as part of thier migration activities - and important considerations for those who've already migrated.

📖 Learn More: See the Guiding Questions below

In this article: What your application's end users can expect to see when signing in via Entra ID and, depending on certain scenarios, what to do next.

📖 Learn More: Review the User Experience section

Guiding Questions

From an application team perspective, these brief questions will help you determine what's required (or not) when migrating to Entra ID, which in turn will dictate the end user experience.

Does your application require MFA?
Have you already configured MFA for your application in Entra ID?

User Experience

Modern Authentication users

Users who have moved to Modern Authentication are already using MFA for all logins, and thus will not see any change in authentication from their current sign-in experience.

This section depicts the user experiences and prompts users may encounter while trying to authenticate an application that has transitioned from PwC ID to Entra ID with Multi-Factor Authentication (MFA) enabled.

End users may have different experiences depending on whether they have installed and set up MFA on their mobile devices and/or tablets. If users have not set up MS Authenticator when attempting to log into an MFA-enabled application, they may be prompted to do so.

End users can also proactively set up MFA by referring to the Microsoft Authenticator Setup QRG.

Microsoft Entra ID Login Page

Post-migration, your app will redirect users to a page that looks like this for authentication ⤵️

  • This 'Sign in' prompt will also appear for users accessing the app from an incognito / inPrivate browser.

  • Users will skip this page if they already have an active Entra ID session on their browser, in which case they should expect to be automatically signed into the application.

Here, users will enter their email address and click    

In All Environments

The username / email should be entered in the following format:

John.Doe@pwc.com


Modern Auth Users

Immediately after entering their email address on the above Login Page, users who have completed their Modern Auth transformation will then be prompted to approve the sign-in as shown here ➡️


From here, users will open the MS Authenticator application on their mobile device and enter the number shown to complete their sign in.

first-time Modern Auth sign-ins will prompt to enroll an MFA factor

Keep Me Signed In (KMSI) Prompt

Users will see this "Keep Me Signed In" (KMSI) prompt ➡️

  • ☑️ Each day when logging into the app for the first time
  • ☑️ Any time they access the app using an incognito browser

Selecting     will cache a persistent Single Sign On (SSO) cookie which reduces number of login prompts the user should expect to see.


Regardless of their   /   selection, users will then return to the application's configured redirectURL / homepage, and authentication is considered complete.


MFA Factor Enrollment

If your application has MFA enabled and users have either:

  • Not installed the Microsoft Authenticator app on their mobile device or
  • Installed the app but not registered their PwC Profile:

They will be prompted with this pop-up when attempting to log into your application ➡️

Here, users should click    


From this screen ➡️

  • If users have already installed the MS Authenticator app on their mobile device, click  

  • If not, click Download now, configure the app and, when finished, click    



On their mobile device, if prompted to allow notifications, please allow.


Next, the user will need to add an account.

They should see the + sign option, and should then select Work or School account.



On the next dialog box, select Scan a QR code.

After scanning the QR code via the Microsoft Authenticator application, the user should click Next on their PC.



After scanning the QR code, users should then see this screen on their PC along with a number:

They will be asked to enter the code on their mobile app. After entering the code, click    

This page indicates their mobile app has been successfully registered to the PwC tenant. They may now select    


Once the user has completed installing MS Authenticator, they will be prompted for MFA approval during sign-in, as depicted in the Modern Auth User Experience

note

If end users experience any MS Authenticator related issues, instruct them to reach out to their local service desks.