Hello Aaron-0171,
The "Remember multi-factor authentication on trusted devices" feature is supported in both Microsoft Entra External ID and Azure AD B2C tenants. To confirm this, I performed a quick test in my own External ID tenant by enabling the "Remember multi-factor authentication on trusted devices" option for 7 days using the Per-user MFA service settings. Please refer to the screenshot below.
After enabling this setting, all users in my tenant were able to see the option on the login screen to remember the device for the number of days specified.
I conducted the test using a regular user in the tenant—not a local or guest (B2B) account.
It's important to note that this feature is not compatible with B2B users. The option will not appear for B2B users signing into invited tenants. In other words, if a user's identity is managed by an external identity provider rather than your own tenant, this feature will not be available. Reference: Remember multi-factor authentication – how the feature works.
To summarize:
- The feature is supported in both Entra External ID and Azure AD B2C tenants.
- It only works for users who are created in the same tenant.
- It does not work for B2B users signing into an external tenant.
Any local account created within your tenant will be managed under External Identities. One key observation is that the User Principal Name (UPN) format will vary between local accounts and internal users.
To help illustrate this, I'm attaching a screenshot from my demo tenant, which contains four different types of users:
- CIAM Admin User – This user was created directly in my External ID (CIAM) tenant. As expected, the identity uses the format CIAMDomain.onmicrosoft.com since it is natively managed within the CIAM directory.
- Hari – This user was created from the Azure portal using the "Create new external user" option. I provided a personal Microsoft account email address, so the authentication is handled by the personal Microsoft account system. The key point here is that the UPN appears in the format ******@CIAMDomain.onmicrosoft.com, indicating that the user identity is managed externally and not natively within the CIAM tenant.
- Signup Flow User – This account was created using a sign-up user flow, which also results in the user being managed by an external identity provider.
- Guest User – This user was invited from another tenant. Guest user identities will always show ExternalAzureAD as their source, indicating that they reside in a different directory.
So, to summarize: Local account identities are always managed by their respective identity providers (like personal Microsoft accounts, social IDPs, etc.)—not directly by your CIAM tenant.
I hope this information is helpful. Please feel free to reach out if you have any further questions. For a more detailed explanation with an example, please refer to the following Q&A post which discusses a similar scenario.