
Commit c695966

Clarify Entra External MFA and passkey positioning
1 parent 6109c8e commit c695966

8 files changed

Lines changed: 144 additions & 71 deletions

docs/.vitepress/theme/components/EntraIntegrationFlow.vue

Lines changed: 1 addition & 1 deletion
@@ -70,7 +70,7 @@ function startAnimation() {
7070
<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="5" y="2" width="14" height="20" rx="2" ry="2"/><line x1="12" y1="18" x2="12.01" y2="18"/></svg>
7171
</div>
7272
<div class="entra-flow-label">Mobile ID</div>
73-
<div class="entra-flow-sublabel">SIM or App authentication</div>
73+
<div class="entra-flow-sublabel">Provider-side method is selected</div>
7474
</div>
7575

7676
<div class="entra-flow-arrow" :class="{ 'entra-flow-arrow--active': phase >= 4 }">
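Review bot: the new sublabel "Provider-side method is selected" at line 73 is passive and does not say who selects, which is the very point this commit is making elsewhere (Mobile ID, not Entra, chooses SIM, App or Passkey). Consider an active label such as "Mobile ID selects the authentication method" so the diagram matches the "Entra decides when, Mobile ID decides how" wording introduced in cloud-integration-guide.md.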

docs/.vitepress/theme/components/EntraUseCaseCards.vue

Lines changed: 7 additions & 7 deletions
@@ -9,29 +9,29 @@ const useCases = [
99
{
1010
icon: 'cloud',
1111
title: 'Microsoft 365 & Cloud Apps',
12-
desc: 'Secure access to Outlook, Teams, SharePoint and other cloud applications with Mobile ID as MFA — for every employee, on every device.',
13-
methods: ['SIM', 'App'],
12+
desc: 'Secure access to Outlook, Teams, SharePoint and other cloud applications. Entra consumes the external MFA result while Mobile ID runs the strong method.',
13+
methods: ['SIM', 'App', 'Passkey'],
1414
color: 'blue'
1515
},
1616
{
1717
icon: 'shield',
1818
title: 'VPN & Remote Access',
19-
desc: 'Protect VPN gateways, Citrix, VDI and remote desktop sessions. Mobile ID SIM works even on basic phones without app installation.',
19+
desc: 'Protect VPN gateways, Citrix, VDI and remote desktop sessions. SIM and App both work well for out-of-band MFA in client-driven and remote-session journeys.',
2020
methods: ['SIM', 'App'],
2121
color: 'green'
2222
},
2323
{
2424
icon: 'lock',
2525
title: 'Privileged Access',
26-
desc: 'Enforce stronger authentication for admin accounts and sensitive systems. Mobile ID provides multiple strong methods to protect privileged access.',
27-
methods: ['SIM', 'App'],
26+
desc: 'Require an external MFA step for admin accounts and sensitive systems. Entra decides when MFA is needed; Mobile ID handles the provider-side method.',
27+
methods: ['SIM', 'App', 'Passkey'],
2828
color: 'pink'
2929
},
3030
{
3131
icon: 'users',
3232
title: 'Hybrid & Field Workforce',
33-
desc: 'Field workers without smartphones use SIM-based MFA. Office staff use the App with biometrics. One provider, every scenario covered.',
34-
methods: ['SIM', 'App'],
33+
desc: 'Cover mixed workforces with one provider: SIM for users without smartphones, App for smartphone users, and passkeys for browser-centric journeys where enabled.',
34+
methods: ['SIM', 'App', 'Passkey'],
3535
color: 'teal'
3636
}
3737
]
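Review bot: the `methods` badges at lines 13, 27 and 34 now list 'Passkey' for three cards while the VPN card at line 20 keeps ['SIM', 'App'], but nothing in the card copy explains why passkeys are absent there or that these badges describe provider-side availability rather than something an Entra admin picks per use case. Since the Known Limitations in cloud-integration-guide.md state that Entra does not expose Mobile ID method selection, either add a short footnote to the card component (e.g. "Methods are selected on the Mobile ID side, not in Entra") or make the VPN description say why passkeys are not listed for remote-session journeys, so the badges and the limitation text do not read as contradictory.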

docs/oidc-integration-guide/cloud-integration-guide.md

Lines changed: 18 additions & 3 deletions
@@ -4,23 +4,38 @@ This chapter covers a few Mobile ID integration scenario examples with popular p
44

55
## Microsoft Entra ID
66

7-
[MobileID](https://www.swisscom.ch/mid) integrates with Microsoft Entra ID using External MFA, enabling Multi-Factor-Authentication (MFA) for Entra ID logon. MobileID provides seamless inline user enrolment, self-service device management, and supports a range of authentication methods, including highly secure crypto-SIM tokens and app-based push authentication for iOS and Android, with advanced options such as Number Matching and Geofencing.
7+
[MobileID](https://www.swisscom.ch/mid) integrates with Microsoft Entra ID using External MFA. In this model, Entra ID remains the identity platform and hands the MFA step to MobileID as the external provider.
8+
9+
Within the broader Mobile ID ecosystem, strong user authentication can be fulfilled with **Mobile ID SIM**, **Mobile ID App**, and **Mobile ID Passkeys**. Microsoft Entra ID does not need to understand or configure these internal methods individually. It consumes the successful result of the Mobile ID provider flow.
810

911
In 2020, Microsoft announced plans to replace custom controls with a new method for integrating third-party authentication. MobileID has been working closely with Microsoft to deliver an authentication solution for Microsoft External MFA, previously known as External Authentication Methods (EAM), available from May 2024 and generally available since March 2026.
1012

11-
MobileID via External MFA is fully recognized as a multifactor authentication method within Entra ID, meeting MFA policy requirements. Once MobileID is defined as an External MFA provider, you can create Entra ID conditional access policies with MFA using MobileID and assign these to specific users, groups, or applications.
13+
MobileID via External MFA can satisfy the standard **Require multifactor authentication** grant control in Entra ID Conditional Access and is managed alongside the other authentication methods in Entra ID. It is not identical to every built-in Entra method, however: Microsoft does not currently support External MFA with Authentication Strengths.
1214

1315
::: info
1416
External MFA in Microsoft Entra ID is now generally available. For the current Microsoft guidance, see the [GA announcement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/external-mfa-in-microsoft-entra-id-is-now-generally-available/4488926), [How to manage external MFA in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage), and the [Microsoft Entra External MFA method provider reference](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider). External MFA replaces Custom Controls, which Microsoft plans to deprecate on September 30, 2026.
1517
:::
1618

19+
### How the Entra External MFA Hand-off Works
20+
21+
Microsoft Entra ID talks to the external provider through the **OIDC implicit-flow pattern documented by Microsoft for External MFA**. In practice, Entra ID sends a request to the MobileID authorization endpoint with parameters such as `response_type=id_token`, `response_mode=form_post`, and an `id_token_hint` that identifies the user and tenant.
22+
23+
MobileID validates that Entra context, runs the provider-side authentication journey, and returns a signed `id_token` to Entra ID. Entra ID validates the returned claims and decides whether the MFA requirement is satisfied.
24+
25+
This separation is important for documentation and operations:
26+
27+
- **Entra ID** decides when MFA is required and consumes the external MFA result.
28+
- **Mobile ID** decides how the user authenticates inside the provider journey.
29+
- Method-specific controls from the standard Mobile ID OIDC integration, such as ACR values or passkey `keyringId` handling, are **not configured in the Entra admin center**.
30+
1731
### Sign-in Flow
1832

1933
![entraid-sign-in-flow](/img/entraid-sign-in-flow.png)
2034

2135
### Known Limitations
2236

2337
- Users must specifically select the MobileID External MFA option during authentication. If they have other MFA methods configured besides MobileID, they may need to click "Other options" on the Microsoft "Verify your identity" prompt in order to choose MobileID.
38+
- Microsoft Entra ID does not expose Mobile ID-specific method selection. Whether Mobile ID uses SIM, App, or Passkey inside the provider journey depends on the user's activated methods and the Mobile ID provider-side configuration for that Entra integration.
2439
- Cross-tenant user authentication with MobileID External MFA has limitations. It will only work if:
2540
- The external Microsoft Entra organization trusts MFA claims from the user's home tenant.
2641
- The user has already established a valid MFA claim by authenticating to an application within their home tenant before accessing the cross-tenant application.
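Review bot: the claim at line 13 that "Microsoft does not currently support External MFA with Authentication Strengths" needs a citation to the Microsoft page it comes from and an "as of <month year>" marker, because "currently" will go stale silently; the GA announcement and manage-external-MFA links in the info box are the natural anchors. In the new "How the Entra External MFA Hand-off Works" section, line 23 says MobileID "validates that Entra context" without saying what is validated; spelling out the checks the provider must perform on the `id_token_hint` (issuer, audience, signature against Entra's published keys, expiry, and binding the returned `id_token` to the request via `nonce`) would make the security property of the hand-off explicit rather than implied. It is also worth stating at line 21 that this implicit-flow profile is Microsoft's requirement for External MFA providers, so readers do not take it as a general recommendation to use implicit flow.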
@@ -96,7 +111,7 @@ If you have multiple Entra ID authentication methods enabled, you may need to cl
96111

97112
<img src="/img/entraid-other-options.png" alt="entraid-other-options" width="500">
98113

99-
You will be redirected to the MobileID prompt or user enrolment, depending on your configuration.
114+
You will be redirected to the MobileID provider journey, where MobileID either starts user enrolment or prompts for one of the enabled authentication methods, depending on your configuration.
100115

101116
Once you complete the MobileID authentication, you'll return to Entra ID to finish logging in to the application.
102117

docs/oidc-integration-guide/passkey-authentication.md

Lines changed: 6 additions & 0 deletions
@@ -6,6 +6,12 @@ MobileID Passkeys are now live in the production environment as a **freshly laun
66

77
MobileID now supports **FIDO2 Passkeys** as an authentication method within the OpenID Connect service. Relying Parties can allow their users to authenticate using MobileID Passkeys - alongside or instead of the existing MobileID SIM, App, and OTP SMS methods.
88

9+
::: info Scope: standard Mobile ID OIDC vs. Entra External MFA
10+
This page documents the **standard Mobile ID OIDC relying-party integration**, where the RP uses the authorization code flow and can request Mobile ID-specific ACR values, passkey scopes, and `keyringId` handling.
11+
12+
**Microsoft Entra ID External MFA is a different integration pattern.** In that model, Entra ID calls the external provider with its own OIDC implicit-flow profile and consumes only the provider result. The Entra admin center does not expose these Mobile ID-specific ACR or passkey controls. See [Public Cloud Integration / Microsoft Entra ID](/oidc-integration-guide/cloud-integration-guide#microsoft-entra-id).
13+
:::
14+
915
## What Are Passkeys?
1016

1117
The MobileID ecosystem already offers several proven authentication methods: **MobileID SIM** (SIM-based authentication), **MobileID App** (push-based authentication on iOS and Android), and **OTP SMS**. With the introduction of **FIDO2 Passkeys**, MobileID now adds a modern, phishing-resistant authentication option to its portfolio - giving Relying Parties and their users even more flexibility to balance security and convenience.
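Review bot: the info box at lines 9-13 says what the Entra admin center does not expose (ACR values, passkey scopes, `keyringId`) but not where those settings live for an Entra integration, which is the question a reader of this page will have next; add one sentence stating that they are applied in the Mobile ID provider-side configuration for the Entra integration (or that they are not applicable in that model, if that is the case). The cross-reference target `#microsoft-entra-id` matches the "## Microsoft Entra ID" heading in cloud-integration-guide.md, so the link resolves, but the Scope box repeats the same explanation that file now carries; keeping the two in step will need care on future edits.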
