This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 56.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
I used a b2c starter pack to create my MFA B2C sign in policy with phone number as a factor. But for some reason it doesn't work as expected. First time when I sign in it work fine - the policy is asking me to verify my sign in via SMS and then I got a token. But when I run the flow immediately after my 1st sign in, it shows the same phone verification page while it shouldn't. I expect that it should silently sign me in without phone verification. So looks like MFA session is invalid. How to fix that?
The SocialAndLocalAccountsWithMfa starter pack by default includes the Sessions Manager technical profile which facilitates SSO if you have already signed into the same browser session. However, if your authentication request includes prompt=login parameter you will be forced to perform login again regardless of whether you have an active session and session cookie or not.
If you are using the Run Now endpoint, prompt=login parameter is specified by default at the end of the URL. If you have an active session and you try to sign-in using custom policy in a new tab within same browser session without prompt=login, you will be directly signed-in without having to enter the credentials and perform MFA again.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @AmanpreetSingh-MSFT
Thank you for the answer. However even though I remove prompt=login is's still not working and I got the same MFA page when logging in second time. But I don't need to enter a username and password. Do you have any other suggestions?
Hi @Vasilii Aleksandrov Please add <IncludeTechnicalProfile ReferenceId="SM-MFA" /> to SM-AAD technical profile in the TrustFrameworkBase file as highlighted below and test again.
Hi @Vasilii Aleksandrov Have you had a chance to test it out?
@AmanpreetSingh-MSFT I've just tested it and still having the same issue. Do you have any other ideas? Thank you in advance!
@Vasilii Aleksandrov I tested it in my lab and it is working for me. You can try signing up with my policy and test it out. You can try from scratch by using LocalandSocialAccountwithMFA starter pack or If required, I can share my policy files with you.
Also, make sure you have removed prompt=login from the run now url.
@AmanpreetSingh-MSFT Looks like your solution works! But I made one update in addition to yours: In PhoneFactor claims provider I changed <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" /> to <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
Looks like it fixes the issue. Do you think this update is correct?
@Vasilii Aleksandrov I don't think that's a valid fix as phone factor should use SM-MFA technical profile for session management. Since local account sign-in uses SM-AAD for session management and MFA session was not working as expected during sign-in, I included SM-MFA in SM-AAD technical profile. But changing UseTechnicalProfileForSessionManagement from SM-MFA to SM-AAD may cause unexpected behavior and shouldn't be done.
@AmanpreetSingh-MSFT Sorry for such a long time of my response - I was working on another urgent things.
So I don't think adding <IncludeTechnicalProfile ReferenceId="SM-MFA" /> works from me. I still see MFA request every time I try to sign in.
Do you have any other ideas?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 81%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
@AmanpreetSingh-MSFT I am not the OP for this question, but for what it's worth, this solution did work for me. Thank you for the suggestion!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 47%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
Hi @AmanpreetSingh-MSFT Could you please share the policy files here. For me also adding <IncludeTechnicalProfile ReferenceId="SM-MFA" /> doesn't solve the issue
Hi The change you suggested is working for me now. (<IncludeTechnicalProfile ReferenceId="SM-MFA" />)It seems it took some time to get this updated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 7.000000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
Hi, I would recommend to Evaluate session lifetime policies, please use below URL for reference:-
In case after following the steps, still issue persists, please do mention.
Thanks,
Ravi
I believe the link you gave me is only applicable to a regular Azure Active Directory not to Azure AD B2C. My case is Azure AD B2C. Could you clarify? Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 35%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
@AmanpreetSingh-MSFT
For mfa-email-or-phone custom policy how to configure MFA Session to skip MFA Prompt for Every sign in?
When I am testing Policy on Azure AD B2C Portal it will always prompt MFA dialog for both Email and Phone method,
How can we configure and Test MFA Session?
I am not sure what I am missing.
Thanks in advance for any suggestion
@Mepani Arvindkumar Vishram I've asked the same question and still didn't get an answer. I've also asked MS Support to help me with that. Their answer was like 'Its behavior is expected'. I am still not sure why it's expected and why the user should enter the code every time. I don't think it's correct.
Please, let me know if you solved the problem somehow.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 56.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETK%3C/text%3E%3C/svg%3E)
I've seen the same behavior and added the following line to the AAD-UserReadUsingObjectId:
<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
The issue is that the session manager relies on the Verified.strongAuthenticationPhoneNumber, which is not set when reading data from the directory. I've raised this issue last year in the advisors group, but haven't seen a follow up.
@Taeke Kooiker Thank you for your comment. But adding this like doesn't help in my case. Any other ideas?
Make sure that the claims that are stored in the SM-MFA are available in subsequent flows.
This is an issue in the starterpack, where Verified.strongAuthenticationPhoneNumber is stored in the session after MFA, but in AAD-UserReadUsingObjectId strongAuthenticationPhoneNumber is read back. Since that is not Verified.strongAuthenticationPhoneNumber, the session cannot be matched and isActiveMFASession is not set. Therfore the user is required to do MFA, again.
I've gotten confirmation that this is a known issue and an updated starter pack is on the backlog.
Sorry, but your suggestion doesn't work. Have you made any other changes in starter pack's policies? Looks like isActiveMFASession is definitely not set for some reason even though I used Verified.strongAuthenticationPhoneNumber
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 1%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
I think the problem is caused by 'Verified.OfficePhone' only being populated when it is a new number. If it has validated an existing number it remains empty.
Why 'SM-MFA' would persist that on the session? I haven't seen the logic in that yet.
In my TrustFrameworkExtensions I have added the TechnicalProfiles in attached file.
72733-pfsession.xml
Assumption is it will only progress from the PhoneFactor UI if validated.
The claim 'myMfaActionClaim' is a custom claim that holds the MFA method validated. It could then be emitted to the app.
I am not yet convinced this is a proper way of doing it, but it does have the effect of not re-validating as long as the session exists.
Maybe even for a very long time with KMSI.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 40%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
I can confirm that adding the code:
<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
To the default policies works.
Hi @Vasilii Aleksandrov ,
If possible could you please share your custom azure ad b2c policy.
So, I can take a look and try atleast some configuration my policy to test MFA behaviour.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 37%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Great topic and awesome responses.
Is there a way to invoke MFA separately after login?
When user tries to access specific features I'd like to invoke the MFA step again. Is that possible to do using AD B2C Custom policies? I'm trying to invoke MFA only for specific parts of my application. I'd like my user to be able login based on password + mfa that only allows read-only access to more secure aspects of the site.