Invoking MFA without invoking login flow for OIDC in Azure AD B2

Pawan Venugopal 0 Reputation points
2024-10-03T04:26:17.27+00:00

UseCase:

Invoke MFA only for certain high-risk actions like fund transfer or changing settings in an authenticated session, i.e. the user uses Azure AD B2C to log in to our app, which is configured with MFA. Once the user has successfully authenticated I would like to invoke MFA without invoking the login flow for OIDC.

For example, in the code below, if the user is already logged in and MFA verified, it does not re-prompt for MFA.


const crypto = require('crypto');     // used for the nonce
const passport = require('passport'); // the 'oidc' strategy is registered elsewhere

app.use('/auth/2fa', ensureLoggedIn, (req, res) => {
    console.log("******In MFA Page******");
    // Where to send the user once the step-up round trip completes
    const state = JSON.stringify({ action: 'secure_page', targetURL: '/secure_page' });
    const nonce = crypto.randomBytes(16).toString('hex');

    // Ask the provider for the PAPE multi-factor policy; with an existing
    // SSO session this does not re-prompt for MFA
    passport.authenticate('oidc', {
        scope: ['openid', 'profile', 'email'],
        state: state,
        nonce: nonce,
        acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
    })(req, res);
});

But if I add the additional attribute prompt as login, it prompts the login screen and then MFA, which is not the behavior I am looking for.


// Same handler, with prompt: 'login' added to the authorization request
app.use('/auth/2fa', ensureLoggedIn, (req, res) => {
    console.log("******In MFA Page******");
    const state = JSON.stringify({ action: 'secure_page', targetURL: '/secure_page' });
    const nonce = crypto.randomBytes(16).toString('hex');

    passport.authenticate('oidc', {
        scope: ['openid', 'profile', 'email'],
        state: state,
        nonce: nonce,
        acr_values: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
        // Forces fresh credentials, so the login screen appears before MFA
        prompt: 'login'
    })(req, res);
});

1 answer

  1. Raja Pothuraju 8,095 Reputation points Microsoft Vendor
    2024-10-10T19:02:27.7533333+00:00

    Hello @Pawan Venugopal,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are looking for a solution to re-authenticate users using only MFA, without requiring both Password and MFA, for an Azure AD B2C application. You mentioned that you were able to prompt re-authentication by adding the "prompt=login" parameter in your request, even when the user had a valid session with Azure AD B2C. Please correct me if I’m wrong.

    The "prompt=login" parameter forces users to enter their credentials, bypassing single sign-on. However, this revokes both first-factor (password) and second-factor (MFA) sessions with Azure. Currently, it is not possible to achieve re-authentication with only MFA in Azure AD B2C or Microsoft Entra.

    I recommend submitting this feature request on the Microsoft Feedback Portal. It’s an excellent way to highlight the importance of this feature for your organization. You can provide details on how this change would benefit your use case, as Microsoft product engineers regularly review feedback there.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

