Hello Edgar Rocha,
This is expected behavior in Azure AD B2C when SMS MFA is enabled.
In B2C, the SMS is sent before Conditional Access is checked, so it can still be billed even if access is blocked later. Also, hiding the sign-up link (setting.showSignupLink = false) only changes what users see. The sign-up technical profiles were still reachable, which is how automated requests were able to create users.
What you’ve done with Front Door and Cloudflare is the right long-term approach. To prevent this going forward:
- Keep Front Door / Cloudflare with bot protection and rate limiting
- Remove the sign-up technical profiles and related steps from the custom policy (not just the UI link)
- Avoid SMS where possible and use Email OTP or an authenticator app
- Add CAPTCHA if sign-up is ever enabled again
To confirm the fix, try signing in using the same policy URL with an email that doesn’t exist. The sign-in should fail and no new user should be created.
For the refund, I’ve shared the steps with you in a private message on how to create a support ticket with the Billing team, who will handle that separately.
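As an added illustration (example configuration written for this page, not part of the answer above and not a verbatim copy of Microsoft's starter pack): a trimmed Azure AD B2C custom-policy fragment showing why `setting.showSignupLink = false` is only cosmetic, beside a sign-in-only user journey with the sign-up step removed. The journey and technical-profile Ids follow the starter-pack naming (`SignUpOrSignIn`, `SelfAsserted-LocalAccountSignin-Email`, `LocalAccountSignUpWithLogonEmail`, `AAD-UserReadUsingObjectId`, `JwtIssuer`); treat them as assumptions to map onto your own TrustFrameworkExtensions file.

```xml
<!-- BEFORE: link hidden, but the journey can still create users.
     setting.showSignupLink only affects the rendered sign-in page. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <Metadata>
    <!-- UI-only: removes the "Sign up now" link, nothing else -->
    <Item Key="setting.showSignupLink">false</Item>
  </Metadata>
</TechnicalProfile>

<UserJourney Id="SignUpOrSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
                       ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange"
                        TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2 is the sign-up path. It is skipped only when step 1 already
         produced an objectId (an existing user signed in). A request that
         drives the policy engine into this claims exchange still creates
         a local account, link or no link. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange"
                        TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId"
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

<!-- AFTER: sign-in only. The sign-up claims exchange is gone, so no step in
     this journey references a technical profile that writes a new user.
     Remaining steps are renumbered; Order values must stay contiguous.
     (Journey Id "SignInOnly" is an assumed name for this example.) -->
<UserJourney Id="SignInOnly">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
                       ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange"
                        TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- No sign-up step here: a non-existent email cannot proceed past step 1,
         because nothing in the journey creates the account. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId"
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

Point the relying-party policy's `DefaultUserJourney` at the sign-in-only journey and upload it; then repeat the check from the answer (sign in with an email that does not exist and confirm no user appears). Any other relying-party policy you have uploaded that still defaults to a journey containing a sign-up claims exchange remains a live entry point, so review every uploaded RP file, not just the one behind the affected URL. To see whether creations have actually stopped, list users in the tenant filtered on `createdDateTime` after the deployment time and expect the result to be empty.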