Azure AD B2C MFA saves phone number with incorrect format (without space)

Question

Azure AD B2C MFA saves phone number with incorrect format (without space)

s k 11

Currently we trying to reset MFA in Azure B2C through Microsoft Graph API. The idea is to delete existing phone number in authentication methods, that at the next login user would be prompt for provide new one. We are using standard built-in user-flows for user login / registration.

The problem is that B2C during MFA registration stores phone number in authentication methods without space between country prefix and phone number (so in Azure Portal it’s +11112223333, and should be +1 1112223333). MFA works fine, but because of this:

we are not able to query for phone number with Graph Api (https://learn.microsoft.com/en-us/graph/api/authentication-list-phonemethods?view=graph-rest-beta&tabs=http ) – GET returns empty array;
we are not able to delete phone number with Graph Api (https://learn.microsoft.com/en-us/graph/api/phoneauthenticationmethod-delete?view=graph-rest-beta&tabs=http) – DELETE returns 404;

One workaround is POST new fake number with correct format through Graph Api and then delete it. Do you know is there better way to reset MFA or force B2C MFA to store phone number in correct format?

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2021-03-10T23:47:51.237+00:00

Hi, we are investigating your issue and will update you shortly.

Best,
James
Anonymous

2022-08-17T14:28:38.623+00:00

Is there any update on this? We are experiencing the same issue.
Anonymous

2022-08-17T14:29:09.717+00:00

@Chad Hasbrook
Tomas Salim 6 Reputation points

2022-11-03T20:09:01.553+00:00

Is there any update about this? Any ticket we can track?
apparao 6 Reputation points

2022-11-04T09:20:16.253+00:00

Hi All,

I am unable to save the MFA phone number without space in azure portal via custom policy ,can anyone provide the update on this ?
Martín Fernández 6 Reputation points

2022-12-20T14:47:56.443+00:00

I don't think that the space is related to this problem. I was able to hardcode a phone number when persisting it to the strongAuthenticationPhoneNumber attribute and it doesn't show up in the API either way.
AdamKozmic-7665 60 Reputation points

2023-08-29T19:32:16.1233333+00:00
Still seeing same behavior. I worked around the phone number missing the space in a convoluted way with a series of claims transformations that put the "space" back in between the countryCode and number because I thought that would fix it. Unfortunately, It looks like the strongAuthenticationPhoneNumber is saved off to the authentication methods in some weird "half-baked" state where its not enabled for signin, even with the space.

After the claim persists, it shows up in the user's Auth Methods page but with a blue box that says "This phone number can be used as a username to sign in. A text message will be sent for verification during sign-in." with a little "Enable" link. If you try to call the Graph API to retrieve the user's auth methods, it does not show up in the results.

However, if you click the "Enable" link in the UI, the blue box goes away and then the phone factor starts showing up in the API and all API methods work with it.

If you start in the UI and just enter a net-new phone number, you are forced to add a space between the country code and the national number via UI validation, and there is never a blue box, and it will show up in the API immediately like so:

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('#REDACTED#')/authentication/phoneMethods", "value": [ { "id": "3179e48a-750b-4051-897c-87b9720928f7", "phoneNumber": "#REDACTED#", "phoneType": "mobile", "smsSignInState": "notAllowedByPolicy" } ] }

As of right now I have no workaround for how to obtain the users strongAuthenticationPhoneNumber via the API after being set via a custom policy.
Ana Stanciu 10 Reputation points

2024-05-14T14:32:32.43+00:00

I did the same, worked with claim transformation to insert the "space" and it did NOT solve the issue with MS Graph. Is this issue going to be fixed?

2 answers

Your answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2021-03-10T23:47:51.237+00:00

Hi, we are investigating your issue and will update you shortly.

Best,
James
Anonymous

2022-08-17T14:28:38.623+00:00

Is there any update on this? We are experiencing the same issue.
Tomas Salim 6 Reputation points

2022-11-03T20:09:01.553+00:00

Is there any update about this? Any ticket we can track?
apparao 6 Reputation points

2022-11-04T09:20:16.253+00:00

Hi All,

I am unable to save the MFA phone number without space in azure portal via custom policy ,can anyone provide the update on this ?
Martín Fernández 6 Reputation points

2022-12-20T14:47:56.443+00:00

I don't think that the space is related to this problem. I was able to hardcode a phone number when persisting it to the strongAuthenticationPhoneNumber attribute and it doesn't show up in the API either way.
AdamKozmic-7665 60 Reputation points

2023-08-29T19:32:16.1233333+00:00

Still seeing same behavior. I worked around the phone number missing the space in a convoluted way with a series of claims transformations that put the "space" back in between the countryCode and number because I thought that would fix it. Unfortunately, It looks like the strongAuthenticationPhoneNumber is saved off to the authentication methods in some weird "half-baked" state where its not enabled for signin, even with the space.

After the claim persists, it shows up in the user's Auth Methods page but with a blue box that says "This phone number can be used as a username to sign in. A text message will be sent for verification during sign-in." with a little "Enable" link. If you try to call the Graph API to retrieve the user's auth methods, it does not show up in the results.

However, if you click the "Enable" link in the UI, the blue box goes away and then the phone factor starts showing up in the API and all API methods work with it.

If you start in the UI and just enter a net-new phone number, you are forced to add a space between the country code and the national number via UI validation, and there is never a blue box, and it will show up in the API immediately like so:

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('#REDACTED#')/authentication/phoneMethods", "value": [ { "id": "3179e48a-750b-4051-897c-87b9720928f7", "phoneNumber": "#REDACTED#", "phoneType": "mobile", "smsSignInState": "notAllowedByPolicy" } ] }

As of right now I have no workaround for how to obtain the users strongAuthenticationPhoneNumber via the API after being set via a custom policy.
Ana Stanciu 10 Reputation points

2024-05-14T14:32:32.43+00:00

I did the same, worked with claim transformation to insert the "space" and it did NOT solve the issue with MS Graph. Is this issue going to be fixed?

Answer 1

Dallas Lopez 5

This is still a known issue at Microsoft. I put in a ticket with them and they replied, stating that is a known bug with no timeline on a fix. This could have changed since I last spoke with them...

In IEF, how I'm handling a workaround is with the following:

First, write the user to the user to b2c, so that I have an object ID to work with. Then, create an app service (function in my case) with a restful endpoint. Pass the phone number - with proper formatting - and object ID to that restful endpoint using a rest technical profile. From there, make a graph call using the objectID for the user to the authenticationMethods and set the phone number there.

This is the high level approach that has worked for me so far.

Stephen Aitchison 0 Reputation points

2025-01-15T21:12:32.6133333+00:00

Hi there,

We have implemented a similar set of common functionality provided by a Function App in Azure - that will perform the Phone MFA by add, update or delete features as required by the user/auth flows.

This makes sure it's available and in the correct format as required.
Divyjot Minhas 5 Reputation points

2025-01-16T14:19:03.02+00:00

Hi Dallas,

Thanks for the reply. When you say "Pass the phone number" - How are you querying it ? As with this incorrectly formatted phone number can't be queried using Graph, are there any alternate methods that you're querying it using? Or is this process happening right at the signup and you're passing the phone number along to the Function app right then and there.

This is a problem I've been facing for more than month now and Azure support isn't great and I'd like to retroactively fix our user base, but not sure that's possible at the moment. Thanks!

Answer 2

James Hamil 27,221 Microsoft Employee Moderator

Hi @s k , we have an issue ticket raised for this that we are working on. When it is finished we will let you know, hopefuly soon!

Best,
James

LO-atlas 1 Reputation point

2022-07-06T22:00:17.967+00:00

@James Hamil do you have any status updates o that ticket or anynwhere we can track it?
Sam Mooney 1 Reputation point

2022-07-26T15:52:55.557+00:00

Is there an update on the status? I've been looking but unable to find anything. If there is a link to the ticket or a way we can follow the status, please let us know. Thx - Sam
apparao 6 Reputation points

2022-11-04T09:20:06.997+00:00

Hi All,

I am unable to save the MFA phone number without space in azure portal via custom policy ,can anyone provide the update on this ?
Stephen Aitchison 0 Reputation points

2023-05-03T22:32:18.1966667+00:00

Hi @James Hamil - or anyone at MS - any update on how to resolve this? I'm getting this from the ConvertStringToPhoneNumberClaim Claim Transformation method, to convert country code and number to a 'phoneNumber' Claim Type - which has no space in the phone number. However interacting with this using Graph API (i.e. from a managed/support bespoke portal) this causes formatting issues, and needs a space between Country Code and Phone number. Seems like a disconnect from the IEF Development Team and the Azure AD / B2C portal Development team?
Divyjot Minhas 5 Reputation points

2024-12-18T17:54:45.9466667+00:00

Hi James. By any remote chance that you see this - Was there ever a workaround given for this? This still seems to be an issue 3 and a half years later and I can't find a way of querying these phone numbers.Thanks.

Share via

Azure AD B2C MFA saves phone number with incorrect format (without space)

2 answers

Your answer