Can I invoke an Azure B2C custom policy with MFA without redirecting to a browser to complete login?

Roei 51 Reputation points
2022-10-17T18:26:23.467+00:00

We are trying to use Azure B2C to initiate login flows from our native mobile app without redirecting users to a browser to complete the login flow.

We understand that generally the built-in User Flows will all open a browser window on the device and then redirect users back to the app after the login is complete, and this seems to be the case with the IEF Custom Policies as well.

We decided to use the ROPC flow in order to have an endpoint which our native mobile app can call to receive the access token; however, we want MFA to be part of the login flow, and it seems, based on Microsoft's documentation, that the ROPC flow is not compatible with MFA.

Is there a way to create a custom IEF policy in Azure B2C which will not redirect the user to a browser to complete the login but will also allow us to have MFA as part of the user journey?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Shweta Mathur 30,301 Reputation points Microsoft Employee Moderator
    2022-10-28T12:27:57.14+00:00

    Hi @Roei ,

    Thanks for reaching out, and apologies for the delay in response.

    Azure AD B2C introduced the client credential flow, which is currently in public preview and can be used to authenticate without user interaction, but MFA requires human interaction, and it is not possible to authenticate with MFA without user interaction.
    Human authentication requires a browser surface to initiate/conduct the interaction between the token issuer (B2C here) and the human.

    ROPC is the only flow not using the browser, and hence it is not possible to implement MFA without a redirect to the browser.

    Hope this will help.

    Thanks,
    Shweta

    --------------------------------------

    Please remember to "Accept Answer" if the answer helped you.
