
Reset MFA method on Custom B2C Template Phone/Email

Leonardo A. Barbastefano 21 Reputation points
Nov 18, 2022, 10:34 AM

Hi All,

I used the template

"A B2C IEF Custom Policy - Sign in with MFA method choice (Phone/Email)"
https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-email-or-phone#a-b2c-ief-custom-policy---sign-in-with-mfa-method-choice-phoneemail

to enable Phone/Email MFA on my authentication flow and it worked fine.

But I am having a problem resetting the MFA method. Let's say that john@company.com picks phone MFA on his first login and, after a couple of weeks, wants to change to email MFA.

So I tried to use "Require re-register multifactor authentication" in the Azure portal, as in the image below, but it did not reset.


Does anybody know how do I achieve this MFA reset when using "A B2C IEF Custom Policy - Sign in with MFA method choice (Phone/Email)"?


2 answers

  1. James Hamil 25,636 Reputation points Microsoft Employee
    Nov 22, 2022, 11:11 PM

    Hi @Leonardo A. Barbastefano , I believe this thread details the same issue you're having. Jas does a good job explaining the solution:

    Add extension_mfaByPhoneOrEmail as an output claim in your profile edit technical profile. The starter pack uses the technical profile called SelfAsserted-ProfileUpdate.

    https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml#L909

    Then save the attribute to the directory by adding extension_mfaByPhoneOrEmail as a persisted claim to technical profile AAD-UserWriteProfileUsingObjectId.

    https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml#L796

    You can read about output claims for SelfAsserted technical profiles here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/self-asserted-technical-profile#output-claims

    You can read about persisting data to the directory using the Azure AD technical profiles here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile

    Please let me know if this helps or if you have any questions!

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,
    James

    1 person found this answer helpful.
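    The two changes described in the answer above, written out as an added illustration that is not from the thread, the MFA sample or the starter pack. The Identity Experience Framework merges a TechnicalProfile that reuses an existing Id onto the base definition, so an override in TrustFrameworkExtensions.xml only has to list the claims being added. It assumes the extension_mfaByPhoneOrEmail ClaimType and the b2c-extensions-app settings in AAD-Common are already in place from the MFA sample; the read-back override at the end is an optional addition of mine, not something the answer calls for.

```xml
<!-- Fragment for the <ClaimsProviders> section of TrustFrameworkExtensions.xml (added example) -->
<ClaimsProviders>

  <!-- 1. Profile edit page: let the user pick the MFA method again.
       Overrides the starter-pack SelfAsserted-ProfileUpdate profile by Id. -->
  <ClaimsProvider>
    <DisplayName>Self Asserted</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SelfAsserted-ProfileUpdate">
        <OutputClaims>
          <!-- Claim type is assumed to be defined by the MFA sample -->
          <OutputClaim ClaimTypeReferenceId="extension_mfaByPhoneOrEmail" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <!-- 2. Directory write: persist the new choice on the user object so the
       next sign-in journey reads the updated preference. -->
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_mfaByPhoneOrEmail" />
        </PersistedClaims>
      </TechnicalProfile>

      <!-- Optional (my addition): read the stored value back so the profile
           edit page is pre-filled with the user's current selection. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_mfaByPhoneOrEmail" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

</ClaimsProviders>
```

    After uploading the extensions file, run the profile edit policy for a test user and confirm the new value appears on the user's extension attribute before relying on it in the sign-in journey.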

