How to add a custom button to totp page in Azure B2C custom policy flow?

Vadim Kh 0 Reputation points
2023-05-13T19:07:24.22+00:00

I had a requirement to have an optional MFA setup for the user, and I need to offer the user the option to skip the MFA setup. It will be based on an interval: for example, at sign-in every 10 days the user will see an MFA setup page and will have two options, enable it or skip it.

I am using a Custom Policy with MFA. It works fine, but in some cases it needs such a fancy combination: it will be based on the user's custom attribute; if it is allowed then the user can skip, else he should set up MFA.

Thanks.


1 answer

  1. Shweta Mathur 29,006 Reputation points Microsoft Employee
    2023-05-16T06:05:52.66+00:00

    Hi @Vadim Kh ,

    Thanks for reaching out.

    I understand you are trying to set up conditional MFA setup for users, with the option to skip MFA based on a custom attribute.

    You first need to create a custom attribute for users that indicates whether they are allowed to skip MFA setup.

    Add a claims transformation to check the user's custom attribute.

    <ClaimsTransformation Id="CheckMFAAllowance" TransformationMethod="CompareClaimValue">
      <InputClaims>
        <!-- CompareClaimValue reads its input through the transformation claim type inputClaim1 -->
        <InputClaim ClaimTypeReferenceId="extension_MFAAllowance" TransformationClaimType="inputClaim1" />
      </InputClaims>
      <InputParameters>
        <!-- operator is required: EQUAL or NOT EQUAL -->
        <InputParameter Id="operator" DataType="string" Value="EQUAL" />
        <InputParameter Id="compareTo" DataType="string" Value="allow" />
        <!-- optional; makes "Allow" and "allow" compare equal -->
        <InputParameter Id="ignoreCase" DataType="string" Value="true" />
      </InputParameters>
      <OutputClaims>
        <!-- compareResult is a boolean: true only when the attribute equals "allow" -->
        <OutputClaim ClaimTypeReferenceId="extension_MFAAllowed" TransformationClaimType="compareResult" />
      </OutputClaims>
    </ClaimsTransformation>

    If the attribute value is set to "allow", the policy should skip the MFA setup page and allow the user to sign in without MFA. If the attribute value is not set to "allow", the policy should require the user to complete MFA setup before allowing sign-in.

    Based on this custom attribute value, you can use a precondition on the orchestration step in your user journey to skip the MFA step.

    <!-- Order="N" is a placeholder: use this step's position in your user journey -->
    <OrchestrationStep Order="N" Type="ClaimsExchange">
      <Preconditions>
        <!-- Compare the boolean result against True. ClaimsExist would skip the step whenever the
             claim is present, and a CompareClaimValue output is always present (true or false). -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>extension_MFAAllowed</Value>
          <Value>True</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
      </ClaimsExchanges>
    </OrchestrationStep>

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
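As an added example (not code from the answer above or from Microsoft's starter pack), here is how the check fits into a custom policy end to end: the two claim types, a claims-transformation technical profile that runs CheckMFAAllowance, and the user-journey steps that read the user, evaluate the attribute, and gate the MFA setup step. The technical profile Id and the Order values are hypothetical; AAD-UserReadUsingObjectId is the starter-pack read profile and SelfAsserted-Select-MFA-Method is the step referenced in the answer.

```xml
<!-- Claim types used by the check (extension_ prefix marks a directory extension attribute) -->
<ClaimsSchema>
  <ClaimType Id="extension_MFAAllowance"><DisplayName>MFA allowance</DisplayName><DataType>string</DataType></ClaimType>
  <ClaimType Id="extension_MFAAllowed"><DisplayName>MFA setup may be skipped</DisplayName><DataType>boolean</DataType></ClaimType>
</ClaimsSchema>

<!-- Technical profile that only runs the transformation (Id is hypothetical) -->
<TechnicalProfile Id="ClaimsTransformation-CheckMFAAllowance">
  <DisplayName>Evaluate whether the user may skip MFA setup</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_MFAAllowed" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <!-- CheckMFAAllowance is the CompareClaimValue transformation shown in the answer -->
    <OutputClaimsTransformation ReferenceId="CheckMFAAllowance" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- Journey steps after the user has signed in; Order values are placeholders for your journey -->
<!-- 1. Read the user so extension_MFAAllowance is in the claims bag (the starter-pack
        AAD-UserReadUsingObjectId profile needs an OutputClaim for it) -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- 2. Evaluate the attribute -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckMFAAllowanceExchange" TechnicalProfileReferenceId="ClaimsTransformation-CheckMFAAllowance" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- 3. Offer MFA setup unless the check returned True; a missing or any other value still enforces it -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_MFAAllowed</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The ordering matters: the read step must run before the evaluation step, and because compareResult is false for any value other than "allow" (including no attribute at all), the policy fails closed and still requires MFA setup by default.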