How to configure Azure AD B2C Custom policy for Multi-tenant with MFA (Email/Phone/Authenticator App)

Satish Rabari 0 Reputation points
2023-06-08T11:50:15.54+00:00

I am seeking assistance in creating a custom policy specifically for sign-in with multi-factor authentication (MFA) in a B2C tenant. The MFA options include email, app, or phone. However, when using email as the MFA method, the email address must not be the same as the sign-in email. For example, if the sign-in email is ******@moon.com, the MFA email must be ******@sun.com.

 All of the above work with multi-tenant and apply only to the sign-in policy.

Could you kindly provide guidance on the above request?

Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-06-13T09:46:50.86+00:00

    @Satish Rabari

    Thank you for your time and patience. Based upon your ask that the sign-in email must be different from the email used to complete MFA, I tried some customization with this sample: https://github.com/azure-ad-b2c/samples/blob/master/policies/mfa-email-or-phone/policy/SignUpOrSignin_PhoneOrEmailMFA.xml

    I found that during the OrchestrationStep "MFA with email", claims are exchanged via the technical profile EmailVerifyOnSignIn:

    <!--Sample: MFA with email-->
    <OrchestrationStep Order="11" Type="ClaimsExchange">
      <Preconditions>
        <!-- Skip this step unless extension_mfaByPhoneOrEmail equals "email" -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_mfaByPhoneOrEmail</Value>
          <Value>email</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
      </ClaimsExchanges>
    </OrchestrationStep>

    • This technical profile outputs "readOnlyEmail" with PartnerClaimType="Verified.Email", which can't be controlled via custom policy. Hence it did not let me get an OTP on another email address.
    <TechnicalProfile Id="EmailVerifyOnSignIn">
      <DisplayName>EmailVerifyOnSignIn</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <InputClaims>
        <!-- The signed-in user's address is pre-filled, read-only, and is the only address the built-in verification will send to -->
        <InputClaim ClaimTypeReferenceId="readOnlyEmail" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="readOnlyEmail" PartnerClaimType="Verified.Email" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteMFAMethod" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
    </TechnicalProfile>


    I would recommend posting this feature request on our feedback portal along with the business impact it will have. I would vote for it as well.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

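The answer above covers why the built-in Verified.Email exchange cannot be pointed at a second address. The other half of the original requirement, that whatever address is registered for MFA must not equal the sign-in address, can be enforced inside a custom policy with a CompareClaims transformation and an assertion validation profile. The fragment below is an added example, not code from the original post or from the azure-ad-b2c/samples repository. It assumes the sign-in address is in the built-in `email` claim and that the MFA address is collected into a custom claim named `extension_mfaEmail`; the claim, transformation and technical-profile IDs are invented for this example. It does not change where the OTP is delivered, only whether the collected address is accepted.

```xml
<!-- Added example: reject an MFA email address that matches the sign-in email.
     Assumptions (not from the page): sign-in address in the "email" claim,
     MFA address collected into "extension_mfaEmail"; all IDs below are invented. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_mfaEmail">
      <DisplayName>MFA email address</DisplayName>
      <DataType>string</DataType>
      <UserInputType>EmailBox</UserInputType>
    </ClaimType>
    <ClaimType Id="isMfaEmailSameAsSignInEmail">
      <DisplayName>MFA email equals sign-in email</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>

  <ClaimsTransformations>
    <!-- Case-insensitive string comparison of the two addresses -->
    <ClaimsTransformation Id="CompareMfaEmailToSignInEmail" TransformationMethod="CompareClaims">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="extension_mfaEmail" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="operator" DataType="string" Value="EQUAL" />
        <InputParameter Id="ignoreCase" DataType="string" Value="true" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isMfaEmailSameAsSignInEmail" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
    <!-- Fails the validation profile unless the comparison result is false -->
    <ClaimsTransformation Id="AssertMfaEmailDiffers" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="isMfaEmailSameAsSignInEmail" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>MFA email policy checks</DisplayName>
    <TechnicalProfiles>
      <!-- Validation technical profile: runs both transformations and surfaces the
           metadata message to the user when the assertion fails -->
      <TechnicalProfile Id="ClaimsTransformation-AssertMfaEmailDiffers">
        <DisplayName>Assert MFA email differs from sign-in email</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">The MFA email address must be different from your sign-in email address.</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="email" />
          <InputClaim ClaimTypeReferenceId="extension_mfaEmail" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="isMfaEmailSameAsSignInEmail" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CompareMfaEmailToSignInEmail" />
          <OutputClaimsTransformation ReferenceId="AssertMfaEmailDiffers" />
        </OutputClaimsTransformations>
      </TechnicalProfile>

      <!-- Self-asserted page that collects the MFA address; the page is re-shown with
           the message above if the validation profile's assertion fails -->
      <TechnicalProfile Id="SelfAsserted-MfaEmailCollect">
        <DisplayName>Collect MFA email address</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
        </Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_mfaEmail" Required="true" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertMfaEmailDiffers" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Reference SelfAsserted-MfaEmailCollect from a ClaimsExchange orchestration step, gated by the same kind of ClaimEquals precondition shown in the answer, so it only runs when the user has chosen email as the MFA method. One caveat worth noting: CompareClaims with ignoreCase treats the addresses as strings, so plus-addressed or dotted aliases of the same mailbox pass as "different"; if the requirement is a different mailbox rather than a different string, normalize both claims (for example with a StringCase or regex-based transformation) before the comparison.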
