Azure B2C Customer Policy Login MFA implementation

Vamsi Krishna 0 Reputation points
2023-08-14T22:33:56.9833333+00:00

Add a "Remember me for 60 days" checkbox to the Azure B2C custom policy login screen, after the user has provided their user name and password and is waiting for the MFA-based OTP.

If the user selected this check box after providing the OTP, then from the next login onwards (2nd login) B2C should validate only the user credentials, not the MFA-based OTP. If the user did not select this check box, B2C should validate the MFA-based OTP as usual.

If the user selected this check box and the check box period has expired (after 60 days), it should again enforce the MFA-based OTP until the user selects the "Remember me for 60 days" check box again.

So in short, in the following login scenarios we need to trigger the issue of an OTP by email to the given email address:

The very first time a user attempts to log in with their credentials on a new browser/device

Every time the user attempts to log in with their credentials on a known device/browser where the "remember me for 60 days" feature has not been activated

Every time the user attempts to log in with their credentials on a known device/browser where an active "remember me for 60 days" feature has expired

Microsoft Entra ID

3 answers

  1. Sedat SALMAN 14,160 Reputation points MVP
    2023-08-15T10:15:39.06+00:00

    To achieve this:

    Define a custom claim in your custom policy

    <ClaimType Id="rememberMe">
        <DisplayName>Remember Me</DisplayName>
        <DataType>boolean</DataType>
        <!-- B2C has no "Checkbox" user input type; a single boolean checkbox is
             CheckboxMultiSelect with one enumeration whose Value is "true" -->
        <UserInputType>CheckboxMultiSelect</UserInputType>
        <Restriction>
            <Enumeration Text="Remember me for 60 days" Value="true" SelectByDefault="false" />
        </Restriction>
    </ClaimType>
    <ClaimType Id="rememberMeTimeStamp">
        <DisplayName>Remember Me Time Stamp</DisplayName>
        <DataType>dateTime</DataType>
    </ClaimType>
    
    

    Update the custom UI to include a "Remember me for 60 days" checkbox.

    Check whether the "Remember me" claim is set, and check the timestamp.

    <!-- B2C predicates (IsLengthRange, MatchesRegex, IncludesCharacters, IsDateRange) only
         validate user input and cannot gate an orchestration step. The "within 60 days" test
         is therefore a DateTimeComparison claims transformation: result is true when
         rememberMeTimeStamp + 5184000 s (60 days) is later than currentDateTime, a claim
         produced earlier by a GetCurrentDateTime claims transformation. -->
    <ClaimsTransformation Id="IsRememberMeWithin60Days" TransformationMethod="DateTimeComparison">
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="rememberMeTimeStamp" TransformationClaimType="firstDateTime" />
            <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="secondDateTime" />
        </InputClaims>
        <InputParameters>
            <InputParameter Id="operator" DataType="string" Value="later than" />
            <InputParameter Id="timeSpanInSeconds" DataType="int" Value="5184000" />
        </InputParameters>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="rememberMeWithin60Days" TransformationClaimType="result" />
        </OutputClaims>
    </ClaimsTransformation>
    
    
    <!-- A Precondition cannot contain SetClaims. When the box is ticked, run a technical
         profile that stamps rememberMeTimeStamp (for example via GetCurrentDateTime);
         otherwise skip the step. Only ClaimsExist and ClaimEquals precondition types exist. -->
    <OrchestrationStep Order="X" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                <Value>rememberMe</Value>
                <Value>true</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <!-- PLACEHOLDER: reference your own stamping technical profile here -->
            <ClaimsExchange Id="SetRememberMeTimeStamp" TechnicalProfileReferenceId="YOUR-STAMP-TECHNICAL-PROFILE" />
        </ClaimsExchanges>
    </OrchestrationStep>
    
    

    If the claim is set and within 60 days, skip the MFA step.

    <OrchestrationStep Order="Y" Type="ClaimsExchange">
        <Preconditions>
            <!-- A predicate cannot be used as a precondition type; test the boolean
                 produced by the IsRememberMeWithin60Days claims transformation instead.
                 An absent or false claim leaves the step (the MFA step) running. -->
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                <Value>rememberMeWithin60Days</Value>
                <Value>true</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        ...
    </OrchestrationStep>
    
    
    1 person found this answer helpful.
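    Added example (not part of Sedat's answer or of any Microsoft sample): the steps above expressed as valid Azure AD B2C custom-policy schema and wired end to end. It assumes the boolean `rememberMe` checkbox claim is declared and emitted by the sign-in self-asserted technical profile, that any stored `rememberMeTimeStamp` has already been read into the claims bag by an earlier step, and that `PhoneFactor-InputOrVerify` (the starter-pack name) is the MFA technical profile; every other claim name, technical profile id and step order is invented for this example.

```xml
<!-- Added example, not the answer's XML. Assumes: "rememberMe" is declared as a boolean
     CheckboxMultiSelect claim and output by the sign-in step; any stored stamp is already in the
     claims bag; "PhoneFactor-InputOrVerify" is your MFA profile. All other ids are made up. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="rememberMeTimeStamp"><DisplayName>Remember Me Time Stamp</DisplayName><DataType>dateTime</DataType></ClaimType>
    <ClaimType Id="currentDateTime"><DisplayName>Current UTC time</DisplayName><DataType>dateTime</DataType></ClaimType>
    <ClaimType Id="rememberMeWithin60Days"><DisplayName>Remember-me window open</DisplayName><DataType>boolean</DataType></ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Materialise "now" as a claim so it can be both stored and compared. -->
    <ClaimsTransformation Id="GetCurrentDateTime" TransformationMethod="GetCurrentDateTime">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" /></OutputClaims>
    </ClaimsTransformation>
    <ClaimsTransformation Id="CopyNowToRememberMeTimeStamp" TransformationMethod="CopyClaim">
      <InputClaims><InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="inputClaim" /></InputClaims>
      <OutputClaims><OutputClaim ClaimTypeReferenceId="rememberMeTimeStamp" TransformationClaimType="outputClaim" /></OutputClaims>
    </ClaimsTransformation>
    <!-- result = (rememberMeTimeStamp + 5184000 s, i.e. 60 days) later than currentDateTime -->
    <ClaimsTransformation Id="IsRememberMeWithin60Days" TransformationMethod="DateTimeComparison">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="rememberMeTimeStamp" TransformationClaimType="firstDateTime" />
        <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="secondDateTime" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="operator" DataType="string" Value="later than" />
        <InputParameter Id="timeSpanInSeconds" DataType="int" Value="5184000" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="rememberMeWithin60Days" TransformationClaimType="result" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Remember-me logic</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="ClaimsTransformation-EvaluateRememberMe">
        <DisplayName>Is the remembered window still open?</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims><OutputClaim ClaimTypeReferenceId="rememberMeWithin60Days" /></OutputClaims>
        <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="GetCurrentDateTime" /><OutputClaimsTransformation ReferenceId="IsRememberMeWithin60Days" /></OutputClaimsTransformations>
      </TechnicalProfile>
      <TechnicalProfile Id="ClaimsTransformation-StampRememberMe">
        <DisplayName>Record when the user opted in</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims><OutputClaim ClaimTypeReferenceId="rememberMeTimeStamp" /></OutputClaims>
        <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="GetCurrentDateTime" /><OutputClaimsTransformation ReferenceId="CopyNowToRememberMeTimeStamp" /></OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<!-- UserJourney steps placed after the sign-in step that collects rememberMe and reads the stored stamp. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <!-- DateTimeComparison throws on a null firstDateTime: skip the check when no stamp exists. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>rememberMeTimeStamp</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="EvaluateRememberMe" TechnicalProfileReferenceId="ClaimsTransformation-EvaluateRememberMe" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <!-- Absent or false keeps MFA; only an explicit true skips it. -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>rememberMeWithin60Days</Value><Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <!-- Stamp only when the box was ticked AND MFA actually ran this time, so the window
         can only be opened or extended by a fresh OTP, never by a remembered session. -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>rememberMe</Value><Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>rememberMeWithin60Days</Value><Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="StampRememberMe" TechnicalProfileReferenceId="ClaimsTransformation-StampRememberMe" />
  </ClaimsExchanges>
</OrchestrationStep>
```

    The two preconditions on the stamping step are the security-relevant part: the trust window is only ever opened or extended by a login that actually passed the OTP, and a missing or false `rememberMeWithin60Days` always falls through to MFA. What the example leaves out is persistence of `rememberMeTimeStamp` between sign-ins. If it is stored on the user object (for instance as an extension attribute written by the starter pack's AAD-UserWriteUsingObjectId profile), the stamp is per user rather than per browser or device: once the window is open, every browser skips the OTP, which is weaker than the device-bound behaviour the question asks for and than the cookie-based built-in feature James describes below.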

  2. MojiTMJ 690 Reputation points
    2023-08-15T10:23:40.7566667+00:00

    Hi Vamsi,

    To implement the "Remember me for 60 days" checkbox and the described login behavior in Azure B2C custom policies, you'll need to configure a custom policy that involves orchestration steps, technical profiles, and user journey logic. This is a somewhat complex task that requires customizing the policy XML. Below is a high-level outline of how you can achieve this:

    Custom Claim: Define a custom claim to store the "Remember me" checkbox status and the timestamp when the user last checked it.

    User Journey: Customize your user journey to include steps for the "Remember me" checkbox selection, MFA validation, and conditional validation based on the checkbox and its timestamp.

    Technical Profiles: Configure technical profiles to handle the "Remember me" logic, MFA, and conditional validation.

    User Flow: Update your user flow to include the custom logic you've defined in the custom policy.

    Please note that this is a high-level outline, and the actual implementation requires detailed understanding of Azure B2C custom policies, XML configuration, and orchestration. Writing the complete custom policy XML is beyond the scope of this response.

    Due to the complexity and the potential impact on security, it's crucial to thoroughly test your custom policy in a controlled environment before deploying it to production. Microsoft's official documentation and community resources can provide additional guidance and examples to help you create this custom policy.

    Please refer to the official Azure AD B2C documentation for comprehensive instructions on custom policies. If you encounter specific issues or need further assistance with particular parts of the policy, feel free to ask for help.


  3. James Hamil 27,191 Reputation points Microsoft Employee
    2023-08-19T01:02:06.2666667+00:00

    Hi @Vamsi Krishna, you can use the remember multi-factor authentication feature. This feature allows users to bypass subsequent MFA verifications for a specified number of days after they've successfully signed in to a device using MFA.

    To enable and configure this feature, follow these steps:

    1. In the Azure portal, search for and select Azure Active Directory, and then select Users.
    2. Select Per-user MFA.
    3. Under multi-factor authentication at the top of the page, select service settings.
    4. On the service settings page, under remember multi-factor authentication, select Allow users to remember multi-factor authentication on devices they trust.
    5. Set the number of days to allow trusted devices to bypass multi-factor authentications. In your case, set it to 60 days.
    6. Select Save.

    Please note that this feature sets a persistent cookie on the browser when a user selects the "Don't ask again for X days" option at sign-in. The user isn't prompted again for MFA from that browser until the cookie expires.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

