How to implement per-user MFA on Azure AD B2C

Andrew Rajcoomar 0 Reputation points
2023-09-27T12:24:18.3933333+00:00

I am trying to implement per-user MFA on Azure AD B2C so we can support a segment of our external customers with MFA offered as an option. I have successfully tested MFA when it's on at the user-flow (policy) level (for all users). However, when I enable it at a per-user level, I get an error "Invalid username or password" using the same test account I previously tested MFA ON/OFF with. Below are my test cases and results - the last test case may be unnecessary but I added it to show that regardless of the state of MFA at the user flow level, if it's enabled per-user, I get the error message.

[Image: table of test cases and results, not reproduced here]

I reviewed the "Sign-in logs" and ran a diagnosis on one of the failed attempts and got this back... which doesn't make sense, because when I click on the link I see valid sign-in methods and my default, which is my phone.

"Based on the information you provided the user [redacted] was trying to sign into CPIM PowerShell Client but the user sign-in was interrupted for required setup of Multi-Factor Authentication (MFA).

This can happen when the user is required to set MFA up for the first time or when an admin has set their account to require a new proofup for some reason.

This interrupt can be avoided next time by having the user finish the MFA setup (also known as "proofup"). If the user has not finished the MFA setup you can direct them to https://mysignins.microsoft.com/security-info. This means the user would simply configure and verify the additional authentication methods for MFA. For example, if using the Microsoft Authenticator App, the user can use the scan QR Code or use the code & url provided to add a sign-in method.

After proofup is done the user will be able to sign-in for the application they were trying to use."

Tags: Microsoft Security / Microsoft Entra / Microsoft Entra External ID; Microsoft Security / Microsoft Entra / Other

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2024-01-16T22:25:35.4266667+00:00

    Hello @Andrew Rajcoomar, per-user MFA does not apply to Azure AD B2C consumer accounts, only to work accounts. If you want to enable MFA for consumer accounts, you have to do it through User Flows or Custom Policies and/or Conditional Access.

    For more information take a look at Enable multifactor authentication in Azure Active Directory B2C.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

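To make the answer's advice concrete, here is an added example (not code from the thread, from Microsoft, or from the answerer) that expresses "MFA for a segment of customers" as a Conditional Access policy instead of the per-user MFA toggle. It assumes the Microsoft Graph resource `POST /identity/conditionalAccess/policies` with the payload shape shown (displayName, state, conditions.users, grantControls), a B2C user flow with conditional access enforcement turned on, and two placeholder group object ids: one for the customer segment that should get MFA and one for a break-glass account that must never be locked out. The script builds the policy offline, validates it against a few lockout and coverage checks, and evaluates which users it would actually challenge, so the "does this target the right people?" question is answered before anything is deployed.

```python
"""Added example: model a B2C Conditional Access MFA policy for a customer segment.

Assumptions (not from the original thread):
- Graph payload shape for /identity/conditionalAccess/policies as built below.
- Group ids are placeholders; replace with real object ids before use.
"""
import json

# Placeholder group object ids (constructed, not real tenant values).
MFA_CUSTOMERS_GROUP = "00000000-0000-0000-0000-00000000mfa1"
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-0000000break"

# Graph 'state' values: enabled, disabled, enabledForReportingButNotEnforced.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_mfa_policy(include_group: str, exclude_group: str,
                     state: str = REPORT_ONLY) -> dict:
    """Build the policy body: require MFA for members of include_group on
    every application, excluding exclude_group so break-glass sign-ins
    are never interrupted. Starts in report-only mode by default."""
    return {
        "displayName": "B2C: require MFA for opted-in customer segment",
        "state": state,
        "conditions": {
            "users": {
                "includeGroups": [include_group],
                "excludeGroups": [exclude_group],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate_policy(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means the policy is sane."""
    problems = []
    users = policy["conditions"]["users"]
    controls = policy["grantControls"]["builtInControls"]
    targets_someone = users.get("includeGroups") or users.get("includeUsers")
    if not targets_someone:
        problems.append("policy targets nobody (no includeGroups/includeUsers)")
    if "All" in users.get("includeUsers", []) and not users.get("excludeGroups"):
        problems.append("applies to all users with no break-glass exclusion")
    if "mfa" not in controls:
        problems.append("grant control does not require MFA")
    if policy["state"] == "enabled" and not users.get("excludeGroups"):
        problems.append("enforced policy without an excluded emergency group")
    return problems


def mfa_required_for(policy: dict, user_groups: set[str]) -> bool:
    """Would this policy challenge a user who is a member of user_groups?
    Exclusions win over inclusions, as in Conditional Access evaluation."""
    users = policy["conditions"]["users"]
    if user_groups & set(users.get("excludeGroups", [])):
        return False
    if "All" in users.get("includeUsers", []):
        return True
    return bool(user_groups & set(users.get("includeGroups", [])))


def policy_json(policy: dict) -> str:
    """Serialize the body as it would be posted to Graph."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_mfa_policy(MFA_CUSTOMERS_GROUP, BREAK_GLASS_GROUP)
    print(policy_json(policy))
    print("problems:", validate_policy(policy) or "none")
    # Constructed sample memberships for three users.
    for name, groups in [("opted-in customer", {MFA_CUSTOMERS_GROUP}),
                         ("ordinary customer", set()),
                         ("break-glass operator", {MFA_CUSTOMERS_GROUP, BREAK_GLASS_GROUP})]:
        print(f"{name}: MFA required = {mfa_required_for(policy, groups)}")
```

Starting in report-only mode lets the sign-in logs show who would have been challenged before the policy is switched to `enabled`, which is the same log view the question author was already reading.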
