Email MFA for specific users in AD B2C

Rets 21 Reputation points
2024-02-22T11:49:31.75+00:00

Hi, We want to implement email MFA for some users in our AD B2C, based on the flag in our database. Currently, we are using custom policies and have a P2 license. Could you provide an example for this scenario, if you have one available?


1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-02-22T19:39:54.0433333+00:00

    Hi @Rets, you can use a combination of Azure AD B2C custom policies and Azure Functions. Here's an example of how you can do it:

    1. Create an Azure Function that sends an email with a verification code to the user's email address. You can use SendGrid or any other email service for this.
    2. In your AD B2C custom policy, add a new claims provider that calls the Azure Function to send the email with the verification code.
    3. Add a new technical profile that prompts the user to enter the verification code sent to their email address.
    4. Add a validation technical profile that validates the verification code entered by the user.
    5. In your AD B2C custom policy, add a new orchestration step that checks the flag in your database to determine whether to use email MFA or another MFA method.
    6. If the flag is set to use email MFA, call the claims provider and technical profiles you created in steps 2-4.
    7. If the flag is not set to use email MFA, call the other MFA method you want to use.

    Here's an example of what the technical profile for sending the email with the verification code might look like:

    <TechnicalProfile Id="SendEmail">
      <DisplayName>Send email</DisplayName>
      <!-- REST API calls (including Azure Functions) use the RestfulProvider handler -->
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://yourfunctionapp.azurewebsites.net/api/sendemail</Item>
        <Item Key="SendTimeoutInSeconds">30</Item>
        <!-- Basic auth requires the username/password policy keys referenced below -->
        <Item Key="AuthenticationType">Basic</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_FunctionAppUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_FunctionAppPassword" />
      </CryptographicKeys>
      <InputClaims>
        <!-- claims sent as JSON in the request body; PartnerClaimType renames the JSON key -->
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <InputClaim ClaimTypeReferenceId="verificationCode" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="emailSent" DefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>
    

    In this example, the technical profile uses the Azure Function protocol provider to call an Azure Function that sends an email with the verification code to the user's email address. The ServiceUrl metadata item specifies the URL of the Azure Function, and the InputClaims section specifies the email address and verification code to be sent in the email. The OutputClaims section specifies that the emailSent claim should be set to true after the email is sent. Please let me know if you have any questions and I can help you further. If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

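The two Azure Function endpoints from steps 1 and 4 of the answer above, as an added example that is not part of the original answer: the function generates the code itself (instead of receiving it as an input claim), returns an HMAC-bound token that the policy carries in its claims bag, and the validate endpoint answers with the HTTP 409 `userMessage` shape that a B2C validation technical profile shows to the user. The `send_mail` callback, `codeToken` claim name and the demo secret are assumptions; the HTTP framing (Azure Functions bindings) is left out.

```python
import hmac
import hashlib
import secrets
import time

# Constructed demo secret: a real deployment reads it from Key Vault / app settings.
SERVER_SECRET = b"demo-secret-do-not-use"
CODE_TTL_SECONDS = 300

def _mac(email, code, expires):
    # Bind code, normalised e-mail and expiry together so none can be swapped.
    msg = f"{email.strip().lower()}|{code}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_code(email, now=None):
    now = int(time.time()) if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
    expires = now + CODE_TTL_SECONDS
    return code, f"{expires}.{_mac(email, code, expires)}"

def handle_send(body, send_mail, now=None):
    # body is the JSON B2C posts (input claims); returns (HTTP status, JSON body).
    email = body["email"]
    code, token = issue_code(email, now)
    send_mail(email, code)                     # only the code goes to the user
    # JSON keys become output claims; codeToken stays server-side in the claims bag.
    return 200, {"emailSent": True, "codeToken": token}

def _reject(message):
    # A 409 with this body makes B2C stay on the page and display userMessage.
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}

def handle_validate(body, now=None):
    now = int(time.time()) if now is None else now
    email = body["email"]
    code = body.get("verificationCode", "")
    token = body.get("codeToken", "")
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return _reject("Verification token is malformed.")
    if now > expires:
        return _reject("Verification code has expired.")
    # Constant-time comparison of the recomputed MAC against the stored one.
    if not hmac.compare_digest(mac, _mac(email, code, expires)):
        return _reject("Verification code is incorrect.")
    return 200, {"emailVerified": True}
```

Because the token is a MAC rather than a stored record, no state is needed between the two calls; limiting retries per token is left to B2C's built-in throttling or a counter you add.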
