Restrict Authentication Method Used by B2C users

Question

Restrict Authentication Method Used by B2C users

Ray 0 Microsoft Employee

Customer is leveraging Entra ID B2C feature and want to enforce MFA when users connect to the VPN. Customer wants that when doing MFA, only internal users can be able to use Microsoft Authenticator as 2nd factor, for external users, only SMS will be possible. Is it possible to block external users for adding sign-in methods (for example from https://aka.ms/mysecurityinfo) so that only the allowed methods required by the customer can be used? I'm looking for some recommendations and best practices to achieve that.

2 answers

Your answer

Answer 1

Marilee Turscak-MSFT 37,206 Microsoft Employee Moderator

Hi @Ray ,

You can leverage Conditional Access to enforce Authenticator for some users and SMS for others. https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-user-flow#verification-methods

The B2C MFA methods need to be configured via custom policy and you need to use the TOTP custom policy to implement the Authenticator app for customers. https://github.com/azure-ad-b2c/samples/tree/master/policies/totp

(See also the example [here]

(https://stackoverflow.com/questions/76040239/allowing-multiple-user-selectable-mfa-registration-methods-with-azure-ad-b2c-us).)

Ray 0 Reputation points Microsoft Employee

2024-03-06T23:28:53.0966667+00:00

Hi @Marilee Turscak-MSFT ,

Thanks for the update. As mentioned in my below comment, customer says that they could not leverage user flow / custom policy for the target app (Pulse Secure PCS). However they still want to block external user identities in the B2C tenant from adding their own authentication methods (Authenticator App in this case), will it be possible?

Customer has already configured MFA with authenticator app installed on a corporate managed phone, and wants that the number matching only be performed against the corporate phone (external users shouldn't be able to install authenticator on their personal devices to bypass this security control)

Answer 2

Pinaki Ghatak 5,600 Microsoft Employee Volunteer Moderator

Hello Ray

Enforcing MFA for VPN Users:

Microsoft Entra ID integrates directly with VPNs to enable multi-factor authentication (MFA), adding a second layer of security to sign-up and sign-in experiences.

You can configure MFA on a per-user basis or leverage MFA via Conditional Access.

Restricting Authentication Methods in B2C:

Azure Active Directory B2C (Azure AD B2C) offers multiple methods for multi-factor authentication, including email, SMS, phone call, and authenticator app. However, it seems there's no direct way to restrict users from adding specific sign-in methods. You might need to handle this from the application side or use custom policies.

Blocking External Users from Adding Sign-In Methods:

There's no direct method to restrict users from adding private accounts. However, you can try disabling the access to add accounts after the user adds the work accounts. Another approach is to limit the number of accounts that a user can add in the client app.

Best Practices for MFA I'd suggest:

Focus on Ease of Use: Make sure the MFA process is user-friendly.
Utilize Variety of Authentication Factors: Integrate OTPs, biometric methods, and magic links into your MFA flow.
Educate Users on Multi-factor Authentication: Make sure your team understands that MFA is there to support them and protect their accounts.
Use Multi-factor Authentication Across Organization: Apply MFA across all business applications, systems, networks, and processes.

I hope this helps.

Ray 0 Reputation points Microsoft Employee

2024-03-06T23:12:23.7266667+00:00

Hi @Pinaki Ghatak ,

Thanks a lot for taking time providing clarities on this matter.

The specific case that the customer has is as below:

Customer has an AAD B2C tenant and created external user accounts. These external users accounts are MFA enabled with Authenticator app. The authenticator App is installed on a corporate managed phone, and then customer gives the account to external users.

Their VPN application (Pulse Secure PCS, from Azure Market Place) is not web based and customer says that they could not use User flow to configure MFA settings.

What customer wants to achieve is that: When external user tries to connect to the VPN application to access customer's internal applications, external users will need to call the customer's team to get the code displayed on the corporate managed phone where the Authenticator App is installed - and then connect to the VPN. Customer does not want external users to be able to install Authenticator App on their personal mobile phone so that each VPN connection must be validated by customer's team by providing the code to the end user.

However, customer noticed that external users can use the https://aka.ms/mysecurityinfopage and add Authenticator App on their personal device to bypass the control. So customer wants to know whether it's possible to block this?

After checking Microsoft documentations, I do not see any possible way to block external users from adding their own methods. Also, external users can use https://aka.ms/mysecurityinfo and delete the Authenticator App configured by customer and try to add a new one.

Could you please share more info on "There's no direct method to restrict users from adding private accounts. However, you can try disabling the access to add accounts after the user adds the work accounts. Another approach is to limit the number of accounts that a user can add in the client app."? I'm not sure if it applies to my case since these accounts are external and are not work accounts and they are not adding account in the client app.

Many thanks in advance

Share via

Restrict Authentication Method Used by B2C users

2 answers

Your answer