Restrict Authentication Method Used by B2C users

Ray 0 Reputation points Microsoft Employee
2024-02-29T09:33:26.3033333+00:00

Customer is leveraging the Entra ID B2C feature and wants to enforce MFA when users connect to the VPN. Customer wants that when doing MFA, only internal users should be able to use Microsoft Authenticator as the 2nd factor; for external users, only SMS will be possible. Is it possible to block external users from adding sign-in methods (for example from https://aka.ms/mysecurityinfo) so that only the allowed methods required by the customer can be used? I'm looking for some recommendations and best practices to achieve that.


2 answers

  1. Marilee Turscak-MSFT 36,811 Reputation points Microsoft Employee
    2024-02-29T23:43:16.8633333+00:00

    Hi @Ray,

    You can leverage Conditional Access to enforce Authenticator for some users and SMS for others. https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-user-flow#verification-methods

    The B2C MFA methods need to be configured via custom policy and you need to use the TOTP custom policy to implement the Authenticator app for customers. https://github.com/azure-ad-b2c/samples/tree/master/policies/totp

    (See also the example [here](https://stackoverflow.com/questions/76040239/allowing-multiple-user-selectable-mfa-registration-methods-with-azure-ad-b2c-us).)

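    The routing described in this answer, as an added illustration that is not code from the original answer or from the linked samples: a B2C custom-policy user journey fragment in which the MFA step a user reaches is chosen by the policy from a directory attribute, so the user cannot self-select a method. It assumes an extension attribute surfaced as the claim `extension_userType` with the values `internal` / `external`, the starter-pack technical profiles `SelfAsserted-LocalAccountSignin-Email`, `AAD-UserReadUsingObjectId` and `PhoneFactor-InputOrVerify`, and a placeholder Id for the TOTP technical profile taken from the TOTP sample.

    ```xml
    <!-- Fragment for TrustFrameworkExtensions.xml (assumed names, see lead-in) -->
    <UserJourney Id="SignInRestrictedMfa">
      <OrchestrationSteps>
        <!-- Step 1: local-account sign-in using the starter-pack profile -->
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Step 2: read the user object; the assumed extension_userType claim is
             read here from the directory, not supplied by the user -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Step 3: SMS factor; skipped only when the user is marked internal -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>extension_userType</Value>
              <Value>internal</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SmsFactor" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Step 4: Authenticator (TOTP) factor; skipped unless the user is marked
             internal, so a missing or unexpected attribute value falls back to SMS -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_userType</Value>
              <Value>internal</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="TotpFactor" TechnicalProfileReferenceId="TOTP-TECHNICAL-PROFILE-ID-PLACEHOLDER" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
    ```

    Because the only writer of `extension_userType` is the directory read in step 2, the method offered is decided server-side per sign-in; check the TOTP sample for the actual technical profile Id and claim names before substituting the placeholder.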

  2. Pinaki Ghatak 3,830 Reputation points Microsoft Employee
    2024-03-01T19:26:50.7433333+00:00

    Hello Ray

    Enforcing MFA for VPN Users:

    Microsoft Entra ID integrates directly with VPNs to enable multi-factor authentication (MFA), adding a second layer of security to sign-up and sign-in experiences.

    You can configure MFA on a per-user basis or leverage MFA via Conditional Access.

    Restricting Authentication Methods in B2C:

    Azure Active Directory B2C (Azure AD B2C) offers multiple methods for multi-factor authentication, including email, SMS, phone call, and authenticator app. However, it seems there's no direct way to restrict users from adding specific sign-in methods. You might need to handle this from the application side or use custom policies.

    Blocking External Users from Adding Sign-In Methods:

    There's no direct method to restrict users from adding private accounts. However, you can try disabling the access to add accounts after the user adds the work accounts. Another approach is to limit the number of accounts that a user can add in the client app.

    Best Practices for MFA I'd suggest:

    1. Focus on Ease of Use: Make sure the MFA process is user-friendly.
    2. Utilize a Variety of Authentication Factors: Integrate OTPs, biometric methods, and magic links into your MFA flow.
    3. Educate Users on Multi-factor Authentication: Make sure your team understands that MFA is there to support them and protect their accounts.
    4. Use Multi-factor Authentication Across the Organization: Apply MFA across all business applications, systems, networks, and processes.

    I hope this helps.

