Hello Ray,
Enforcing MFA for VPN Users:
Microsoft Entra ID integrates directly with VPNs to enable multi-factor authentication (MFA), adding a second layer of security to sign-up and sign-in experiences.
You can configure MFA on a per-user basis or leverage MFA via Conditional Access.
Restricting Authentication Methods in B2C:
Azure Active Directory B2C (Azure AD B2C) offers multiple methods for multi-factor authentication, including email, SMS, phone call, and authenticator app. However, it seems there's no direct way to restrict users from adding specific sign-in methods. You might need to handle this from the application side or use custom policies.
Blocking External Users from Adding Sign-In Methods:
There's no direct method to restrict users from adding private accounts. However, you can try disabling the access to add accounts after the user adds the work accounts. Another approach is to limit the number of accounts that a user can add in the client app.
Best Practices for MFA that I'd suggest:
- Focus on Ease of Use: Make sure the MFA process is user-friendly.
- Utilize a Variety of Authentication Factors: Integrate OTPs, biometric methods, and magic links into your MFA flow.
- Educate Users on Multi-factor Authentication: Make sure your team understands that MFA is there to support them and protect their accounts.
- Use Multi-factor Authentication Across the Organization: Apply MFA across all business applications, systems, networks, and processes.
I hope this helps.
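As an added illustration of the Conditional Access route mentioned in the answer above (this is example code, not part of the original reply or of Microsoft's documentation), the following Microsoft Graph PowerShell script creates a policy that requires MFA for a VPN application. The group IDs and the application ID are placeholders you would replace with your own tenant's values; the policy is created in report-only mode first so you can check the sign-in logs before enforcing it.

```powershell
# Added example: require MFA for a VPN app via Conditional Access.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs (assumptions for this example; substitute your own):
$vpnUsersGroupId   = "<object-id-of-vpn-users-group>"
$breakGlassGroupId = "<object-id-of-emergency-access-group>"
$vpnAppId          = "<application-id-of-vpn-app-registration>"

$policy = @{
    displayName = "Require MFA for VPN users"
    # Report-only first: evaluates the policy in sign-in logs without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($vpnUsersGroupId)
            # Always exclude emergency-access accounts to avoid lockout.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($vpnAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Verify the policy exists and review its state before switching it to "enabled".
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for VPN users'" |
    Select-Object Id, DisplayName, State
```

After reviewing the report-only results in the Entra sign-in logs, change `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`) to start enforcing MFA for that application.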