Restrict Authentication Method Used by B2C users

Ray 0 Reputation points Microsoft Employee
2024-02-29T09:33:26.3033333+00:00

Customer is leveraging the Entra ID B2C feature and wants to enforce MFA when users connect to the VPN. Customer wants that, when doing MFA, only internal users are able to use Microsoft Authenticator as the 2nd factor; for external users, only SMS will be possible. Is it possible to block external users from adding sign-in methods (for example from https://aka.ms/mysecurityinfo) so that only the allowed methods required by the customer can be used? I'm looking for some recommendations and best practices to achieve that.

Microsoft Security Microsoft Entra Microsoft Entra External ID
Microsoft Security Microsoft Entra Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-02-29T23:43:16.8633333+00:00

    Hi @Ray ,

    You can leverage Conditional Access to enforce Authenticator for some users and SMS for others. https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-user-flow#verification-methods

    The B2C MFA methods need to be configured via custom policy and you need to use the TOTP custom policy to implement the Authenticator app for customers. https://github.com/azure-ad-b2c/samples/tree/master/policies/totp

    (See also the example [here](https://stackoverflow.com/questions/76040239/allowing-multiple-user-selectable-mfa-registration-methods-with-azure-ad-b2c-us).)


  2. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-03-01T19:26:50.7433333+00:00

    Hello Ray,

    Enforcing MFA for VPN Users:

    Microsoft Entra ID integrates directly with VPNs to enable multi-factor authentication (MFA), adding a second layer of security to sign-up and sign-in experiences.

    You can configure MFA on a per-user basis or leverage MFA via Conditional Access.

    Restricting Authentication Methods in B2C:

    Azure Active Directory B2C (Azure AD B2C) offers multiple methods for multi-factor authentication, including email, SMS, phone call, and authenticator app. However, it seems there's no direct way to restrict users from adding specific sign-in methods. You might need to handle this from the application side or use custom policies.

    Blocking External Users from Adding Sign-In Methods:

    There's no direct method to restrict users from adding private accounts. However, you can try disabling the access to add accounts after the user adds the work accounts. Another approach is to limit the number of accounts that a user can add in the client app.

    Best Practices for MFA I'd suggest:

    1. Focus on Ease of Use: Make sure the MFA process is user-friendly.
    2. Utilize Variety of Authentication Factors: Integrate OTPs, biometric methods, and magic links into your MFA flow.
    3. Educate Users on Multi-factor Authentication: Make sure your team understands that MFA is there to support them and protect their accounts.
    4. Use Multi-factor Authentication Across Organization: Apply MFA across all business applications, systems, networks, and processes.

    I hope this helps.
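Since neither answer gives a direct way to stop users from registering a method, a defender can at least detect drift from the intended policy (internal users: Authenticator only; external users: SMS only). The following is an added example, not code from either answer or from Microsoft; it assumes registered methods are fetched from Microsoft Graph's `/users/{id}/authentication/methods` endpoint (the `@odata.type` values are the real Graph ones) and that external users are identified by `userType == "Guest"`, which is an assumption about how this tenant models them. The sample users and methods are constructed so the audit runs offline.

```python
"""Audit registered MFA methods per user population (constructed data, runs offline)."""
from typing import Dict, List

# Allowed second-factor types per population, as @odata.type values returned by
# Microsoft Graph /users/{id}/authentication/methods.  Policy from the question:
# internal users -> Microsoft Authenticator only, external users -> SMS only.
# phoneAuthenticationMethod covers SMS and voice on the registered phone.
ALLOWED_METHODS = {
    "internal": {"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    "external": {"#microsoft.graph.phoneAuthenticationMethod"},
}
# Not second factors; ignored by the audit.
NON_MFA_METHODS = {"#microsoft.graph.passwordAuthenticationMethod"}


def population(user: dict) -> str:
    # Assumption: external users carry userType "Guest"; everyone else is internal.
    return "external" if user.get("userType") == "Guest" else "internal"


def audit_user(user: dict, methods: List[dict]) -> List[str]:
    """Return the registered method types this user is not allowed to have."""
    allowed = ALLOWED_METHODS[population(user)]
    return [m.get("@odata.type", "") for m in methods
            if m.get("@odata.type", "") not in NON_MFA_METHODS
            and m.get("@odata.type", "") not in allowed]


def audit_tenant(users: List[dict], methods_by_user: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Map userPrincipalName -> disallowed method types, only for users that have any."""
    report: Dict[str, List[str]] = {}
    for u in users:
        bad = audit_user(u, methods_by_user.get(u["id"], []))
        if bad:
            report[u["userPrincipalName"]] = bad
    return report


# Constructed sample data shaped like Graph responses (not from any real tenant).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u2", "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "userType": "Member"},
]
SAMPLE_METHODS = {
    "u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "displayName": "Pixel"}],
    "u2": [{"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
           {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "displayName": "iPhone"}],
    "u3": [{"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"}],
}

if __name__ == "__main__":
    for upn, bad in audit_tenant(SAMPLE_USERS, SAMPLE_METHODS).items():
        print(f"{upn}: disallowed methods {bad}")
```

Running it against the sample data flags the external user who registered Authenticator and the internal user who registered a phone; the same function can be fed real Graph results once the tenant's notion of "external" is substituted in `population`.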

