Overview:
Our team recently created a "Microsoft Entra ID for Customers" resource which we are attempting to configure for our use case. For said use case, multi-factor authentication is required and needs to be configured the first time a customer logs in. Currently, we create a User (Customer template) via the Graph API, assign said user an email and password, then share those credentials with our customer. When they log in for the first time, a "We couldn't sign you in - An additional verification method is required to access this site or app." message appears, halting the user flow. Our understanding is that this message appears because MFA is required and the user has no configured MFA method. Our expectation is that an MFA configuration wizard should be launched whenever this occurs.
Steps Taken:
After looking through the existing Entra ID documentation, we stumbled upon the following article which seemed to perfectly encapsulate the problem we needed to solve and prescribed a solution to it:
https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta#require-re-register-multifactor-authentication
In the above article, it's stated that users can set up a new MFA method the next time they sign in if no authentication methods exist for said user. After making a GET request on the newly created user's authentication methods, we noticed that the user had no configured authentication methods (except password). Given that no documented way exists to delete the password authentication method, we didn't know how else to proceed.
As a temporary solution, we prescribed an authentication method of email for the customer, which functioned as expected. With this solution, the customer is asked to provide a one-time email code whenever they sign in, and the user flow is no longer halted.
In case it's useful, we are testing this user flow via the Entra admin center's "Run User Flow" tester which is also where we've encountered the aforementioned problems.
Problem & Assistance Needed:
Given the above information, if a customer only has an authentication method of "password," shouldn't they be prompted to configure a new MFA method? If not, is it because the password authentication method still exists? Could this be an issue in how we've configured MFA within the Entra admin center? Our desire is for customers to be able to configure the MFA method of their choice when logging in for the first time.
Thanks so much for any help, guidance, or direction!
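The two Graph calls the post describes (listing a customer's registered authentication methods, and registering an email one-time-code method as the interim workaround) can be scripted so that an admin can detect the "password only" state before handing credentials to a customer, rather than discovering it when the sign-in is blocked. The block below is an added example and is not code from the original post. The endpoint paths and `@odata.type` values are the documented Microsoft Graph ones; the bearer token, user id, customer email address and method ids are placeholders, and the sample responses are constructed. Calling Graph for real requires an app or delegated token with the `UserAuthenticationMethod.ReadWrite.All` permission.

```python
"""Inspect a customer's registered authentication methods via Microsoft Graph
and register an email OTP method only when the password is the sole method.

Added example, not the original poster's code. Endpoints and @odata.type
values are the documented Graph ones; token, user id, email and method ids
are placeholders; the SAMPLE_* responses are constructed for offline use.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"
EMAIL_TYPE = "#microsoft.graph.emailAuthenticationMethod"

# Constructed sample: GET /users/{id}/authentication/methods for a freshly
# created customer who has never registered an MFA method.
SAMPLE_METHODS_PASSWORD_ONLY = {
    "value": [
        {"@odata.type": PASSWORD_TYPE, "id": "<password-method-id>"},
    ]
}

# Constructed sample: the same user after an email OTP method was added.
SAMPLE_METHODS_WITH_EMAIL = {
    "value": [
        {"@odata.type": PASSWORD_TYPE, "id": "<password-method-id>"},
        {"@odata.type": EMAIL_TYPE, "id": "<email-method-id>",
         "emailAddress": "customer@example.com"},
    ]
}


def mfa_capable_methods(methods_response):
    """Return the @odata.type of every registered method except the password.

    The password method cannot be deleted and never satisfies an MFA
    requirement, so it is excluded from the count."""
    return [m["@odata.type"] for m in methods_response.get("value", [])
            if m.get("@odata.type") != PASSWORD_TYPE]


def needs_mfa_registration(methods_response):
    """True when the password is the only registered method, which is the
    state in which an MFA-required sign-in is blocked."""
    return not mfa_capable_methods(methods_response)


def email_method_payload(email_address):
    """Request body for POST /users/{id}/authentication/emailMethods."""
    return {"emailAddress": email_address}


def graph_call(token, method, path, body=None):
    """Minimal Graph request with a bearer token (requires network access)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def ensure_email_method(token, user_id, email_address):
    """Register an email OTP method only if no non-password method exists yet.
    Returns the non-password method types registered after the call."""
    methods = graph_call(token, "GET", f"/users/{user_id}/authentication/methods")
    if needs_mfa_registration(methods):
        graph_call(token, "POST", f"/users/{user_id}/authentication/emailMethods",
                   email_method_payload(email_address))
        methods = graph_call(token, "GET", f"/users/{user_id}/authentication/methods")
    return mfa_capable_methods(methods)


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    print("password only ->", needs_mfa_registration(SAMPLE_METHODS_PASSWORD_ONLY))
    print("with email    ->", mfa_capable_methods(SAMPLE_METHODS_WITH_EMAIL))
    # Placeholder environment variables; only set them to call Graph for real.
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(ensure_email_method(token, os.environ["USER_ID"],
                                  os.environ["CUSTOMER_EMAIL"]))
```

Run without `GRAPH_TOKEN` set, the script only exercises the constructed samples; `ensure_email_method` is idempotent, so it can be run after every customer is provisioned and will not add a second email method to a user who already has one.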