This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have setup Azure AD B2C login for our application. Currently we have setup custom policies for Signin Signup using TOTP MFA which is working fine. We want to implement a recovery code functionality using which user can download recovery code during signup or later from their profile and can use for login in the event when they do not have access to the Authenticator device due to any reasons.
We went through Azure B2C docs but could not find any reference to achieve this. Is it possible to achieve this using Azure AD B2C or using any partner integration?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Ashish Raj , I am looking into this question and will get back to you.
Hi @Ashish Raj
There isn't a B2C specific option for "in advance" recovery codes that I'm aware of, though I'm checking with the product team to confirm this. For Microsoft accounts specifically, users can download the recovery code from account.microsoft.com > Select your Avatar/Name> My Microsoft Account>Security>Advanced Security Options
For B2C recovery codes, the default lifetime is five minutes. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid#add-azure-ad-b2c-claim-types
You could also create some custom recovery options using Graph API. You could get the user's email address which is registered with B2C and send the user an email with a code to confirm that the user owns the email using the OTP code. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid?pivots=b2c-custom-policy#add-otp-technical-profiles
Then you could query the Graph API for the list of users and search for the provided e-mail.
Hi @Ashish Raj ,
I have received confirmation that we do not have a feature like recovery code in B2C and we will not have it in the future.
If your end goal is to add more MFA flexibility to users, one suggestion is that you could add multiple MFA methods at the same time during user registration and the user can choose any one of these to pass MFA.
For example, users can register multiple MFA methods during sign-up. And during sign-in, if they lost the Authenticator app they could still use either phone call/SMS code or email OTP or partner MFA to pass it.
Here is an example code you could reference:
https://github.com/azure-ad-b2c/samples/blob/master/policies/mfa-email-or-ph
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.