Azure AD B2C User Account Recovery Code

Ashish Raj 96 Reputation points
2024-04-02T13:32:19.9566667+00:00

We have set up Azure AD B2C login for our application. Currently we have set up custom policies for sign-in and sign-up using TOTP MFA, which is working fine. We want to implement a recovery code functionality with which a user can download a recovery code during sign-up or later from their profile and use it for login in the event that they do not have access to the Authenticator device for any reason.

 

We went through Azure B2C docs but could not find any reference to achieve this. Is it possible to achieve this using Azure AD B2C or using any partner integration?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-04-03T19:49:16.75+00:00

    Hi @Ashish Raj ,

    I have received confirmation that we do not have a feature like recovery code in B2C and we will not have it in the future. 

    If your end goal is to add more MFA flexibility to users, one suggestion is that you could add multiple MFA methods at the same time during user registration and the user can choose any one of these to pass MFA.

    For example, users can register multiple MFA methods during sign-up. And during sign-in, if they lost the Authenticator app they could still use either phone call/SMS code or email OTP or partner MFA to pass it.

    Here is some example code you could reference:

    https://github.com/azure-ad-b2c/samples/blob/master/policies/mfa-email-or-ph

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

