Azure B2C Custom Policy with Conditional Policy for Risky Sign Ins and enabling MFA

Harjani, Ashish 206 Reputation points
2024-07-24T15:00:44.64+00:00

Hi ,

We are trying to implement conditional access policies in our Azure B2C custom policy for risky sign-ins. Depending on the risk, we will enable MFA for those users. We came across the MSFT link below, which in turn points to the GitHub sample policy below.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-custom-policy#add-conditional-access-to-your-policy

https://github.com/azure-ad-b2c/samples/tree/master/policies/conditional-access

But the sample given in the above GitHub link is incomplete. There are lots of validation errors in it and missing referenced technical profiles such as PhoneFactor-InputOrVerify. Can someone point me to a correct GitHub sample policy that is fully complete and shows step by step how to do it?


2 answers

  1. Harjani, Ashish 206 Reputation points
    2024-07-30T20:11:38.8433333+00:00

    Hi @Raja Pothuraju

    The example you show above does make a reference to PhoneFactor-InputOrVerify, but the definition of it is missing in the same XML file. When you upload that file as-is, it gives an error that the "PhoneFactor-InputOrVerify" definition is missing.

    It was after so much research that I was able to figure out that the above Git sample takes its base foundation from another Git sample, which is:
    https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccountsWithMfa

    So basically, we have to implement the base foundation first and then refer to the conditional access policies Git sample. I guess the documentation / samples could explain all of this in some simple steps so that it's not too confusing. For now, the simple answer to my above question is the combination of the below 2 documents:

    https://github.com/azure-ad-b2c/samples/tree/master/policies/conditional-access

    https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccountsWithMfa


  2. Raja Pothuraju 7,675 Reputation points Microsoft Vendor
    2024-08-01T12:48:57.4533333+00:00

    Hi @Harjani, Ashish, I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Azure B2C Custom Policy with Conditional Policy for Risky Sign Ins and enabling MFA.

    Solution: Resolved by @Harjani, Ashish

    Below are the steps followed by @Harjani, Ashish

    The Git sample takes its base foundation from another Git sample, which is: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccountsWithMfa

    So basically, we have to implement the base foundation first and then refer to the conditional access policies Git sample. I guess the documentation / samples could explain all of this in some simple steps so that it's not too confusing. For now, the simple answer to my above question is the combination of the below 2 documents:

    https://github.com/azure-ad-b2c/samples/tree/master/policies/conditional-access

    https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccountsWithMfa

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,
    Raja Pothuraju.

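The root cause in both answers above is a dangling reference: the conditional-access sample's `ClaimsExchange` points at `TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"`, and that `TechnicalProfile` only exists once the SocialAndLocalAccountsWithMfa starter pack is uploaded first. The script below is an added example (not code from either GitHub repository or from the posters) that reproduces the upload-time error locally: it loads a set of B2C custom-policy XML files, collects every `TechnicalProfile Id`, and reports every `TechnicalProfileReferenceId` / `ReferenceId` that nothing in the chain defines. The two embedded policy fragments are constructed and heavily trimmed stand-ins for the starter pack base and the conditional-access extension (tenant name, journey name and the empty technical profiles are placeholders, not copies of the real samples); only the element names, attribute names and the `cpim` schema namespace are real B2C schema.

```python
"""Find TechnicalProfile references in Azure AD B2C custom policies that no
file in the policy chain (base -> extensions -> relying party) defines."""
import xml.etree.ElementTree as ET

# Real B2C custom-policy schema namespace.
CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# Elements that reference a TechnicalProfile by Id, and the attribute holding it.
REF_ATTRS = {
    "ClaimsExchange": "TechnicalProfileReferenceId",
    "ValidationTechnicalProfile": "ReferenceId",
    "IncludeTechnicalProfile": "ReferenceId",
}

# Constructed, trimmed stand-in for the MFA starter pack base (assumed shape).
MFA_BASE_XML = f"""<TrustFrameworkPolicy xmlns="{CPIM}" PolicySchemaVersion="0.3.0.0"
    TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkBase">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Phone Factor</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="PhoneFactor-InputOrVerify" />
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>"""

# Constructed, trimmed stand-in for the conditional-access extension (assumed shape).
CA_EXTENSION_XML = f"""<TrustFrameworkPolicy xmlns="{CPIM}" PolicySchemaVersion="0.3.0.0"
    TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Conditional Access</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="ConditionalAccessEvaluation" />
        <TechnicalProfile Id="ConditionalAccessRemediation" />
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInWithCA">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="CAEval" TechnicalProfileReferenceId="ConditionalAccessEvaluation" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="Mfa" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="CARemediate" TechnicalProfileReferenceId="ConditionalAccessRemediation" />
          </ClaimsExchanges>
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>"""


def defined_profiles(policies):
    """Return the set of TechnicalProfile Ids defined across all policy files."""
    ids = set()
    for xml_text in policies:
        root = ET.fromstring(xml_text)
        for tp in root.iter(f"{{{CPIM}}}TechnicalProfile"):
            if tp.get("Id"):
                ids.add(tp.get("Id"))
    return ids


def referenced_profiles(policies):
    """Map each referenced TechnicalProfile Id to the (PolicyId, element) sites using it."""
    refs = {}
    for xml_text in policies:
        root = ET.fromstring(xml_text)
        policy_id = root.get("PolicyId", "?")
        for elem, attr in REF_ATTRS.items():
            for el in root.iter(f"{{{CPIM}}}{elem}"):
                if el.get(attr):
                    refs.setdefault(el.get(attr), []).append((policy_id, elem))
    return refs


def unresolved_references(policies):
    """Referenced Ids with no definition anywhere in the chain; empty means upload-clean."""
    defined = defined_profiles(policies)
    return {r: sites for r, sites in referenced_profiles(policies).items() if r not in defined}


if __name__ == "__main__":
    # Extension alone: reproduces the "PhoneFactor-InputOrVerify definition is missing" error.
    print("extension only:", unresolved_references([CA_EXTENSION_XML]))
    # Base uploaded first, then extension: nothing dangling.
    print("base + extension:", unresolved_references([MFA_BASE_XML, CA_EXTENSION_XML]))
```

Run it against the real files by replacing the two embedded strings with the contents of TrustFrameworkBase.xml, TrustFrameworkExtensions.xml and your relying-party file, in upload order; any Id it prints is one the portal will reject at upload time, and a `ClaimsExchange` that resolves only when the starter pack is included is exactly the dependency the thread describes.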
