Handling Unused Verification Codes in Microsoft Entra External ID.

Aakash Goswami 25 Reputation points
2024-11-07T09:01:55.3266667+00:00

In Microsoft Entra External ID, we’ve noticed that unused verification codes generated for sign-up and two-factor authentication can still be used in two scenarios, even after a new code has been requested:

  1. During the same registration/login attempt.
  2. When the current registration/login process is canceled, and a new one is initiated.

While used codes are correctly blocked from reuse, unused codes remain valid and can be reused across new registration or login attempts.

Could you please clarify:

  • Whether it’s possible to restrict the usage of old, unused codes in new registration or login attempts.
  • If there’s a way to invalidate all previous codes whenever a new code is generated.

1 answer

  1. Shweta Mathur 30,176 Reputation points Microsoft Employee
    2024-11-26T08:13:36.11+00:00

    Hi @Aakash Goswami ,

    Thanks for reaching out.

    This is expected behavior as it is built-in functionality, and we cannot restrict the usage of old codes. However, each code can only be used once and will expire after 30 minutes if not used.

    Hope this will help.

    Thanks,

    Shweta

    Please "Accept the answer" if the above answer helps you.
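
A small model of the two policies discussed in this thread, added here as an illustration; it is not Microsoft Entra External ID's code, and the class and function names, the in-memory store and the 8-digit code length are assumptions. With `invalidate_on_reissue=False` it reproduces the behavior described above (single use, 30-minute expiry, older unused codes still accepted after a new request); with `True` it shows the invalidate-on-new-code policy the question asks about.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 30 * 60  # 30-minute expiry, as stated in the answer
CODE_DIGITS = 8             # assumption: code length is not given in the thread

@dataclass
class IssuedCode:
    value: str
    issued_at: float
    used: bool = False

    def live(self, now: float) -> bool:
        return not self.used and now - self.issued_at < CODE_TTL_SECONDS

@dataclass
class CodeStore:
    """Hypothetical in-memory verification-code store (illustration only)."""
    invalidate_on_reissue: bool
    codes: dict = field(default_factory=dict)  # account -> list of IssuedCode

    def issue(self, account: str, now: float) -> str:
        if self.invalidate_on_reissue:
            # Policy the question asks for: a new code revokes all older ones.
            self.codes[account] = []
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes.setdefault(account, []).append(IssuedCode(code, now))
        return code

    def verify(self, account: str, submitted: str, now: float) -> bool:
        ok = False
        for entry in self.codes.get(account, []):
            # Constant-time comparison; every entry is checked, no early exit.
            same = hmac.compare_digest(entry.value.encode(), submitted.encode())
            if same and entry.live(now):
                entry.used = True  # single use: a consumed code is never accepted again
                ok = True
        return ok

    def live_codes(self, account: str, now: float) -> int:
        """How many codes would currently be accepted for this account."""
        return sum(e.live(now) for e in self.codes.get(account, []))

def old_code_accepted_after_reissue(invalidate_on_reissue: bool) -> bool:
    store = CodeStore(invalidate_on_reissue)
    first = store.issue("user@example.com", now=0)   # attempt 1: code never used
    store.issue("user@example.com", now=60)          # attempt 2: new code requested
    return store.verify("user@example.com", first, now=120)
```

In this model, `live_codes` makes the side effect of the first policy visible: each additional code request inside the 30-minute window adds one more accepted value for the account.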
