Azure AD B2C: How to apply MFA with phone or email using custom policy

quân nguyễn 0 Reputation points
2025-02-10T08:39:07.0233333+00:00

Purpose: I want to implement a sign-in flow with 3 options of MFA (phone, email and TOTP).

Problem: when implementing this with the first two MFA options (phone and email), I got the error below. Can you please help me verify my custom policy files?

I uploaded my files here: https://github.com/ndq3004/B2C_CustomPolicy

The policy files were combined from the custom policy starter pack for LocalAccounts and this sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-email-or-phone

My account is a personal account, and I cannot use my company account for testing with the tool in the sample.

Could you kindly provide guidance on the above request?

Thank you,

Quan

1 answer

  1. Janaki Kota 790 Reputation points Microsoft External Staff
    2025-02-11T11:45:09.34+00:00

    Hello Quan,

    Thank you for reaching out to Microsoft Q&A.

    We understand that when you are implementing a sign-in flow with 3 options of MFA (phone, email and TOTP) you are encountering the error below with the first 2 MFA options (phone and email).

    “AADSTS500202: User account '{EUII Hidden}' is a personal Microsoft account, but the client or resource applications do not have direct Microsoft account support enabled. For external account support use the /organizations or the tenanted endpoint”.

    The error you're encountering, AADSTS500202, indicates that the authentication attempt was made with a personal Microsoft account (e.g., an Outlook or Live account), but the Azure AD B2C tenant is not configured to allow such accounts, or the appropriate endpoint was not used.

    Your authentication call must target a URL that matches your selection if your app registration's supported account type was set to one of the following values: 

    • Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) 
    • Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) 
    • Personal Microsoft accounts only 

    If you use https://login.microsoftonline.com/<YourTenantNameOrID>, users from other organizations can't access the application. You have to add these users as guests in the tenant that's specified in the request. In that case, the authentication is expected to be run on your tenant only. This scenario causes the sign-in error if you expect users to sign in by using federation with another tenant or identity provider.

    Source Document for more information: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50020-user-account-identity-provider-does-not-exist#cause-3-used-the-wrong-endpoint-personal-and-organization-accounts

    Hope this helps. Do let us know if you have any further queries.