Azure b2c login: after logout, user is asked for email and password but not asking for further steps like MFA/email verification.

Question

Azure b2c login: after logout, user is asked for email and password but not asking for further steps like MFA/email verification.

Urmila Purohit 20

Hii team,
I have created azure b2c custom policy for login. Policy workflow is like: user add email and password, further user have to choose MFA or email verification option. user can go with either of them and if provide correct code the user will be able to login. User is also able to logout.

When user try to login after logout then user has to provide email and password (which is working fine) but further user is not ask for MFA/email verification. MFA/email verification is skipped and user is able to login.
How can I make sure that every time after logout, user has to follow complete login flow which include the email & password >> MFA/email verification >> successful login.

Please guide me to solve this issue

Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-26T07:50:44.63+00:00
Hi @Urmila Purohit,

Based on your query, I understand that you have not prompted for MFA while reauthentication to the application.

If you are trying to sign in immediately after logout of your application, it may not prompt you for the MFA details because token might be stored in cookies. Please wait for a while and try authentication again.

Whenever you select "keep me signed in" as "Yes", this might store the user details which might also impact in the MFA authentication of the user.

Now when it comes to user session management using custom policies, whenever you logout from an application, user will be only logged out of the application but not from the session. In order to overcome this, could you please check the single sign on scope for the application:

<RelyingParty> <DefaultUserJourney ReferenceId="SignUpOrSignIn" /> <Endpoints> <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /> </Endpoints> <UserJourneyBehaviors> <SingleSignOn Scope="Application"/> <SessionExpiryType>Absolute</SessionExpiryType> <SessionExpiryInSeconds>1200</SessionExpiryInSeconds> <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="c41fe117-3e90-4178-952e-adf47d51fbf2" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" /> <ScriptExecution>Allow</ScriptExecution> </UserJourneyBehaviors>

If you have configured this <SingleSignOn Scope="Application"/> then only the application gets logged out of the application, but this is not enough to clear the cookies or end session with the user. Make sure the session expiry type has been mentioned to Absolute which will force the re authentication after the session expiry. You can use this document as reference.

Kindly change the following scope of the single sign on to Tenant or policy which will be as follows:

<SingleSignOn Scope="Tenant"/>

To end the session completely, you need to configure your claims provider technical profiles as follows:

The protocol name, such as <Protocol Name="OpenIdConnect" />

The reference to the session technical profile, such as UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />

Please do configure the technical profiles using the following document: Single sign-out.

If this does not help you, modify your URL with &prompt=login. which will force you to login to the application every time.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Urmila Purohit 20 Reputation points

2025-03-26T10:18:20.17+00:00
Hii @Kancharla Saiteja ,
Thanks for reply. below is RP that I am using currently in my b2c policy:
I have also took help of https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-your-custom-policy to configure the technical profiles but not working. can you please tell me that do I need to add the reference of UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> everywhere in code wherever I am using technical profile?

Please lemme know your answer in detail

 <SingleSignOn Scope="Tenant" /> <SessionExpiryType>Absolute</SessionExpiryType> <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-26T10:40:34+00:00

Hi @Urmila Purohit,

Yes, you need to add UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> to make sure the authentication support single sign out which make sure there is no active session of the user.

Please add the required information and let me know the results.
Urmila Purohit 20 Reputation points

2025-03-26T12:51:19.9533333+00:00

devaiadb2c.onmicrosoft.com-B2C_1A_TRUSTFRAMEWORKEXTENSIONS_TOTP_TEST_URU.xml
I have added UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> in the above file that I am using still not asking for MFA/email verification after email and password. Please go through it and let me know if you have any suggestions.
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-26T12:55:57.23+00:00

Hi @Urmila Purohit,

Could you please confirm that you have used sign out URL for the application to make sure you sign out from the entire session. Please check the following document as reference: Send a sign-out request.

Let me know the results by responding to this thread.

Thank you,

Saiteja K.

Accepted answer

0 additional answers

Your answer

Urmila Purohit 20 Reputation points

2025-03-26T10:18:20.17+00:00

Hii @Kancharla Saiteja ,
Thanks for reply. below is RP that I am using currently in my b2c policy:
I have also took help of https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-your-custom-policy to configure the technical profiles but not working. can you please tell me that do I need to add the reference of UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> everywhere in code wherever I am using technical profile?

Please lemme know your answer in detail

 <SingleSignOn Scope="Tenant" /> <SessionExpiryType>Absolute</SessionExpiryType> <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-26T10:40:34+00:00

Hi @Urmila Purohit,

Yes, you need to add UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> to make sure the authentication support single sign out which make sure there is no active session of the user.

Please add the required information and let me know the results.
Urmila Purohit 20 Reputation points

2025-03-26T12:51:19.9533333+00:00

devaiadb2c.onmicrosoft.com-B2C_1A_TRUSTFRAMEWORKEXTENSIONS_TOTP_TEST_URU.xml
I have added UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" /> in the above file that I am using still not asking for MFA/email verification after email and password. Please go through it and let me know if you have any suggestions.
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-26T12:55:57.23+00:00

Hi @Urmila Purohit,

Could you please confirm that you have used sign out URL for the application to make sure you sign out from the entire session. Please check the following document as reference: Send a sign-out request.

Let me know the results by responding to this thread.

Thank you,

Saiteja K.

Answer 1

Kancharla Saiteja 3,480 Microsoft External Staff

Hi @Urmila Purohit,

We have come across your custom policy and found the following user journey with orchestration step:

     <!-- OrchestrationStep added for user's choice start -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>extension_mfaByMFAOrEmail</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- OrchestrationStep added for user's choice end -->

This orchestration step is validating your claims of MFA whether it has been provided previously or not. Since you have already provided in the first sign in, so it is skipping the MFA in you re authentication. I would recommend checking on this and change it accordingly which make sure the user provide MFA for re authentication as well.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-28T03:39:59.1166667+00:00

Hi @Urmila Purohit,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Urmila Purohit 20 Reputation points

2025-03-31T05:45:25.6266667+00:00
Hii @Kancharla Saiteja ,

I have tried to modify the above step by removing the preconditions but while login for the first time it is following both MFA and email. After logout while try to login, it is skipping the MFA and email:

I have also tried looking into this step, I changed the condition to false from true which should be result into asking for TOTP and Email Otp which is working fine but after logout if I re-login then it does not ask for either TOTP or Email.

<OrchestrationStep Order="5" Type="ClaimsExchange"> <ClaimsExchanges> <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" /> </ClaimsExchanges> </OrchestrationStep>
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-03-31T18:16:35.98+00:00

Hi @Urmila Purohit,

Since you would like to make the user re authenticate with user credentials and MFA, may I know what the purpose is in using the Orchestration steps for Claims exist. You can remove that particular order and its dependent profiles and try the authentication. Else, you can use InvokeSubJourney which prompts for MFA using the order if the claim exist is equal to true.

Thanks,

Saiteja K.
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-04-01T17:05:15.0266667+00:00

Hi @Urmila Purohit,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Kancharla Saiteja 3,480 Reputation points Microsoft External Staff

2025-04-03T00:52:26.2+00:00

Hi @Urmila Purohit,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Urmila Purohit 20 Reputation points

2025-04-03T07:13:05.7566667+00:00

Hii @Kancharla Saiteja ,
I finally fount the issue, Actually our application code was using static value to link the b2c policy after logout. static link was referring to the old policy which do not has MFA/Email selection option. I update that link with latest b2c policy. Now, everything is working fine.

Thanks for help.

Share via

Azure b2c login: after logout, user is asked for email and password but not asking for further steps like MFA/email verification.

0 additional answers

Your answer