How can i setup MFA with conditional access for Azure AD B2C using custom flows

Question

How can i setup MFA with conditional access for Azure AD B2C using custom flows

Tom Loder 20

I ma using Azure AD B2C for authentication for our product, but we need to be able to implement MFA.

I want to be able to do two things:

Include the ability to only require MFA for certain users
Enable the ability to remember the device for x days and this means they won't need to repeat MFA on the same browser for x days.

I have been struggling with the XML in the custom flows, but I cannot work out how to implement the condition access with this. I also am unsure how we can add the ability to remember the device.

Has anyone done this using Custom flows in Azure AD B2C?

1 answer

Your answer

Answer 1

Kancharla Saiteja 5,485 Microsoft External Staff Moderator

Hi @Tom Loder,

Based on your query, I understand that you want to set up MFA using conditional access policy for certain users along with 'remember me' option.

As per your query, here is the Microsoft documentation to configure conditional access policy using custom policies: Add Conditional Access to user flows in Azure Active Directory B2C.

To add 'remember me' for your sign in of the user, you need to configure "keep me signed-in" page using the following document: Enable Keep me signed in (KMSI). Please go through the entire document and configure the custom policies accordingly.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Tom Loder 20 Reputation points

2025-06-18T10:44:11.4066667+00:00

Many thanks for your response.

This is not quite what we want to achieve.

We are looking for an option to specify that if a user logs out and then logs in again they will not need to re authenticate using MFA on the same device.

It may be that our users will be happy for this option.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-18T16:51:55.9266667+00:00

Hi @Tom Loder,

By adding 'remember me' for your sign in of the user, you need to configure "keep me signed-in" page using the following document: Enable Keep me signed in (KMSI). Please go through the entire document and configure the custom policies accordingly. This will ensure the user have 90 days of sign in without any multi factor authentication. The days can be specified by you as per your requirement.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-19T16:37:36.04+00:00

Hi @Tom Loder,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Tom Loder 20 Reputation points

2025-06-20T07:14:59.2733333+00:00

It was helpful but not what we are after. Specifically we want to enable our users to be able to log out and log in again without having to use MFA if they are on the same device. So an option to "Trust this device" or Remember this device to avoid MFA when they log in and out.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-20T23:09:34.8633333+00:00

Hi @Tom Loder,

Since Azure B2C do not have any capabilities of device registration or device information stats, it cannot have an option of 'remember this device to avoid MFA while login'. In order to overcome such kind of situation, B2C has been provided with remember me option to keep the credentials active on the device as per the customer requirement. This 'remember me' works same as remembering MFA as it stores the persistent cookies which helps the user for direct sign in instead of going through MFA while authentication. The working principal of both the features are nearly same which is the reason I have suggested to perform the configuration of 'remember me'.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Tom Loder 20 Reputation points

2025-06-23T07:12:57.4033333+00:00

Thanks. I am assuming though that with the KMSI principal means that when they log out they will always need to use MFA on their next login.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-23T17:11:57.44+00:00

Hi @Tom Loder,

KMSI page will actually manages the session and that is how the user credentials are managed here. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-24T19:36:27.03+00:00

Hi @Tom Loder,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator

2025-06-26T22:26:19.4033333+00:00

Hi @Tom Loder,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

How can i setup MFA with conditional access for Azure AD B2C using custom flows

1 answer

Your answer