Apply MFA on force Reset Password on first login

Code Bit 81 Reputation points

I have applied MFA on sign up only using the LocalAndSocialAccountMFA starter pack, and also force password reset on first login using the GitHub sample force-password-reset-first-logon.

I want to add MFA also when the user first logs in and is forced to change his password.

Any guide would be much appreciated.

Azure Active Directory External Identities

3 answers

  1. Manu Philip 14,371 Reputation points MVP

    You may use a workaround as below (there can be other ideas too). The script can be used as part of onboarding the users:
    # MSOnline module: flag every user so they must change their password at next sign-in,
    # without setting a new password for them
    Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

  2. AmanpreetSingh-MSFT 55,431 Reputation points

    Hi @Code Bit, thank you for reaching out.

    Could you please try to add the orchestration steps below to the sign-up/sign-in user journey (the one your RP file refers to) within the B2C_1A_ForcePasswordReset_TrustFrameworkExtensions policy file, just before the last orchestration step, which issues the JWT token.

    <!-- MFA step: skipped when the user already has an active MFA session (claim from the SocialAndLocalAccountsWithMfa starter pack) -->
    <OrchestrationStep Order="8" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Save the MFA phone number: skipped unless the user entered a new number in the previous step (claim from the same starter pack) -->
    <OrchestrationStep Order="9" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>newPhoneNumberEntered</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  3. Code Bit 81 Reputation points

    Hi @AmanpreetSingh-MSFT, thanks for your reply, but I have already implemented MFA following SocialAndLocalAccountsWithMfa.
    I wanted to apply MFA only on sign-ups; for this I added a newUser precondition to the MFA step and it worked, but then I added another precondition on extension_mustResetPassword to apply MFA on the forced password reset at first login:
    <OrchestrationStep Order="10" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>newUser</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>extension_mustResetPassword</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_mustResetPassword</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- the MFA claims exchange itself is the one from the starter pack -->
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
      </ClaimsExchanges>
    </OrchestrationStep>
    It works only if one condition is true; I want MFA for both. I wanted:
    1: MFA on sign up only
    2: no MFA on sign in
    3: MFA on first sign in for force password reset.
    What I think is that the newUser attribute and extension_mustResetPassword are conflicting with each other, as when extension_mustResetPassword is true newUser is false and it skips the MFA.
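The three scenarios from this thread (sign-up, first sign-in with a forced reset, ordinary sign-in), run through a small model of how a B2C orchestration step evaluates its preconditions. This is an added example, not code from the thread or from Microsoft's starter packs. The claims bags are constructed; `requireMfa` is a hypothetical claim name and `with_or_claim` stands in for a policy-side ClaimsTransformation (B2C has an `OrClaims` transformation type for exactly this), with the assumption that an absent boolean input counts as false, which should be checked against the claims-transformation docs before relying on it.

```python
"""Model of how an Azure AD B2C orchestration step evaluates its <Preconditions>.

Added example for this thread, not code from the thread or the B2C starter packs.
Semantics modelled from the custom-policy reference:
  * preconditions are evaluated in document order;
  * ClaimsExist is true when every listed <Value> claim is in the claims bag;
  * ClaimEquals is true when the claim named by the first <Value> equals the
    second <Value> (an absent claim compares as not equal);
  * the <Action> (SkipThisOrchestrationStep) fires when the result equals
    ExecuteActionsIf, and the first precondition that fires ends evaluation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Claims = Dict[str, object]


@dataclass(frozen=True)
class Precondition:
    kind: str                 # "ClaimsExist" or "ClaimEquals"
    values: Tuple[str, ...]   # the <Value> elements, in order
    execute_if: bool          # ExecuteActionsIf="true" / "false"


def evaluate(pre: Precondition, claims: Claims) -> bool:
    """True if the precondition's condition holds for this claims bag."""
    if pre.kind == "ClaimsExist":
        return all(name in claims for name in pre.values)
    if pre.kind == "ClaimEquals":
        name, expected = pre.values
        return name in claims and str(claims[name]).lower() == expected.lower()
    raise ValueError(f"unsupported precondition type {pre.kind!r}")


def step_runs(preconditions: Tuple[Precondition, ...], claims: Claims) -> bool:
    """True if the step executes, False if a SkipThisOrchestrationStep fired."""
    for pre in preconditions:
        if evaluate(pre, claims) == pre.execute_if:
            return False
    return True


# Constructed claims bags for the three cases the question lists. In the
# SocialAndLocalAccountsWithMfa journey newUser is only emitted on sign-up,
# so it is absent (not false) in both sign-in cases.
SIGN_UP: Claims = {"objectId": "u1", "newUser": True}
FIRST_SIGN_IN_RESET: Claims = {"objectId": "u2", "extension_mustResetPassword": True}
NORMAL_SIGN_IN: Claims = {"objectId": "u3", "extension_mustResetPassword": False}
SIGN_UP_ACTIVE_SESSION: Claims = {**SIGN_UP, "isActiveMFASession": True}

# The four preconditions exactly as posted on the MFA step (Order="10").
POSTED = (
    Precondition("ClaimsExist", ("newUser",), execute_if=False),
    Precondition("ClaimsExist", ("extension_mustResetPassword",), execute_if=False),
    Precondition("ClaimEquals", ("extension_mustResetPassword", "true"), execute_if=False),
    Precondition("ClaimsExist", ("isActiveMFASession",), execute_if=True),
)


def with_or_claim(claims: Claims) -> Claims:
    """Stand-in for a ClaimsTransformation run in a step before the MFA step.

    requireMfa is a hypothetical claim name; in a policy this would be an
    OrClaims transformation over newUser and extension_mustResetPassword.
    Assumption: an absent boolean input counts as false.
    """
    out = dict(claims)
    out["requireMfa"] = bool(claims.get("newUser", False)) or bool(
        claims.get("extension_mustResetPassword", False)
    )
    return out


# One skip precondition on the combined claim, plus the starter pack's
# isActiveMFASession guard.
COMBINED = (
    Precondition("ClaimEquals", ("requireMfa", "true"), execute_if=False),
    Precondition("ClaimsExist", ("isActiveMFASession",), execute_if=True),
)


def mfa_prompted(preconditions: Tuple[Precondition, ...], claims: Claims,
                 transform: Callable[[Claims], Claims] = lambda c: c) -> bool:
    return step_runs(preconditions, transform(claims))


def compare() -> Dict[str, Tuple[bool, bool]]:
    """(posted, combined) outcome per scenario: True means the MFA step runs."""
    scenarios = {
        "sign-up": SIGN_UP,
        "first sign-in, forced reset": FIRST_SIGN_IN_RESET,
        "normal sign-in": NORMAL_SIGN_IN,
        "sign-up, MFA session already active": SIGN_UP_ACTIVE_SESSION,
    }
    return {name: (mfa_prompted(POSTED, c), mfa_prompted(COMBINED, c, with_or_claim))
            for name, c in scenarios.items()}


if __name__ == "__main__":
    for name, (posted, combined) in compare().items():
        print(f"{name:40s} posted={posted!s:5s} combined={combined}")
```

The model makes the failure mode visible: every `ClaimsExist` precondition with `ExecuteActionsIf="false"` skips the step on its own, so a list of them only lets the step run when all of the listed claims exist, which never happens once `newUser` is emitted only on sign-up. An OR between two claims has to be computed into a single claim first and tested with one precondition; the remaining `isActiveMFASession` guard then still suppresses the second prompt within an active session.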