You may use a workaround as below (there can be other ideas too). The script can be used as part of onboarding the users:
Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true
Apply MFA on forced password reset on first login
I have applied MFA on sign-up only, using the LocalAndSocialAccountMFA starter pack, and also force a password reset on first login using the GitHub sample force-password-reset-first-logon.
I want to add MFA also when the user logs in for the first time and is forced to change their password.
Any guide would be much appreciated.
Thanks
3 answers
Manu Philip 18,961 Reputation points MVP
2021-07-12T04:39:16.39+00:00
AmanpreetSingh-MSFT 56,731 Reputation points
2021-07-12T16:08:58.583+00:00
Hi @Code Bit, thank you for reaching out.
Could you please try adding the orchestration steps below to the sign-up/sign-in user journey (the one your RP file refers to) in the B2C_1A_ForcePasswordReset_TrustFrameworkExtensions policy file, just before the last orchestration step, which issues the JWT token.
<OrchestrationStep Order="8" Type="ClaimsExchange">
  <Preconditions>
    <!-- Skip the MFA step when the user already has an active MFA session -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="9" Type="ClaimsExchange">
  <Preconditions>
    <!-- Only persist the phone number if the user entered a new one in the previous step -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newPhoneNumberEntered</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Code Bit 86 Reputation points
2021-07-13T02:41:28.85+00:00
Hi @AmanpreetSingh-MSFT, thanks for your reply, but I have already implemented the MFA following SocialAndLocalAccountsWithMfa.
I wanted to apply MFA only on sign-ups; for this I added a newUser precondition to the MFA step and it worked. But when I added another precondition on extension_mustResetPassword, to apply MFA on the forced password reset at first login:
<OrchestrationStep Order="10" Type="ClaimsExchange">
  <Preconditions>
    <!-- Skip MFA unless the newUser claim exists (i.e. this is a sign-up) -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newUser</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Skip MFA unless extension_mustResetPassword exists -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>extension_mustResetPassword</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Skip MFA unless extension_mustResetPassword equals true -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mustResetPassword</Value>
      <Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Skip MFA when an MFA session is already active -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <!-- ClaimsExchanges element was not included in the post; the MFA exchange used by the starter pack is shown -->
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
it works only if one condition is true; I want MFA for both. What I wanted:
1. MFA on sign-up only
2. No MFA on sign-in
3. MFA on first sign-in for the forced password reset.
What I think is that the newUser attribute and extension_mustResetPassword conflict with each other: when extension_mustResetPassword is true, newUser is false, and it skips the MFA.
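The precondition behaviour that Amanpreet's snippet relies on and that Code Bit's reply runs into is modelled below: every precondition in an orchestration step can skip the step on its own, so stacking several ClaimsExist/ClaimEquals preconditions that all carry SkipThisOrchestrationStep gives an OR of skip conditions, and the step only runs when every precondition is satisfied at once. The model then shows the usual way out, which is to make a single combined claim the step's only MFA decision. This is an added example, not code from the thread, from Microsoft's starter packs or from the B2C policy engine. It assumes top-to-bottom, first-match precondition evaluation, treats the claim bag as a flat string map, and uses a hypothetical claim named requireMfa that a real policy would have to produce with a boolean claims transformation (for example OrClaims) in an earlier step before the MFA step reads it.

```python
"""Model of Azure AD B2C orchestration-step precondition evaluation.

Added example (not code from the thread or from the B2C starter packs).
Assumptions, also stated in the lead-in:
  * preconditions are evaluated top to bottom and the first one whose test
    matches executes its Action, which for every step on this page is
    SkipThisOrchestrationStep;
  * the claim bag is a flat dict of claim name -> string value;
  * the combined claim "requireMfa" is hypothetical; in a real policy it
    would be produced by a boolean claims transformation before this step.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Precondition:
    kind: str                    # Type attribute: "ClaimsExist" or "ClaimEquals"
    execute_if: bool             # ExecuteActionsIf attribute
    claim: str                   # first <Value>: the claim name
    value: Optional[str] = None  # second <Value>, only for ClaimEquals

    def fires(self, claims: Dict[str, str]) -> bool:
        """True when this precondition's action (skip the step) should run."""
        if self.kind == "ClaimsExist":
            result = self.claim in claims
        elif self.kind == "ClaimEquals":
            # A missing claim compares as "not equal", so ExecuteActionsIf=false
            # also fires when the claim is absent from the bag.
            result = claims.get(self.claim) == self.value
        else:
            raise ValueError(f"unsupported precondition type {self.kind!r}")
        return result == self.execute_if


def step_runs(preconditions: List[Precondition], claims: Dict[str, str]) -> bool:
    """Return True if the MFA step executes, False if some precondition skips it.

    Every precondition on the page has Action SkipThisOrchestrationStep, so the
    step runs only if none of them fires: the skip conditions are OR-ed, which is
    why "newUser OR mustResetPassword" cannot be expressed with independent
    preconditions on the two claims.
    """
    return not any(p.fires(claims) for p in preconditions)


# The four preconditions from the posted Order="10" step.
POSTED = [
    Precondition("ClaimsExist", False, "newUser"),
    Precondition("ClaimsExist", False, "extension_mustResetPassword"),
    Precondition("ClaimEquals", False, "extension_mustResetPassword", "true"),
    Precondition("ClaimsExist", True, "isActiveMFASession"),
]


def with_require_mfa(claims: Dict[str, str]) -> Dict[str, str]:
    """Add the hypothetical combined claim: new user OR must reset password.

    Stands in for an (assumed) boolean claims transformation that would run in
    an earlier orchestration step of the real policy.
    """
    require = "newUser" in claims or claims.get("extension_mustResetPassword") == "true"
    return {**claims, "requireMfa": "true" if require else "false"}


# One precondition on the combined claim, plus the usual active-MFA-session check.
FIXED = [
    Precondition("ClaimsExist", True, "isActiveMFASession"),
    Precondition("ClaimEquals", False, "requireMfa", "true"),
]

# Constructed claim bags for the cases listed in the thread (not captured data).
SCENARIOS = {
    "sign-up (newUser)": {"newUser": "true"},
    "plain sign-in": {"extension_mustResetPassword": "false"},
    "first sign-in, forced reset": {"extension_mustResetPassword": "true"},
    "sign-up, MFA session active": {"newUser": "true", "isActiveMFASession": "true"},
}


def main() -> None:
    print(f"{'scenario':30} posted  fixed")
    for name, claims in SCENARIOS.items():
        posted = step_runs(POSTED, claims)
        fixed = step_runs(FIXED, with_require_mfa(claims))
        print(f"{name:30} {posted!s:7} {fixed!s}")


if __name__ == "__main__":
    main()
```

Running the file prints one row per scenario; with the posted preconditions the MFA step executes only when newUser and extension_mustResetPassword are both present and the latter is "true", which is neither the sign-up case nor the forced-reset case. With the single combined claim it runs for sign-up and for the forced reset, and is skipped for a plain sign-in and whenever isActiveMFASession is set. One caveat when carrying this back into policy XML: ClaimEquals compares the serialized claim value, so the literal in the second Value element has to match how the boolean claim is actually emitted.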