Apply MFA on force Reset Password on first login

Code Bit 81 Reputation points
2021-07-12T04:08:12.053+00:00

I have applied MFA on sign-up only, using the LocalAndSocialAccountMFA starter pack, and also force password reset on first login using the GitHub sample force-password-reset-first-logon.

I want to add MFA also when a user first logs in and is forced to change their password.

Any guide would be much appreciated.
Thanks

Microsoft Entra External ID

3 answers

  1. Manu Philip 16,956 Reputation points MVP
    2021-07-12T04:39:16.39+00:00

    You may use a workaround as below (there can be other ideas too). The script can be used as part of onboarding the users:
    Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true


  2. AmanpreetSingh-MSFT 56,301 Reputation points
    2021-07-12T16:08:58.583+00:00

    Hi @Code Bit · Thank you for reaching out.

    Could you please try to add the below orchestration steps in the sign-up/sign-in user journey (the one your RP file is referring to) within the B2C_1A_ForcePasswordReset_TrustFrameworkExtensions policy file, just before the last orchestration step, which issues the JWT token.

    <OrchestrationStep Order="8" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="9" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>newPhoneNumberEntered</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Code Bit 81 Reputation points
    2021-07-13T02:41:28.85+00:00

    Hi @AmanpreetSingh-MSFT, thanks for your reply, but I have already implemented the MFA following SocialAndLocalAccountsWithMfa.
    I wanted to apply MFA only on sign-ups; for this I added a newUser precondition in the MFA step and it worked, but then I added another precondition on extension_mustResetPassword for applying MFA on force reset password on first login:

    <OrchestrationStep Order="10" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>newUser</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>extension_mustResetPassword</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_mustResetPassword</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <!-- ClaimsExchanges element not included in the post -->
    </OrchestrationStep>

    It works only if one condition is true; I want MFA for both. I wanted:
    1: MFA on sign-up only
    2: no MFA on sign-in
    3: MFA on first sign-in for force password reset.
    What I think is that the newUser attribute and extension_mustResetPassword are conflicting with each other, as when extension_mustResetPassword is true, newUser is false and it skips the MFA.

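An added example of one way to express the requirement discussed in this thread (MFA on sign-up and on a forced first-login password reset, none on an ordinary sign-in). It is not code from the posts above, from the SocialAndLocalAccountsWithMfa starter pack, or from the force-password-reset-first-logon sample. Azure AD B2C evaluates the Precondition elements of a step in order and performs the action as soon as one of them is satisfied, so a list of SkipThisOrchestrationStep preconditions can only combine the skip reasons with OR; it cannot say "skip unless A or B", which is what the step in the last post needs. The approach below folds both signals into a single boolean claim with a claims-transformation technical profile and then tests only that claim. The claim names isNewUser and requireMfa, the transformation ids SetIsNewUser and SetRequireMfa, the technical profile ComputeRequireMfa, the exchange id, and the step numbers are assumptions; newUser, extension_mustResetPassword, isActiveMFASession and PhoneFactor-InputOrVerify are taken from the posts above. The DefaultValue on the input claim is also an assumption about how a claim that is absent on sign-up should be treated.

```xml
<!-- 1. Claim types, under BuildingBlocks/ClaimsSchema (isNewUser and requireMfa are assumed names) -->
<ClaimType Id="isNewUser">
  <DisplayName>Account was created in this journey</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>
<ClaimType Id="requireMfa">
  <DisplayName>MFA is required in this journey</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<!-- 2. Transformations, under BuildingBlocks/ClaimsTransformations -->
<!-- isNewUser = (newUser claim exists); mirrors the ClaimsExist precondition used in the thread -->
<ClaimsTransformation Id="SetIsNewUser" TransformationMethod="DoesClaimExist">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newUser" TransformationClaimType="inputClaim" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isNewUser" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
<!-- requireMfa = isNewUser OR extension_mustResetPassword -->
<ClaimsTransformation Id="SetRequireMfa" TransformationMethod="OrClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="isNewUser" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="extension_mustResetPassword" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="requireMfa" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- 3. Technical profile, inside a ClaimsProvider (ComputeRequireMfa is an assumed id) -->
<TechnicalProfile Id="ComputeRequireMfa">
  <DisplayName>Compute whether MFA is required</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <!-- On a fresh sign-up the extension claim has not been read from the directory;
         treat "absent" as false so the OR has a value (assumption). -->
    <InputClaim ClaimTypeReferenceId="extension_mustResetPassword" DefaultValue="false" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isNewUser" />
    <OutputClaim ClaimTypeReferenceId="requireMfa" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="SetIsNewUser" />
    <OutputClaimsTransformation ReferenceId="SetRequireMfa" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- 4. User journey: compute the flag, then a single MFA step that tests only that flag.
        Step numbers are placeholders; renumber to fit the journey. -->
<OrchestrationStep Order="9" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="ComputeRequireMfaExchange" TechnicalProfileReferenceId="ComputeRequireMfa" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="10" Type="ClaimsExchange">
  <Preconditions>
    <!-- Already verified earlier in this session: skip (same as the starter pack) -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Ordinary sign-in (not new, no forced reset): skip -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>requireMfa</Value>
      <Value>false</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The compute step has to run after the step that reads extension_mustResetPassword from the directory (in the GitHub sample that is the user-read technical profile on the sign-in path) and after the sign-up write that emits newUser, but before the MFA step. Computing requireMfa right after the directory read, rather than after the password-change page, also means the decision is taken on the value the user signed in with, so it does not depend on whether the reset step has already cleared the flag in the claims bag. Walking the three cases from the last post: sign-up sets newUser, so requireMfa is true and MFA runs; an ordinary sign-in has no newUser and extension_mustResetPassword is false, so requireMfa is false and the step is skipped; a first sign-in with extension_mustResetPassword true gives requireMfa true and MFA runs.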