0 Votes
VasiliiAleksandrov-2407 asked MantravadiPhani-9524 edited

MFA session doesn't work in Azure B2C custom policy

I used a B2C starter pack to create my MFA B2C sign-in policy with phone number as a factor. But for some reason it doesn't work as expected. The first time I sign in it works fine: the policy asks me to verify my sign-in via SMS and then I get a token. But when I run the flow immediately after my first sign-in, it shows the same phone verification page when it shouldn't. I expect that it should silently sign me in without phone verification. So it looks like the MFA session is invalid. How do I fix that?

Tags: azure-ad-b2c, azure-ad-multi-factor-authentication

1 Vote
bhanote answered VasiliiAleksandrov-2407 commented

Hi, I would recommend evaluating the session lifetime policies; please use the URL below for reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime


In case the issue still persists after following the steps, please do mention it.

Thanks,
Ravi


I believe the link you gave me is only applicable to a regular Azure Active Directory not to Azure AD B2C. My case is Azure AD B2C. Could you clarify? Thanks!

0 Votes

2 Votes
amanpreetsingh-msft answered Deepak-9792 commented

Hi @VasiliiAleksandrov-2407

The SocialAndLocalAccountsWithMfa starter pack by default includes the Sessions Manager technical profile, which facilitates SSO if you have already signed in within the same browser session. However, if your authentication request includes the prompt=login parameter, you will be forced to log in again regardless of whether you have an active session and session cookie.

If you are using the Run Now endpoint, the prompt=login parameter is appended to the end of the URL by default. If you have an active session and you try to sign in using the custom policy in a new tab within the same browser session without prompt=login, you will be signed in directly without having to enter the credentials and perform MFA again.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft
Thank you for the answer. However, even though I removed prompt=login it's still not working and I get the same MFA page when logging in a second time. But I don't need to enter a username and password. Do you have any other suggestions?

0 Votes

Hi @VasiliiAleksandrov-2407 Please add <IncludeTechnicalProfile ReferenceId="SM-MFA" /> to the SM-AAD technical profile in the TrustFrameworkBase file, as highlighted below, and test again.

(attached screenshot: image.png, showing the SM-AAD technical profile with the added line)

2 Votes

Hi @VasiliiAleksandrov-2407 Have you had a chance to test it out?

1 Vote

0 Votes
anomepani answered clnorris commented

@amanpreetsingh-msft
For the mfa-email-or-phone custom policy, how do I configure the MFA session to skip the MFA prompt on every sign-in?

When I am testing the policy in the Azure AD B2C portal, it always shows the MFA dialog for both the email and phone methods.
How can we configure and test the MFA session?

I am not sure what I am missing.

Thanks in advance for any suggestion



@anomepani I've asked the same question and still haven't got an answer. I've also asked MS Support to help me with that. Their answer was along the lines of 'This behavior is expected'. I am still not sure why it's expected and why the user should enter the code every time. I don't think it's correct.
Please, let me know if you solved the problem somehow.

0 Votes

I've seen the same behavior and added the following line to the AAD-UserReadUsingObjectId:

<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />

The issue is that the session manager relies on the Verified.strongAuthenticationPhoneNumber, which is not set when reading data from the directory. I've raised this issue last year in the advisors group, but haven't seen a follow up.

0 Votes

@TaekeKooiker-0673 Thank you for your comment. But adding this line doesn't help in my case. Any other ideas?

0 Votes

clnorris (replying to TaekeKooiker-0673):

I can confirm that adding the code:

<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />

to the default policies works.

0 Votes

0 Votes
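The pieces this thread touches on, pulled together as one added illustration. This is not the starter pack's verbatim text and not code posted by anyone above: the SM-AAD session manager including SM-MFA (the comment on amanpreetsingh-msft's answer), SM-MFA persisting Verified.strongAuthenticationPhoneNumber and emitting isActiveMFASession, the extra OutputClaim on AAD-UserReadUsingObjectId (TaekeKooiker-0673's comment), the phone-factor profile bound to SM-MFA, and the orchestration-step precondition that skips the phone step when the MFA session is active. Technical profile IDs, claim names, the Handler strings and the step order are assumed to mirror the SocialAndLocalAccountsWithMfa starter pack and must be checked against your own TrustFrameworkBase.xml.

```xml
<!-- Added example, not the starter pack's own text. IDs, claim names and the
     orchestration step order are assumptions; verify them against your policy. -->

<!-- 1. Session managers. SM-AAD is the primary SSO session; including SM-MFA
     makes the MFA session's persisted claims part of the same SSO read. -->
<TechnicalProfile Id="SM-AAD">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="signInName" />
    <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
    <PersistedClaim ClaimTypeReferenceId="identityProvider" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true" />
  </OutputClaims>
  <!-- The line suggested in the thread. -->
  <IncludeTechnicalProfile ReferenceId="SM-MFA" />
</TechnicalProfile>

<TechnicalProfile Id="SM-MFA">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <!-- The MFA session is matched on the *verified* number, not the raw
         directory attribute; if this claim is empty on the next sign in,
         the session never matches and MFA is prompted again. -->
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
  </PersistedClaims>
  <OutputClaims>
    <!-- Emitted only when a matching MFA session cookie exists. -->
    <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
  </OutputClaims>
</TechnicalProfile>

<!-- 2. Directory read. Map the stored number onto the Verified.* claim so
     SM-MFA has a value to match against (TaekeKooiker-0673's fix). -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
    <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- 3. Phone factor. Binding the step to SM-MFA is what writes the MFA
     session cookie after a successful SMS verification. -->
<TechnicalProfile Id="PhoneFactor-InputOrVerify">
  <DisplayName>PhoneFactor</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
    <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
    <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
    <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
</TechnicalProfile>

<!-- 4. User journey. Skip the phone step when SM-MFA reported an active
     session. Order="5" is an assumption; match it to your own journey. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecutionType="true">
      <Value>isActiveMFASession</Value>
      <Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The chain on the second sign-in is: SM-AAD (and, through the include, SM-MFA) is read before the journey's steps run; the directory read populates Verified.strongAuthenticationPhoneNumber; SM-MFA compares that to the value it persisted and emits isActiveMFASession=true only on a match; the precondition then skips the phone step. Any break in that chain (the Verified.* claim left empty because the read profile never maps it, the phone-factor profile not bound to SM-MFA, or a test URL that still carries prompt=login) reproduces the symptom in the question. To confirm which link is failing, test with a request that omits prompt=login and check whether isActiveMFASession is present in the claims bag, for example by temporarily running the policy with DeploymentMode="Development" and Application Insights journey recording enabled.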
anomepani answered

Hi @VasiliiAleksandrov-2407 ,
If possible, could you please share your custom Azure AD B2C policy?

Then I can take a look and try at least some configuration in my policy to test the MFA behaviour.

0 Votes
MantravadiPhani-9524 answered MantravadiPhani-9524 edited

Great topic and awesome responses.

Is there a way to invoke MFA separately after login?

When a user tries to access specific features I'd like to invoke the MFA step again. Is that possible to do using AD B2C custom policies? I'm trying to invoke MFA only for specific parts of my application. I'd like my user to be able to log in based on password + MFA that only allows read-only access to the more secure aspects of the site.
