@Sander Koster • Thank you for reaching out.
I tested this scenario in my B2C tenant and below are the steps that I performed to achieve it.
The amr
claim is available only in V1 token, so I used the V1 OIDC metadata endpoint in my technical profile for Federated AAD and captured amr
claim in this technical profile. I then created a Claims Transformation to set extension_AadMfaDone
to true
if the amr
claim contains mfa
in its array. Finally, skipped the MFA orchestration steps if extension_AadMfaDone
is True
(capital T as it is boolean and not a string).
- Add the below claims to your custom policy:
<ClaimType Id="extension_amr"> <DisplayName>amr</DisplayName> <DataType>stringCollection</DataType> <UserHelpText/> </ClaimType> <ClaimType Id="extension_AadMfaDone"> <DisplayName>AadMfaDone</DisplayName> <DataType>boolean</DataType> <UserHelpText/> </ClaimType>
- Add below claims transformation:
<ClaimsTransformation Id="CheckIfAadMfaIsDone" TransformationMethod="StringCollectionContains"> <InputClaims> <InputClaim ClaimTypeReferenceId="extension_amr" TransformationClaimType="inputClaim"/> </InputClaims> <InputParameters> <InputParameter Id="item" DataType="string" Value="mfa"/> <InputParameter Id="ignoreCase" DataType="string" Value="true"/> </InputParameters> <OutputClaims> <OutputClaim ClaimTypeReferenceId="extension_AadMfaDone" TransformationClaimType="outputClaim"/> </OutputClaims> </ClaimsTransformation>
- Update the below parameters under the technical profile that you have added for your federated Azure AD tenant:
1. Remove v2.0 from the OIDC Metadata URL so that you get V1 token as V2 token does NOT include the amr claim. <Item Key="METADATA">https://login.microsoftonline.com/your_tenant.onmicrosoft.com/.well-known/openid-configuration</Item> 2. Add below output claims under the <OutputClaims> of your technical profile: <OutputClaim ClaimTypeReferenceId="extension_amr" PartnerClaimType="amr" /> <OutputClaim ClaimTypeReferenceId="extension_AadMfaDone"/> 3. Add below Output Claim Transformation under <OutputClaimsTransformations> of your technical profile: <OutputClaimsTransformation ReferenceId="CheckIfAadMfaIsDone"/>
- Skip the MFA orchestration steps if extension_AadMfaDone = true as shown below:
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"><OrchestrationStep Order="7" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> <Value>isActiveMFASession</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition>
<Value>extension_AadMfaDone</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
</ClaimsExchanges>
</OrchestrationStep>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"><OrchestrationStep Order="8" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> <Value>newPhoneNumberEntered</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition>
<Value>extension_AadMfaDone</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.