This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am currently trying to wrap my head around an issue.
I have a B2C tenant set up with custom policies that uses a multi tenant AD connection as described in the MS docs here: identity-provider-azure-ad-multi-tenant.
In turn, I have connected the B2C tenant to a PowerApps Portal as instructed here: configure-azure-ad-b2c-provider.
I know I can setup MFA in the custom policy to make sure that users signing up and signing in are forced to use MFA.
What I want however is to check if the AD users signing up and signing in already have MFA setup on their AD account or not.
If I can do that in my B2C custom policy, I can make sure that we only let in users who have setup MFA in their AD tenant while at the same time preventing users from having to use MFA twice when signing up/signing in to the B2C tenant (once in their AD and once in my B2C).
I would then need a form of conditional access in which I would only allow signup/signin for users who have MFA setup in their AD tenant and blocking users when they dont.
I know that in OpenID Connect there is an amr claim that I can add to the ID Token but as far as I can tell this claim is not available to be used/read in B2C (and so I can't add this claim to the claimsbag in my custom policy). I am aware of this long running thread on Github, regarding the lack of an amr claim in the Microsoft Identity Platform. I am not entirely sure yet if this means B2C can't read/display this claim in a token though.
I cannot imagine that the only option would be to enforce MFA in the B2C for all AD users seeing as though for most of those users this would mean that they would be prompted for MFA twice in a row when signing up/signing in.
Any help/advice regarding this subject would be very much appreciated.
@Sander Koster • Thank you for reaching out.
I tested this scenario in my B2C tenant and below are the steps that I performed to achieve it.
The amr claim is available only in V1 token, so I used the V1 OIDC metadata endpoint in my technical profile for Federated AAD and captured amr claim in this technical profile. I then created a Claims Transformation to set extension_AadMfaDone to true if the amr claim contains mfa in its array. Finally, skipped the MFA orchestration steps if extension_AadMfaDone is True (capital T as it is boolean and not a string).
<ClaimType Id="extension_amr">
<DisplayName>amr</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText/>
</ClaimType>
<ClaimType Id="extension_AadMfaDone">
<DisplayName>AadMfaDone</DisplayName>
<DataType>boolean</DataType>
<UserHelpText/>
</ClaimType>
<ClaimsTransformation Id="CheckIfAadMfaIsDone" TransformationMethod="StringCollectionContains">
<InputClaims>
<InputClaim ClaimTypeReferenceId="extension_amr" TransformationClaimType="inputClaim"/>
</InputClaims>
<InputParameters>
<InputParameter Id="item" DataType="string" Value="mfa"/>
<InputParameter Id="ignoreCase" DataType="string" Value="true"/>
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_AadMfaDone" TransformationClaimType="outputClaim"/>
</OutputClaims>
</ClaimsTransformation>
1. Remove v2.0 from the OIDC Metadata URL so that you get V1 token as V2 token does NOT include the amr claim.
<Item Key="METADATA">https://login.microsoftonline.com/your_tenant.onmicrosoft.com/.well-known/openid-configuration</Item>
2. Add below output claims under the <OutputClaims> of your technical profile:
<OutputClaim ClaimTypeReferenceId="extension_amr" PartnerClaimType="amr" />
<OutputClaim ClaimTypeReferenceId="extension_AadMfaDone"/>
3. Add below Output Claim Transformation under <OutputClaimsTransformations> of your technical profile:
<OutputClaimsTransformation ReferenceId="CheckIfAadMfaIsDone"/>
<OrchestrationStep Order="7" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>isActiveMFASession</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<OrchestrationStep Order="8" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>newPhoneNumberEntered</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
@Sander Koster • Just following up if you had a chance to test it out?
My apologies for the late response. When logged out, the interface does not show that this question got a response so I completely missed it.
First of all I want to thank you for the extensive work you have put in this answer; I was aware that it was possible using the V1 token but to see the actual methodology is very helpful.
Sadly though, the choice was made to not use the V1 endpoints because it is not seen as future proof.
It is recommended that we use V2 endpoints exclusively and we have chosen to follow up on that advice for now.
I want to thank you for the help and detailed instructions. I will definitely use concepts in your code to tackle other scenarios in the future.
*EDIT: I have found that the web apps registered in the b2c tenant (like for instance the IEF Test App that is used to redirect to jwt.ms) can't accept V1 tokens anymore.
This means that when I remove the "v2.0" from the OIDC Metadata URL, that I get an invalid issuer error once I run the signup/signin policy.
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
I have looked into changing the PartnerClaimType of issuerUserId to sub but that did not help either seeing as though the application expects an issuer with V2 endpoint.
@Sander Koster • You don't need to make any changes to the B2C app and keep using V2 endpoint. Just make the changes to the OIDC metadata endpoint in the Technical Profile that you have for the federated Azure AD tenant. Also, make sure that the app (whose client id you have specified in the Technical Profile) is configured as Single-Tenant app.
We are using multi tenancy to give access to a multitude of AD tenants. This means that the app registration (with client id referenced in Technical Profile) has to be Multi-Tenant.
Would the above mentioned approach then only work with Single-Tenant AD connections?
Also, would I also not need to initialize the CheckIfAadMfaIsDone somewhere?
Was thinking of placing <OutputClaimsTransformation ReferenceId="CheckIfAadMfaIsDone" /> in the technical profile of the OIDC claimsprovider but of course I still can't get passed the issuer error.
@Sander Koster • If you are using multi-tenancy, you can create a multi-tenant app but make sure you select Accounts in any organizational directory (Any Azure AD directory - Multitenant) option and NOT the "Multitenant and personal Microsoft accounts" option.
Yes, you need to place <OutputClaimsTransformation ReferenceId="CheckIfAadMfaIsDone" /> in the technical profile of the OIDC claims provider. Sorry I missed mentioning it in my answer earlier but I have updated the third code snippet now with this information.
@Sander Koster • Were you able to get it working?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 57.99999999999999%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
We have a similar requirement but are required to use the "Multitenant and personal Microsoft accounts" option, as we like to support Microsoft accounts for our customers. What we've discovered, is the fact, that the AAD access token actually contains the arm claim. The access token can be copied to a claim by accessing via PartnerClaimType="{oauth2:access_token}". How could we extract the "arm" claim from the access token. We've already tried to use an OrchestrationStep with GetClaims, but had no luck.
Hi @Daniel Bitterlich • Just confirming, you are talking about amr claim and not a different claim name arm.
When you use PartnerClaimType="{oauth2:access_token}", it will store the entire access token in the attribute defined in your custom policy. Rather than parsing this Access Token, I would suggest you create an extension attribute in B2C:
<ClaimType Id="extension_amr">
<DisplayName>amr</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText/>
</ClaimType>
Then update the technical profile that you have for the Azure AD tenant (with "Multitenant and personal Microsoft accounts" app), with below output claim:
<OutputClaim ClaimTypeReferenceId="extension_amr" PartnerClaimType="amr" />
This will add the value of the amr claim from the Azure AD Access Token to extension_amr attribute and add it to the claims bag. You can then use it in any OrchestrationStep within the user journey or pass it to the application as a claim withing the token issued by the B2C tenant.
Hi @AmanpreetSingh-MSFT
Thanks for your answer. Of course it was a spelling error, I'm talking about the amr claim.
To clarify, the OutputClaim statement does collect the claims from both tokens supplied by Azure AD?
Because the claim is not in the ID Token of Azure AD.
I'll try your suggestion and reply with the result.
@Daniel Bitterlich • The amr claim is available in both ID and Access tokens. The only thing to keep in mind is that you have to use V1 endpoint so that you get V1 token. Please refer to this sample auth request that uses V1 endpoint (no V2.0 mentioned in the URL).
To test this, If you access this URL and click on No account? create one! link and sign-in with your Microsoft Account, you will get the ID token with amr claim after successful signup.
@AmanpreetSingh-MSFT - I thought v1 Endpoint is not possible for our setup with Multitenant and personal Microsoft accounts.
If you are using multi-tenancy, you can create a multi-tenant app but make sure you select Accounts in any organizational directory (Any Azure AD directory - Multitenant) option and NOT the "Multitenant and personal Microsoft accounts" option.
Or was this a misinterpretation.
@Daniel Bitterlich • The above statement was not in context with support for the V1 endpoint. You can use V1 endpoint with "Multitenant and personal Microsoft accounts" apps as well.
I think I mentioned that because @Sander Koster wanted users from Azure AD Multi-tenants but not MSA. Most customers keep IDP for AAD (work) Accounts separate from MSA (personal accounts). In that case, the use of "Multitenant and personal Microsoft accounts" apps should be avoided.
@AmanpreetSingh-MSFT - This makes things clearer and the approach is working as expected.
But I have a follow up question on this.
Azure AD doesn't ask for MFA on every interactive sign in by default, even if configured in conditional access and on such logins amr claim doesn't contain "mfa" value.
Is there an option to let Azure AD know, that the user should be forced to do MFA, i.e. by an arc_value?
@Daniel Bitterlich • If a conditional access policy, to requires MFA, is getting applied, users should be prompted to perform MFA on every interactive sign-in. If there are exceptions and users/apps/locations are excluded from the CA Policy, they might not be prompted for MFA. In that case, amr won't contain MFA. You can use the approach I have shared above to check if the amr claim contains MFA or not. If not, then trigger MFA via B2C custom policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 96%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEO%3C/text%3E%3C/svg%3E)
I have a similar setup as OP, and am also getting the error if I use v1 endpoint;
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
I don't really see a way around this; if I use v2 openid-configuration endpoint, logins error because extension_amr is never initialized, if I use https://login.microsoftonline.com/common/.well-known/openid-configuration I get invalid issuer.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 94%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hello @AmanpreetSingh-MSFT ,
I would like to know how to implement Multi-Factor Authentication (MFA) in a multi-tenant sign-in approach. Additionally, could you please clarify in which file I should add the mentioned claim type?
Hello @Sander Koster ,
Would you please provide me the base and extension XML for the above fix?
Thanks in Advance.