Hi @Dyasani, Ranjeeth (NonEmp) • Thank you for reaching out.
I understand you want to sign in to your application via B2C user flow/custom policy after successful 1st-factor authentication and then trigger only the 2nd-factor authentication when making API calls to access secure areas of your applications.
In this case, rather than using 2 separate policies, I would suggest you use only one policy and leverage Conditional Access. In the Conditional Access policy, include the app that is exposed as an API and configure the CA policy to trigger MFA when the API is accessed. On the other hand, as the app is not in the scope of the CA policy, MFA won't be triggered during sign-in to the app.
For your reference, I have created a B2C_1_SuSi-Username policy configured with Conditional Access to protect both the App and the API. You can try performing the steps below in the same sequence:
- Sign up and sign in to the App (click here).
- Use the same policy to get a token for the API within the same browser session (click here).
In this case, the App is not included in the CA policy but the API is included. So, MFA will be triggered only for the API and not for the App.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
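The Conditional Access policy the answer above describes, as an added example that is not part of the original answer: it creates a policy with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) that targets only the API app registration, so MFA is required when a token for the API is requested but not at sign-in to the App. The tenant name, the API's Application (client) ID and the policy display name are placeholders you must replace.

```powershell
# Added example (not from the original answer): create the CA policy described above
# using the Microsoft Graph PowerShell SDK. All identifiers below are placeholders.

$tenantId   = 'contoso.onmicrosoft.com'                 # assumed: your Azure AD B2C tenant
$apiAppId   = '00000000-0000-0000-0000-000000000001'     # assumed: Application (client) ID of the API app registration
$policyName = 'B2C - Require MFA for API access'         # assumed: any display name

# Policy.ReadWrite.ConditionalAccess is the permission needed to create CA policies.
Connect-MgGraph -TenantId $tenantId -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = $policyName
    # Start in report-only mode; switch to 'enabled' once the sign-in logs show the expected matches.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        # Only the API is targeted. The App's client ID is deliberately absent, so
        # sign-in to the App is out of scope and MFA is not required there.
        applications   = @{ includeApplications = @($apiAppId) }
        users          = @{ includeUsers = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy -ErrorAction Stop

# Read the policy back and confirm the API is the only application in scope.
$check   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$inScope = @($check.Conditions.Applications.IncludeApplications)
if ($inScope.Count -ne 1 -or $inScope[0] -ne $apiAppId) {
    throw "Policy $($check.Id) does not target only the API app ($apiAppId)."
}
Write-Host "Created CA policy '$($check.DisplayName)' ($($check.Id)) in state '$($check.State)'."
```

The policy only takes effect for a user flow whose MFA enforcement is set to Conditional (a custom policy needs the Conditional Access technical profiles instead). Keep the policy in report-only mode first and check the Conditional Access tab of the B2C sign-in logs: the token request for the API should show as matching the policy while the sign-in to the App shows no match, which is exactly the behaviour described in the answer above.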