Azure B2C MFA SMS throttling hits after first "resend"

David Neukam 11 Reputation points
2022-04-01T13:38:09.313+00:00

Hello,

We are facing an issue which seems pretty similar to
https://stackoverflow.com/questions/71232536/aad-b2c-mfa-error-when-sending-a-new-code.

When a user presses the "send a new code" link on the PhoneFactor page in Azure AD B2C, the user immediately gets the message "You hit the limit on the number of text messages. Try again shortly.".

This also happens with phone numbers which are used for the first time with this Azure B2C tenant. They cannot hit the limit of 100 SMS codes/phone number/day - it is the first MFA SMS within weeks for the numbers I tested.

I can reproduce the issue with a custom policy but also with a newly generated user flow.
I have exported my user flow here: 189129-mytenantnameonmicrosoftcom-b2c-1-sms-retry-david.xml

Steps to reproduce:

  1. User signs in or signs up and enters their phone number (text message with a code is sent to their number for MFA)
  2. User clicks "send a new code".
  3. Error message "You hit the limit on the number of text messages. Try again shortly." is displayed and user cannot perform any action.

To me, it seems like the throttling always hits if you press "send a new code".

What can be the reason for this?

Thank you for your help!


3 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-04-08T00:43:46.11+00:00

    Hi @David Neukam ,

    Thank you for your question. I understand that users are seeing the throttling error when hitting "send a new code" and seeing the following message:

    "You hit the limit on the number of text messages. Try again shortly."

    There are different MFA limits such as # of SMS per tenant in 15 minutes, # of SMS per IP address in 15 minutes, etc. If those limits are hit, no new SMS verification code will be sent until throttling is lifted for the tenant / IP address, etc.

    Since B2C MFA relies on phone/SMS, there are also external factors that can interrupt the code delivery via SMS, like end user signal strength, carrier, network error, etc. This verification code lives for 180 seconds after it is requested, and if several codes are requested and fail to be redeemed for the reasons mentioned, the account can be temporarily locked.

    If by chance you were testing with the same phone number multiple times in a short period of time, that would cause throttling by the MFA service. (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#multi-factor-authentication-limits)

    Retries aren't allowed when throttled so the users will have to restart the sign in so that the SMS verification text box is not going to be displayed.

    You can also try the workaround mentioned in the Stack Overflow thread you linked, or share your HAR trace to make it easier to diagnose the precise issue.

    Let me know if this helps.


    If this answer was helpful to you, please mark it as answer so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.

  2. Pawan Nepal 6 Reputation points
    2022-08-01T04:38:32.47+00:00

    Hi @David Neukam, were you able to solve this issue? I am getting the same message when I hit the send code for the second time. How were you able to fix this issue? It would be highly appreciated if you could share it.

    1 person found this answer helpful.

  3. David Neukam 11 Reputation points
    2022-08-02T13:33:15.217+00:00

    Best solution is - after an MSFT support call - to implement a Custom JavaScript solution:

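        // Hides the "send a new code" link for 35 seconds after the first code
        // has been requested. Requires jQuery to be loaded on the page.
        function disableResendSmsForSomeSeconds() {
            $("#sendCode").click(function (e) {
                // Shortly after the click, swap the retry link for a
                // non-clickable copy of its text.
                setTimeout(function () {
                    console.info("Disabling Resend-Link for some seconds");
                    var text = $("#retryCode").text();
                    // Set the label with .text() instead of concatenating it into HTML.
                    $("<span>", { id: "retryCodeText", "class": "isDisabled" })
                        .text(text)
                        .insertBefore("#retryCode");
                    $("#retryCode").hide();
                }, 20);

                // Restore the real link once the waiting period has passed.
                setTimeout(function () {
                    console.info("Enabling Resend-Link");
                    $("#retryCodeText").remove();
                    $("#retryCode").show();
                }, 35000);
            });
        }
        disableResendSmsForSomeSeconds();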
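
A jQuery-free variant of the cooldown in the answer above, as an added example that is not part of the original post and not Microsoft's code. It goes beyond the posted snippet by starting a new cooldown after every resend as well as after the first send. The ids `sendCode` and `retryCode` and the 35-second delay come from the post; the names `createResendGate` and `attachResendGate`, and the assumption that the resend is triggered by a click on `#retryCode`, are illustrative.

```javascript
// Added example: cooldown gate for the "send a new code" link.
// Assumption: a click on #sendCode or #retryCode requests an SMS code.
function createResendGate(cooldownMs, now = Date.now) {
  let lastSentAt = null; // time of the most recent send or resend

  // Milliseconds until a resend is allowed again (0 means allowed).
  const remainingMs = () =>
    lastSentAt === null ? 0 : Math.max(0, lastSentAt + cooldownMs - now());

  // Record a send and start a new cooldown window.
  const markSent = () => { lastSentAt = now(); };

  // Returns true and re-arms the cooldown if a resend is allowed, else false.
  const tryResend = () => {
    if (remainingMs() > 0) return false;
    markSent();
    return true;
  };

  return { markSent, remainingMs, tryResend };
}

// Browser wiring. Returns false if the expected elements are not on the page.
function attachResendGate(doc, gate) {
  const send = doc.getElementById("sendCode");
  const retry = doc.getElementById("retryCode");
  if (!send || !retry) return false;

  send.addEventListener("click", () => gate.markSent());

  // Listen on the document in the capture phase so a blocked click is
  // stopped before it reaches any handler on the link itself.
  doc.addEventListener("click", (e) => {
    if (!retry.contains(e.target) || gate.tryResend()) return;
    e.preventDefault();
    e.stopPropagation();
  }, true);
  return true;
}

// Only wire up when running in a page (skipped under Node).
if (typeof document !== "undefined") {
  attachResendGate(document, createResendGate(35000));
}
```

`remainingMs()` can also drive a visible countdown next to the link, so users see why the resend is unavailable.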
    
