azure ad b2c MFA

asked 2022-06-17T14:24:37.48+00:00
testuser7 206 Reputation points


In B2C built-in policy, if I have TURNED ON MFA, then we know that while user is signin-up, he will undergo MFA registration.
For eg., if phone-based MFA is turned on, then user will verify his phone-number by getting SMS
Subsequently, whenever he tries to sign-into that app, app will redirect him to B2C to complete the first-factor (through email/password) and second-factor through phone.

I want to know, where is the registered phone number stored in B2C tenant ??
Is it part of the standard "Azure AD authentication methods" that we can access through graph API for eg., GET /users{userId/authentication/phoneMethods/


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,580 questions
Azure Active Directory External Identities
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2022-06-18T00:23:37.337+00:00
    Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

    Hello @testuser7 , Azure AD B2C consumer user accounts MFA information is accessible through PowerShell.

    Use the following script:

       (Get-MsolUser -ObjectId <CONSUMER USER ACCOUNT ID>).StrongAuthenticationUserDetails  

    The MS Graph List phoneMethods operation is not available for B2C users.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

  2. answered 2022-06-24T16:59:55.397+00:00
    testuser7 206 Reputation points

    @Alfredo Revilla (MSFT) yes, keyVault is a good option.

    I have one question, though.
    In the event of any error message to be shown to the user, we know that Self-asserted UI is the place.
    However, if there is NO Self-asserted UI currently displayed, then B2C engine will use the redirect-uri to update the app about the error.

    My question is, in which scenario, B2C engine will use the global-exception datauri ??
    The doc says that <ContentDefinition Id="api.error"> content definition is to render an error page that displays unhandled errors.

    Can you elaborate this unhandled errors and in which situation B2C will take help of APP-REDIRECT-URI VS global-exception URI ??


    No comments