azure ad b2c MFA

Question

azure ad b2c MFA

asked

testuser7 206

Hello,

In B2C built-in policy, if I have TURNED ON MFA, then we know that while user is signin-up, he will undergo MFA registration.
For eg., if phone-based MFA is turned on, then user will verify his phone-number by getting SMS
Subsequently, whenever he tries to sign-into that app, app will redirect him to B2C to complete the first-factor (through email/password) and second-factor through phone.

I want to know, where is the registered phone number stored in B2C tenant ??
Is it part of the standard "Azure AD authentication methods" that we can access through graph API for eg., GET /users{userId/authentication/phoneMethods/

Thanks.

Answer 1

answered

Alfredo Revilla (MSFT) 15,561 Microsoft Employee

Hello @testuser7 , Azure AD B2C consumer user accounts MFA information is accessible through PowerShell.

Use the following script:

   Connect-MsolService  
   (Get-MsolUser -ObjectId <CONSUMER USER ACCOUNT ID>).StrongAuthenticationUserDetails

The MS Graph List phoneMethods operation is not available for B2C users.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

testuser7 206 Reputation points

2022-06-20T13:14:39.057+00:00

Thanks @Alfredo Revilla (MSFT)

Got it.
So at this point of time listing all the strong-authentication methods that user has registered can not be pulled up through graph api i.e., GET /users/id/authentication/methods Right ??

So I can see that we have mapping for strongAuthenticationPhoneNumber, strongAuthenticationEmailAddress and strongAuthenticationAlternativePhoneNumber
This will take care of email and phone as MFA

However, if I want to design my custom-flow using TOTP based authenticator-app to accomplish MFA, custom-flow needs to store the secretKey in user's profile
I do not find any mapping how I can persist SecretKey in user-profile ??

I need this secretKey to be read in subsequent logins by AAD-TP after confirming that user has registered at least one device through GetAvailableDevices from AzureMfaProtocolProvider

Thanks.
testuser7 206 Reputation points

2022-06-22T13:44:56.527+00:00

Hi @Alfredo Revilla (MSFT) @James Hamil or others,

If I am thinking straight with respect to above point, appreciate if you clarify it so that we can close it.

Thanks.
Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

2022-06-22T21:42:54.35+00:00
Hello @testuser7 .

At this point of time listing all the strong-authentication methods that user has registered cannot be pulled up through MS Graph API.

Values for strongAuthenticationPhoneNumber, strongAuthenticationEmailAddress and strongAuthenticationAlternativePhoneNumber can be read using MSOnline and written only trough user flows or custom policies.

Regarding the storage for secretKey and other custom claims within the user profile, you can resort to Azure AD extensions.
testuser7 206 Reputation points

2022-06-23T11:41:00.07+00:00

I see ...
So Microsoft wants us to create an AAD extension to store secret-key for TOTP

I thought, since this is more secure thing than other business attributes that we always do through extension, B2C might be thinking to extend the strong*** family.

Anyways, I am glad you helped me. Thanks @Alfredo Revilla (MSFT)
Alfredo Revilla (MSFT) 15,561 Reputation points Microsoft Employee

2022-06-23T22:28:22.767+00:00

Or you could store a pointer to the secret key in Azure KeyVault for added security. I'm glad my answer was helpful. If it's not asking too much, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

Answer 2

@Alfredo Revilla (MSFT) yes, keyVault is a good option.

I have one question, though.
In the event of any error message to be shown to the user, we know that Self-asserted UI is the place.
However, if there is NO Self-asserted UI currently displayed, then B2C engine will use the redirect-uri to update the app about the error.

My question is, in which scenario, B2C engine will use the global-exception datauri ??
The doc says that <ContentDefinition Id="api.error"> content definition is to render an error page that displays unhandled errors.

Can you elaborate this unhandled errors and in which situation B2C will take help of APP-REDIRECT-URI VS global-exception URI ??

Thanks.

azure ad b2c MFA

2 answers

Activity