azure ad b2c MFA

testuser7 286 Reputation points
2022-06-17T14:24:37.48+00:00

Hello,

In the B2C built-in policy, if I have TURNED ON MFA, then we know that while the user is signing up, he will undergo MFA registration.
For eg., if phone-based MFA is turned on, then the user will verify his phone number by getting an SMS.
Subsequently, whenever he tries to sign into that app, the app will redirect him to B2C to complete the first factor (through email/password) and the second factor through phone.

I want to know, where is the registered phone number stored in the B2C tenant?
Is it part of the standard "Azure AD authentication methods" that we can access through the Graph API, for eg., GET /users/{userId}/authentication/phoneMethods

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-06-18T00:23:37.337+00:00

    Hello @testuser7 , Azure AD B2C consumer user accounts' MFA information is accessible through PowerShell.

    Use the following script:

       Connect-MsolService
       (Get-MsolUser -ObjectId <CONSUMER USER ACCOUNT ID>).StrongAuthenticationUserDetails


    The MS Graph List phoneMethods operation is not available for B2C users.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.
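    Building on the MSOnline cmdlets in the answer above, the following added example (not part of the answer or of Microsoft's documentation) turns the one-user lookup into a tenant-wide report of which consumer accounts have a phone registered for MFA, masking the numbers so the output can be shared. It assumes the MSOnline module is installed, that Connect-MsolService has been run against the B2C tenant, and that the user object exposes StrongAuthenticationUserDetails.PhoneNumber and StrongAuthenticationMethods[].MethodType as named below.

```powershell
# Added example: report MFA phone registration across B2C consumer users.
# Assumptions: MSOnline module present; Connect-MsolService already run against the
# B2C tenant; StrongAuthenticationUserDetails / StrongAuthenticationMethods expose the
# properties referenced below.
function Get-B2cMfaPhoneReport {
    param(
        # Optional: restrict to one account by object id; otherwise enumerate all users.
        [string]$ObjectId
    )

    $users = if ($ObjectId) { Get-MsolUser -ObjectId $ObjectId } else { Get-MsolUser -All }

    foreach ($u in $users) {
        $details = $u.StrongAuthenticationUserDetails
        $phone   = if ($details) { $details.PhoneNumber } else { $null }

        # Keep only the last two digits so the report does not expose full numbers.
        $masked  = if ($phone) { $phone -replace '\d(?=\d{2})', '*' } else { '<none>' }

        # Registered second-factor method types (e.g. OneWaySMS, TwoWayVoiceMobile).
        $methods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','

        [pscustomobject]@{
            ObjectId    = $u.ObjectId
            DisplayName = $u.DisplayName
            MfaPhone    = $masked
            MfaMethods  = $methods
            HasMfaPhone = [bool]$phone
        }
    }
}

# Usage: show accounts that completed sign-up but have no MFA phone on record.
Connect-MsolService
Get-B2cMfaPhoneReport | Where-Object { -not $_.HasMfaPhone } | Format-Table -AutoSize
```

    Drop the Where-Object filter to see the full inventory, including the registered method types for each account.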

  2. testuser7 286 Reputation points
    2022-06-24T16:59:55.397+00:00

    @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA yes, keyVault is a good option.

    I have one question, though.
    In the event of any error message to be shown to the user, we know that the Self-asserted UI is the place.
    However, if there is NO Self-asserted UI currently displayed, then the B2C engine will use the redirect-uri to update the app about the error.

    My question is, in which scenario will the B2C engine use the global-exception data URI?
    The doc says that <ContentDefinition Id="api.error"> content definition is to render an error page that displays unhandled errors.

    Can you elaborate on these unhandled errors and in which situation B2C will use the APP-REDIRECT-URI vs. the global-exception URI?

    Thanks.

