This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 37%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I'm using Azure B2C to implement MFA via custom policy for external Azure AD IDP.
Can I use Authenticator app in addition to Phone/SMS MFA methods via custom policy ? Or does it need to be either Phone verification or Authenticator app ?
I'm able to successfully implement Phone verification methods (i.e. SMS/Call) via custom policy however, when I added the code for TOTP (from https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml) it doesn't trigger anything rather it always shows the Phone verification method (Call Me, Send Code) instead.
Any pointers would be really helpful.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
@robcool
Thank you for reaching out to us.
Yes, there is an option to configure Authenticator app in addition to Phone/SMS MFA methods via custom policy. This feature is in preview. The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app.
As per below article this is possible. This article also shows on how you can set this up in custom policy,
https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-custom-policy#set-multifactor-authentication
Hi @Sandeep G-MSFT ,
While implementing MFA methods via custom policy, is it possible to have CA policy implemented via native or does it need to via custom policy.
Reason being I need to apply some exclusions for test accounts.
Thanks.
There is no option to implement conditional access policy when you are implementing MFA through custom policy. because you can only configure one source to trigger MFA.
@Sandeep G-MSFT While triggering MFA via custom policy conditional access implementation, it doesn't consider the user exclusion. I always get the output claim "CAChallengeIsMFA" as "true" even though the user is added to exclusion list in B2C conditional access policy.
Any thoughts as to why this would be happening ?
Hi @Sandeep G-MSFT
I was able to configure MFA via Conditional access policy using custom policy. However it presents only Phone (SMS/Call) options. Can I add Authenticator app as a method for second factor via custom policy. The below subjourney "MFA-ExtraUserVerification" has only PhoneFactor-InputOrVerify. Is it possible to add MS Authenticator method here ?
<SubJourney Id="MFA-ExtraUserVerification" Type="Call">
<OrchestrationSteps>
<!-- MFA phone
Note: It's recommanded it a phone number isn't registred to block the user -->
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>newPhoneNumberEntered</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
</OrchestrationSteps>
</SubJourney>