Enable both Phone and ToTP methods in Azure B2C CA via custom policy

Question

Enable both Phone and ToTP methods in Azure B2C CA via custom policy

robcool 116

I'm using Azure B2C to implement MFA via custom policy for external Azure AD IDP.

Can I use Authenticator app in addition to Phone/SMS MFA methods via custom policy ? Or does it need to be either Phone verification or Authenticator app ?

I'm able to successfully implement Phone verification methods (i.e. SMS/Call) via custom policy however, when I added the code for TOTP (from https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml) it doesn't trigger anything rather it always shows the Phone verification method (Call Me, Send Code) instead.

Any pointers would be really helpful.

Thank you.

Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2022-06-20T16:56:34.103+00:00

@robcool
Thank you for reaching out to us.
Yes, there is an option to configure Authenticator app in addition to Phone/SMS MFA methods via custom policy. This feature is in preview. The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app.

As per below article this is possible. This article also shows on how you can set this up in custom policy,
https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-custom-policy#set-multifactor-authentication
robcool 116 Reputation points

2022-06-28T02:04:20.093+00:00

Hi @Sandeep G-MSFT ,

While implementing MFA methods via custom policy, is it possible to have CA policy implemented via native or does it need to via custom policy.

Reason being I need to apply some exclusions for test accounts.

Thanks.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2022-07-04T08:44:30.633+00:00

@robcool

There is no option to implement conditional access policy when you are implementing MFA through custom policy. because you can only configure one source to trigger MFA.
robcool 116 Reputation points

2022-07-06T03:28:27.747+00:00

@Sandeep G-MSFT While triggering MFA via custom policy conditional access implementation, it doesn't consider the user exclusion. I always get the output claim "CAChallengeIsMFA" as "true" even though the user is added to exclusion list in B2C conditional access policy.

Any thoughts as to why this would be happening ?

1 answer

Your answer

Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2022-06-20T16:56:34.103+00:00

@robcool
Thank you for reaching out to us.
Yes, there is an option to configure Authenticator app in addition to Phone/SMS MFA methods via custom policy. This feature is in preview. The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app.

As per below article this is possible. This article also shows on how you can set this up in custom policy,
https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-custom-policy#set-multifactor-authentication
robcool 116 Reputation points

2022-06-28T02:04:20.093+00:00

Hi @Sandeep G-MSFT ,

While implementing MFA methods via custom policy, is it possible to have CA policy implemented via native or does it need to via custom policy.

Reason being I need to apply some exclusions for test accounts.

Thanks.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2022-07-04T08:44:30.633+00:00

@robcool

There is no option to implement conditional access policy when you are implementing MFA through custom policy. because you can only configure one source to trigger MFA.
robcool 116 Reputation points

2022-07-06T03:28:27.747+00:00

@Sandeep G-MSFT While triggering MFA via custom policy conditional access implementation, it doesn't consider the user exclusion. I always get the output claim "CAChallengeIsMFA" as "true" even though the user is added to exclusion list in B2C conditional access policy.

Any thoughts as to why this would be happening ?

Answer 1

Hi @Sandeep G-MSFT
I was able to configure MFA via Conditional access policy using custom policy. However it presents only Phone (SMS/Call) options. Can I add Authenticator app as a method for second factor via custom policy. The below subjourney "MFA-ExtraUserVerification" has only PhoneFactor-InputOrVerify. Is it possible to add MS Authenticator method here ?
<SubJourney Id="MFA-ExtraUserVerification" Type="Call">
<OrchestrationSteps>

<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>newPhoneNumberEntered</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
</OrchestrationSteps>
</SubJourney>

Share via

Enable both Phone and ToTP methods in Azure B2C CA via custom policy

1 answer

Your answer