I was hoping to switch the locale used in the Azure MFA "Call Me" function used in Azure AD B2C to en-GB rather than the default en-US (refers to "pressing the pound sign" which isn't a term we use in the UK). It seems the best you can hope for is just a default English language with no regional/sub-culture options.
The backup plan is to record our own Greeting(s). However the option to add your own greetings is grayed-out:
Does anyone know what precondition must be satisfied so I can access the "+ Add greeting" link?
This is a list of all supported languages for multi-factor authentication (MFA) notifications. The language is selected by the ui_locales query parameter presented in the URL, or by the browser language preference set by the user.
That MFA blade (your image) isn't entirely supported by Azure AD B2C. Review the primary documentation on Customize language.
Azure AD B2C does support connecting to a third-party MFA solution, where you can add services such as a customized voice.
I recently added an Azure AD B2C tenant to an existing subscription.
Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:
After clicking Next I can only select Mobile app from the dropdown to verify my account. There is no option to verify by phone.
Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:
This brings up an error message without Correlation ID or timestamp:
There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.
MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.
Questions:
How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
If MFA cannot be disabled, how can I register my device or phone number?
Thx,
The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did.
Anyway, here are the steps I took:
1. On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication. (It's in the top menu.) The Multi-Factor Authentication page opens in a new browser window.
2. Enable MFA for the user account with the issue.
3. Log on with that account on account.activedirectory.windowsazure.com.
4. Click your account in the top-right corner to open a dropdown menu and select Profile.
5. Select 'Additional Security Verification'. All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
6. Complete the Additional Security Verification and make sure MFA works.
7. Go back to Azure AD > Users > Multi-Factor Authentication, and Disable MFA again.
In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.
MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.
The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.
I think your answer @flip is part of the riddle. You're in effect pre-registering your phone number so when forced to set up MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.
For example if you log on to a device as a local user and join AAD as illustrated you can get both scenarios. I think the same is true for new build as in a previous Test we had to enter a mobile number but I can't recall exactly which scenario.
However, after several more days with Azure support we've managed to isolate root cause if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.
In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.
Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.
I think we may have partly figured this out. In our instance, disabling MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an Intune subscription either, but this is under AAD > Mobility (MDM and MAM). It does mean, however, that devices aren't enrolled, so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!
An Azure AD tenant comes with Security Defaults enabled. You will have to disable this setting in the directory:
Active directory > Properties > Manage security defaults > toggle to No
This will disable the default MFA setup.
I want to integrate Multi-Factor Authentication (MFA) through Azure Active Directory (AD). I checked its documentation and some code samples, and learned that Azure AD B2C has some features which suit my requirement.
NOTE - I only need the MFA feature from Azure AD B2C.
I tried the sample code provided in the official docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa
But I have some queries:
1) Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?
2) In Azure B2C, can I control the user flow with information from my website, so that the email and phone number used during the user flow are those from my website? (I am asking because according to my plan I am going to integrate it after the login process on my website.)
3) There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)
4) Where can I decide which type of user will be registered? The code which I have tried doesn't mention the user type. (Actually I want to know whether there is any parameter or option in the user flow which decides the type of user that will be registered through this flow.)
Any help or suggestions will be helpful for me,
Thanks in advance,
1. Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?
Yes, you can restrict new users to sign in and sign up using MFA. For that you need to enable MFA. It's global MFA for all.
See the screenshot below.
Note: You can also implement MFA for each individual user.
See the screenshot below for individual MFA.
Once you implement MFA you would be prompted to verify your phone number like below.
Note: For testing the MFA user flow you need a native application in the application drop-down.
See the screenshot below.
2. In Azure B2C, can I control the user flow with information from my website, so that the email and phone number used during the user flow are those from my website? (I am asking because according to my plan I am going to integrate it after the login process on my website.)
Yes, you can customize your user flow. You can add a new user flow according to your needs.
To do that, choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
Then, in the left menu, select User flows, and then select New user flow.
See the screenshot below:
3. There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)
In short, the Work account has more privileges in the B2C tenant, as the official document says. A consumer account cannot access some resources on the portal. For accessing the Microsoft Graph API, a Guest user has some restrictions even on the Azure portal.
Note: As per your requirement I would suggest you go with a Work account, which has some benefits when you access the Microsoft API.
Though the account type mostly depends on your business needs, the Work account is more useful comparing all aspects.
Let's say you want to add some users who are already registered with some other organization, but you need to add them to your particular application's privileges. Then you need to add the user with Guest privileges.
4. Where can I decide which type of user will be registered?
Though the question is a bit confusing, as I said earlier it would depend on your business needs. A Work account is usually best for tenant users. So when you feel a new user needs to be added within your tenant, go with a Work account. Once you specify your needs it would definitely be easier for you to decide which kind of user you need to add. There is no such reference which can explain this well up to now.
Note: You could try adding all the user types to check how the user accounts behave when using the portal and accessing resources.
I know there are a lot of examples over the web that explain how the administrator of an Azure AD can configure self service password reset for users in the classic portal. However, I am working on the new Azure portal and am not sure if the same feature is available in the new portal. If it is possible then please point me to some example explaining the same. Thanks.
There are two ways to achieve password reset in Azure AD B2C.
The simplest one is via the Sign-In Policy which uses the out-of-the-box password reset. This is the one I believe you're asking about. To enable that one in the new portal:
1. Go to the Azure portal.
2. On the left menu, click on More Services >.
3. Search for Azure Active Directory and click on it.
4. Select Password Reset.
5. The Properties blade will open automatically; there should be a single Self Service Password Reset Enabled button. Change it to Everybody and click on Save.
Alternatively, you can configure self-service password reset via the Sign-up/sign-in Policy which requires extra work by the application, but allows you greater flexibility with regards to customizing the UI. For more information on that approach, check out this other StackOverflow post: ad b2c self service password reset link doesn't work
I am currently working on a B2C setup for my company.
In our Azure AD account, I have an email, say myemail@mycompany.com, which has a password.
I also have a Microsoft Live account using the same email, myemail@mycompany.com, which has a different password.
I have created a B2C setup using the following documentations.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-setup-msa-app/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/
After doing the B2C set up, I am able to obtain a link, below is an example.
https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin1&client_Id=&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post&scope=openid&response_type=id_token&prompt=login
In my Azure setup, I already have both emails (Azure AD and Microsoft Live) added to my list of users.
My problem is, when I use the link generated from my B2C setup, it only seems to allow me to sign in using the Microsoft Live account (which has a different password from my Azure AD account).
Is there a way, or a configuration, which will allow my B2C setup to invoke the sign in page to choose either my Personal (Microsoft Live account) or work or school (Azure AD) account?
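As an added example that is not code from the question, the answers or Microsoft: a Python review of the authorize link quoted above, plus a helper that sets the ui_locales parameter mentioned in the first answer on this page. The registered reply URL list and the minimum nonce length are the example's own assumptions.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed copy of the authorize link quoted in the question: client_Id is blank
# and nonce is the portal's "defaultNonce" placeholder, exactly as on the page.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize"
    "?p=B2C_1_signin1&client_Id=&nonce=defaultNonce"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post"
    "&scope=openid&response_type=id_token&prompt=login"
)


def _query(url):
    """Query parameters as a dict; keys lower-cased so client_Id and client_id compare equal."""
    return {k.lower(): v for k, v in parse_qsl(urlparse(url).query, keep_blank_values=True)}


def review_authorize_request(url, registered_reply_urls):
    """Return the findings a reviewer would raise before this sign-in link is used in production."""
    q = _query(url)
    findings = []
    if not q.get("client_id"):
        findings.append("client_id is empty: fill in the B2C application (client) ID")
    nonce = q.get("nonce", "")
    if nonce in ("", "defaultNonce") or len(nonce) < 16:  # 16 is an assumed minimum
        findings.append("nonce is a fixed placeholder: send a random per-request value and "
                        "check it against the nonce claim of the returned id_token")
    reply = q.get("redirect_uri", "")
    parsed = urlparse(reply)
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        findings.append("redirect_uri is not https")
    if reply not in registered_reply_urls:
        findings.append("redirect_uri is not in the registered reply URL list")
    if "id_token" in q.get("response_type", "").split() and "openid" not in q.get("scope", "").split():
        findings.append("response_type id_token requires the openid scope")
    return findings


def fresh_nonce():
    """Unpredictable per-request nonce; store it in the session and compare on callback."""
    return secrets.token_urlsafe(32)


def with_ui_locale(url, locale):
    """Add or replace ui_locales so B2C renders sign-in and MFA text in the requested language."""
    parts = urlparse(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k.lower() != "ui_locales"]
    pairs.append(("ui_locales", locale))
    return urlunparse(parts._replace(query=urlencode(pairs)))
```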
At the moment, B2C does not properly support work accounts from AAD (ironic, eh?). You're correct in that personal accounts from MSA work just fine.
In B2C, you can add "local accounts" as an IDP, which will allow users listed in your tenant to sign into the app. I can't actually recall if that local account option allows you to sign in with a work account in your B2C tenant. You could give it a try if that's what you need. Most people however need proper support for AAD tenants, where work accounts are a dedicated option on the "IDP selection" screen. B2C doesn't have that today.
I do have a scratched together sample .NET app on my GitHub that shows how you can add support for work accounts and B2C in the same app. It's not pretty, but it works.
As for the same email/different password problem. Even adding the above support won't help. We don't expect that users will really be able to decipher a "work Microsoft account" button from a "personal Microsoft account" button. So, we are doing work to eliminate these situations, by limiting the number of users who get into such a situation and by providing an account linking option for those that are.
We do plan to support AAD work accounts in the near future. Sometimes your own family members are the hardest to work with.
If you feel so inclined, you can add your feature requests to https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c
I have a web application that I need to secure.
We phased the development tasks/epics to help the focus and meet the deadlines:
Phase 1:
User authentication/authorization from active directory
Custom login page
Custom user names (let users choose something like "John Doe" as a user name, I mean, spaces, no email address format)
Phase 2:
External active directory integration (Federation Services)
Phase 3:
Open ID integration for users (Microsoft account, Facebook account, ...)
Additional info:
We have created a Windows Azure Active Directory, but that seems to be problematic with both the user name and the login page. WAAD was chosen as it removes the pain of having to create a "custom" user management platform and because of the "as a service" approach.
I can't find anybody doing this on the web.
Would anybody have an idea to know how to start based on the requirements?
I would recommend starting by reading up on the Claims-based Identity model. The current version of WIF (Windows Identity Framework) supports claims based identity.
In a nutshell this model is much more extensible (say Federation) and you don't have to worry about the nitty gritty details of security code. You can start using claims now against your existing AD and then easily move to phase 2 and 3 by just pointing to, or adding, a new identity provider that you 'trust'.
Azure AD will enable your customers to be able to sign in to your application using their on-premises (federated) AD identities or pure cloud managed identities (many O365 customers are pure cloud managed). Consumer IdP federation (MSA, Facebook, Google) isn't available with Azure AD yet - but it is something that is on our radar. Azure AD customers can already customize the sign-in page to add branding of their Organization - however the customization of sign-in page per application isn't available yet (also on our radar).
I am curious about the requirement of having arbitrary strings as username - why is this so important?
thanks