For our B2C tenant, we want to let our customers make use of the Microsoft Authenticator app. When doing research, we noticed that it was not possible to add the Authenticator app for existing users without disabling phone/text message authentication.
This is not an acceptable situation for us, since that means that someone with customer credentials can take over the enrolment flow.
A MS engineer suggested the following:
The desired situation should be possible with a "Registration campaign" - https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/RegistrationCampaign
Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator.
However, we enabled this option as described in the documentation, but after an existing user signs in, no Authenticator app flow is started.
Does someone have experience with how we can make this work?
As far as I know, if existing users don't receive the Authenticator app approval even after enabling MFA, please try the steps below:
There is a chance that your users selected "Stay signed in" while logging into their accounts. By doing this, their devices will be treated as remembered devices, which suspends MFA.
While enabling MFA, if you set "Remember MFA on trusted device", then the user won't get prompts until the duration expires.
To resolve the issue, try clearing all old session history by enabling "Revoke MFA sessions".
If the issue still persists, try enabling "Re-register MFA", which asks the users to set up a new MFA authentication method when they sign in.
For more reference, please find the links below:
Enable multifactor authentication in Azure Active Directory B2C
Manage user authentication options
Related
I am stuck at this issue while sending a request for Azure Active Directory authentication from ASP.NET, using UserPasswordCredential. I get this error:
{
"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'
Note: MFA is enabled.
Does anyone know why this issue occurs? How can I ignore MFA authentication while authenticating from the API side?
Is there any policy to handle MFA authentication?
The documentation for UsernamePasswordCredential Class clearly states this will not work:
Enables authentication to Azure Active Directory using a user's username and password. If the user has MFA enabled this credential will fail to get a token throwing an AuthenticationFailedException. Also, this credential requires a high degree of trust and is not recommended outside of prototyping when more secure credentials can be used.
For an alternative solution, please see the documentation on Managed identities for Azure resources.
I am using Azure services and Azure AD Free (my personal account).
I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users.
When I sign in to the Azure Portal with the Global Admin, sometimes I do not get prompted for MFA; maybe this is because the browser sends a cookie? Or maybe because MFA is not always triggered?
Also, if I open an incognito window, I get prompted for a code, received via email. My question here is: why email? As per the MFA AAD doc, the email method is NOT an MFA channel!
Please check whether the following are the reasons behind not getting the prompt for second verification even though MFA is enabled:
Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft mostly suggests excluding the global admin account while enabling MFA. If you have done that, remove your account from the exception group.
There is also a possibility that you selected the checkbox saying "Stay signed in" while logging into your account. Then it will treat your device as a remembered device and suspend MFA. Also, please check in the screenshot below whether you have enabled the "Remember MFA on trusted device" option. If you enabled that, you won't get prompts until the number of days you have given expires.
To remove all those sessions, enable "Revoke MFA sessions", which clears all remembered session history and asks for second verification.
As you already mentioned, MFA code won’t be sent via email.
From this Microsoft doc:
Email address is only used for Self-Service Password Reset (SSPR), not for authentication.
There is also a possibility that your password has expired and it's sending you a code to your email to reset it, as you have given it as a recovery option.
NOTE:
As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA based on factors such as location, device, role and task.
For example, if you are accessing from a different location that seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.
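The two answers above both boil down to the same question: when a user is not prompted, was MFA never required for that sign-in (exclusion group, no policy applied), or was it required and silently satisfied by a remembered session ("Stay signed in" / "Remember MFA on trusted device")? The quickest way to tell them apart is the sign-in log. The following is an added example (not code from either answer) that reads log entries in the shape of the Microsoft Graph signIn resource (authenticationRequirement, conditionalAccessStatus, authenticationDetails[].authenticationStepResultDetail, mfaDetail) and maps each entry to one of those causes. The entries at the bottom are constructed for the example, not exported from a real tenant.

```python
"""Triage helper for "MFA is on but nobody got prompted".

Added example, not code from the answers above. Field names follow the
Microsoft Graph signIn resource; the sample entries are constructed.
"""
from typing import Any

# Substrings Azure AD writes into authenticationStepResultDetail when the
# second factor was satisfied without a fresh prompt.
_TOKEN_CLAIM = "satisfied by claim in the token"                      # remembered MFA / KMSI session
_EXTERNAL_CLAIM = "satisfied by claim provided by external provider"  # federated IdP did MFA


def mfa_prompt_reason(entry: dict[str, Any]) -> str:
    """Return a short diagnosis for one sign-in log entry."""
    requirement = entry.get("authenticationRequirement")
    ca_status = entry.get("conditionalAccessStatus")
    steps = entry.get("authenticationDetails", [])
    details = " ".join(s.get("authenticationStepResultDetail", "") for s in steps)

    if requirement == "singleFactorAuthentication":
        if ca_status == "notApplied":
            return "no MFA required: no policy applied (check exclusion groups / per-user MFA state)"
        return "no MFA required: policy evaluated but did not demand a second factor"

    # From here on a second factor was required for this sign-in.
    if _TOKEN_CLAIM in details:
        return "MFA satisfied by remembered session: revoke MFA sessions / re-register MFA"
    if _EXTERNAL_CLAIM in details:
        return "MFA satisfied by federated identity provider, not by Azure AD"
    if entry.get("mfaDetail", {}).get("authMethod"):
        return f"user was prompted ({entry['mfaDetail']['authMethod']})"
    return "MFA required but no completed second factor recorded (sign-in may have failed)"


def triage(entries: list[dict[str, Any]]) -> dict[str, str]:
    """Diagnose every entry, keyed by userPrincipalName."""
    return {e["userPrincipalName"]: mfa_prompt_reason(e) for e in entries}


# Constructed sample entries (not real tenant data).
SAMPLE_SIGNINS = [
    {   # Global admin sitting in the exclusion group: no policy applied at all
        "userPrincipalName": "admin@contoso.example",
        "authenticationRequirement": "singleFactorAuthentication",
        "conditionalAccessStatus": "notApplied",
        "authenticationDetails": [{"authenticationMethod": "Password",
                                   "authenticationStepResultDetail": "Correct password"}],
    },
    {   # "Remember MFA on trusted device" / stay-signed-in session still valid
        "userPrincipalName": "alice@contoso.example",
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Previously satisfied",
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
    {   # A genuine prompt
        "userPrincipalName": "bob@contoso.example",
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success",
        "mfaDetail": {"authMethod": "Mobile app notification"},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Mobile app notification",
             "authenticationStepResultDetail": "MFA completed in Azure AD"},
        ],
    },
]

if __name__ == "__main__":
    for upn, why in triage(SAMPLE_SIGNINS).items():
        print(f"{upn}: {why}")
```

Feed it the JSON you export from the sign-in logs blade (or Graph's auditLogs/signIns) for the affected user; a "singleFactorAuthentication / notApplied" result means the fix is in policy scope, while a "claim in the token" result means the remembered session is doing exactly what it was configured to do and "Revoke MFA sessions" is the right lever.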
I'm using Office 365 Business Premium for my test. Since a couple of days ago, I've been getting a prompt for an authentication code (see below) after entering my password when I try to sign in.
MFA prompt
It seems like MFA became enabled suddenly, although I didn't do any such configuration. I suspect my account may possibly have been violated.
Is there any way to recover from this situation?
Thanks
Kaypyosh
If you lost your phone, you will need to reach out to your administrator to reset your information.
The Authenticator app is designed so that you have to prove your identity, so it will require the admin reset if Authenticator MFA is enforced.
If you are the only global admin on the tenant, then you can reach the Azure data protection team to get this resolved.
Azure Data Protection number (866-807-5850)
However, if there is a second global admin, you will need to reach out to that person to reset the settings. Please refer to this similar one
Only the global admin is able to set up or modify MFA.
You can turn off MFA by following the steps:
1. Go to the Office 365 admin center.
2. Go to Users > Active users.
3. Choose More > Setup Azure multi-factor auth.
4. Check your account.
5. Click Disable on the right.
Please check here
I am trying to switch directories in Azure, but it prompts me to approve the request in the Authenticator application. However, I have removed that entry from the Authenticator application.
When I try to sign in a different way, it still prompts me to use the Authenticator app.
It seems that you did not set a phone number at the last step when you added the Authenticator.
So, just as #juunas mentioned in the comment, you need to contact other admins to reset your MFA settings from the Azure portal:
You can set up your Authenticator again by going to https://aka.ms/mfasetup, but you probably need to have your AAD administrator require re-registering MFA again, since you won't be able to log in there without MFA if you are not already logged in.
I would like to pre-register a limited number of users which can use my application.
These are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address by himself (no #app.onmicrosoft.com login).
Now I'm having trouble getting all requirements fulfilled together.
I was able to preregister #app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails at #app.onmicrosoft.com, a password-reset policy would not make sense. I tried to specify an alternate email and a phone number in the user profile, but unfortunately the password-reset policy is not using them for verification.
Let's say I create a sign-up policy: this is nice, the user chooses his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected that until I assign a user to this application, the user would not get a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a Microsoft account, and resetting passwords would be solved through Microsoft, but unfortunately no redirect to the Microsoft login happens after entering the Microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
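The security-critical piece of the invitation scenario in the answer above is the "signed redemption link": the pre-registered local account is useless to anyone who cannot present a link the invitation service actually issued, and the link must stop working after a while so a leaked mailbox does not become a permanent way in. The following is an added example, not the code from the linked sample, and it assumes a hypothetical scheme of its own: the link carries the invited email plus an expiry, authenticated with HMAC-SHA256 under a key only the invitation service holds, and REDEMPTION_BASE stands in for whatever endpoint forwards the user to the password-reset policy. Only the Python standard library is used.

```python
"""Signed, time-limited redemption link for pre-registered B2C local accounts.

Added example; not the code from the sample the answer links to. The scheme
(HMAC-SHA256 over a JSON payload, base64url in the query string) and the
REDEMPTION_BASE URL are assumptions made for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

REDEMPTION_BASE = "https://app.example/invite/redeem"   # placeholder, not a real endpoint
LINK_TTL_SECONDS = 24 * 3600                             # invitations die after one day


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_redemption_link(email: str, key: bytes, now: Optional[int] = None) -> str:
    """Build a link whose payload (email + expiry) is authenticated by an HMAC tag."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"email": email, "exp": issued + LINK_TTL_SECONDS},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{REDEMPTION_BASE}?{urlencode({'p': _b64u(payload), 's': _b64u(tag)})}"


def verify_redemption_link(link: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the invited email if the link is authentic and unexpired, else None."""
    query = parse_qs(urlparse(link).query)
    try:
        payload = _unb64u(query["p"][0])
        tag = _unb64u(query["s"][0])
    except (KeyError, ValueError):          # missing parameter or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check, before trusting the JSON
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        return None
    return claims.get("email")


if __name__ == "__main__":
    demo_key = b"demo-key-not-for-production"
    link = make_redemption_link("invitee@contoso.example", demo_key)
    print(link)
    print("verified as:", verify_redemption_link(link, demo_key))
```

The verifier checks the tag before it parses anything, so a tampered payload never reaches the JSON decoder, and the expiry is carried inside the signed payload so it cannot be extended by editing the URL. What this scheme deliberately does not do is make links single-use; if the redemption must be one-shot, the service has to record redeemed links (or rotate a per-user nonce stored on the B2C account) on its side.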