MFA automatically enabled on Azure AD B2C tenant - azure-ad-b2c

I recently added an Azure AD B2C tenant to an existing subscription.
Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:
After clicking Next I can only select Mobile app from the dropdown to verify my account. There is no option to verify by phone.
Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:
This brings up an error message without Correlation ID or timestamp:
There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.
MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.
Questions:
How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
If MFA cannot be disabled, how can I register my device or phone number?
Thx,

The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did.
Anyway, here are the steps I took:
On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication.
(It's in the top menu.)
The Multi-Factor Authentication page opens in a new browser window.
Enable MFA for the user account with the issue.
Log on with that account on account.activedirectory.windowsazure.com.
Click your account in the top-right corner to open a dropdown menu and select Profile.
Select 'Additional Security Verification'.
All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
Complete the Additional Security Verification and make sure MFA works.
Go back to Azure AD > Users > Multi-Factor Authentication, and Disable MFA again.
In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.
MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.
The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.

I think your answer @flip is part of the riddle. You're in effect pre-registering your phone number so when forced to set up MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.
For example if you log on to a device as a local user and join AAD as illustrated you can get both scenarios. I think the same is true for new build as in a previous Test we had to enter a mobile number but I can't recall exactly which scenario.
However, after several more days with Azure support we've managed to isolate root cause if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.
In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.
Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.

I think we may have partly figured this out. In our instance, disabling MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an Intune subscription either, but this is under AAD > Mobility (MDM and MAM). It does mean, however, that devices aren't enrolled, so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!

An Azure AD tenant comes with security defaults settings. You will have to disable this setting in Active Directory:
Active Directory > Properties > Manage security defaults > toggle to No
This will disable the default MFA setup.

Related

Stuck in a "Help us protect your account" page loop with enabled MFA

I am an administrator with enabled MFA in my own Azure B2C tenant. And suddenly one day I was not able to sign in to that tenant. Just stuck on the page "Help us protect your account". Buttons "Next" and "Skip for now..." just redirect back to this page.
I tried to check for this same error in my environment. This error may occur if your administrator has enabled security defaults ('Yes') on your tenant; alternatively, you can use Azure AD Multi-Factor Authentication with the Microsoft Authenticator app using notifications.
To get rid of the screen you can disable security defaults like below:
Go to Azure portal -> Azure Active Directory -> Properties -> Manage security defaults -> No -> Save, as below
After disabling security defaults, I am able to access the page successfully, as below
Reference: multi-factor authentication (MFA) and blocking legacy authentication.
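The portal steps in the two answers above (Manage security defaults -> No) can also be done, and verified, from Microsoft Graph PowerShell. The script below is an added example, not code from either answer. It assumes the Microsoft.Graph.Identity.SignIns module (SDK v2, for the -NoWelcome switch) is installed and that the signed-in account is a Global or Security Administrator in the target tenant; the tenant name is a placeholder. Before switching Security Defaults off it counts Conditional Access policies, because Security Defaults and Conditional Access are mutually exclusive: a tenant with neither, which is exactly the no-Premium situation the questioner describes, has no MFA requirement left for its admins.

```powershell
# Added example: read, then toggle, Security Defaults via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns is installed (Install-Module Microsoft.Graph.Identity.SignIns)
# and the caller is a Global or Security Administrator. Tenant id and the -Enabled value are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

function Set-SecurityDefaults {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TenantId,   # 'contoso.onmicrosoft.com' or the GUID; a B2C tenant works too
        [Parameter(Mandatory)] [bool]   $Enabled
    )

    # Policy.ReadWrite.ConditionalAccess covers identitySecurityDefaultsEnforcementPolicy;
    # Policy.Read.All is only needed for the Conditional Access inventory below.
    Connect-MgGraph -TenantId $TenantId -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

    $before = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host "Security Defaults enabled: $($before.IsEnabled)"

    if (-not $Enabled) {
        # Security Defaults and Conditional Access are mutually exclusive. With no CA policies (a tenant
        # without a Premium licence cannot have any), switching off leaves admins with no MFA requirement
        # at all. Warn rather than silently weaken the tenant.
        $caCount = @(Get-MgIdentityConditionalAccessPolicy -ErrorAction SilentlyContinue).Count
        if ($caCount -eq 0) {
            Write-Warning 'No Conditional Access policies exist; disabling Security Defaults removes the only MFA enforcement.'
        }
    }

    if ($before.IsEnabled -eq $Enabled) {
        Write-Host 'Already in the requested state; nothing to do.'
        return $before
    }

    if ($PSCmdlet.ShouldProcess("tenant $TenantId", "set Security Defaults isEnabled=$Enabled")) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $Enabled }

        # Read the policy back instead of trusting the write; the portal answers have no verification step.
        $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
        if ($after.IsEnabled -ne $Enabled) {
            throw "Security Defaults still reports isEnabled=$($after.IsEnabled)"
        }
        Write-Host "Security Defaults enabled: $($after.IsEnabled)"
        return $after
    }
}

# Usage (assumed tenant): preview with -WhatIf, then apply.
Set-SecurityDefaults -TenantId 'mydomain.onmicrosoft.com' -Enabled $false -WhatIf
Set-SecurityDefaults -TenantId 'mydomain.onmicrosoft.com' -Enabled $false
```

Turning the policy back on is the same call with -Enabled $true, which is the last step of the Authenticator-migration answer further down this page.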

Is there a lockout feature in Azure AD MFA?

I am using AzureAD. And I am implementing MFA.
I know that if the user ID and password login fails a certain number of times, it locks me out.
However, repeated failures in MFA after passing user ID and password authentication will not lock out the user.
Repeated failures on the MFA screen will return you to the initial login screen.
Is this a specification?
If it is possible to lock out even with MFA, please let me know how.
Yes, a lockout feature is available in Azure AD MFA. Please note that this feature applies only when users use a PIN code for the MFA prompt.
In order to configure this feature, you need an administrator role.
Account lockout happens based on the number of failed attempts you set in the settings.
To configure this feature, please follow below steps:
Go to Azure Portal -> Azure Active Directory -> Security -> Multifactor authentication -> Account lockout
In the above fields, enter the number based on your requirement and Save.
Like this, you can configure the lockout feature in Azure AD MFA.
Make sure to use a PIN for MFA authentication.
Complete credits to the Microsoft Doc below:
Configure Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Docs

ADFS 3rd Party Claim Provider Trusts - Disable/Expired Local AD Accounts

We have a federation between our ADFS and the other company's Azure AD using "Claim Provider Trusts". We use the Azure AD to perform the authentication, but our ADFS/AD is sending some claims to our "Relying Party Trusts".
The problem I'm facing is if a user is disabled/expired in our local AD, it is still possible to authenticate and access the applications, because the user is not disabled/expired in the Azure AD. I can't manage the Azure AD and it is a valid situation where the user is disabled/expired in our AD, but still working on the Azure AD.
How can I figure this out to prevent disabled/expired users from my local AD from accessing my apps?
Thanks!
In Azure AD you need to go to the user's profile and block the user's sign in under the user's profile > Edit > Settings
You do need to have at least the User Administrator role in Azure, so if you don't have access to the Azure AD you will need to ask an admin to do this.
You can also use Graph API to set accountEnabled to false.
PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version
Body:
{
"accountEnabled": false
}
Otherwise you can delete the user in Azure or ask the admin to do that.
For federation, the user should either be in your AD or in the other party's AAD.
(If you use AAD Connect, the user status is synched up to a shadow account).
Otherwise, you end up with this problem.
Is there a reason you have them in both?
Is there a way to match the AAD and the AD user?
If so, you can have a claims rule to get the status of the matching AD user and then deny access if disabled.
Update
You should read up on AAD Connect. It has filters e.g. groups so you can control who is synched up. Once that's working, if they are disabled in AD, then they will be disabled in AAD as well.
You should also look at the application report as it shows apps that can easily be moved to AAD and provides scripts to do so. There's a number of tools.
You could use the claims rules to find the enabled status of the user and then set a claim if disabled, and then use the Access Control Policies tab to deny access if this claim exists.
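The PATCH on accountEnabled in the answer above targets Azure AD Graph (graph.windows.net), which Microsoft has since retired. The script below is an added example, not code from the answer, doing the same thing with Microsoft Graph PowerShell; the tenant and UPN are placeholders and the function name is mine. It adds two steps the answer leaves implicit: reading the flag back after the write, and revoking the user's sessions, because setting accountEnabled to false does not invalidate refresh tokens that were already issued. Access tokens keep working until their own expiry (about an hour by default) regardless.

```powershell
# Added example: block sign-in for a cloud user and cut existing sessions with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Users.Actions are installed and the caller is at least
# User Administrator in the tenant. The tenant and UPN are assumed values.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Disable-CloudUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # User.ReadWrite.All covers the accountEnabled write; User.RevokeSessions.All covers revokeSignInSessions.
    Connect-MgGraph -TenantId $TenantId -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

    # Get-MgUser throws on an unknown UPN, so a missing user stops the function here.
    $user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,accountEnabled'

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'set accountEnabled=false and revoke sessions')) {
        # Same body as the retired graph.windows.net PATCH in the answer, sent to the v1.0 endpoint.
        Update-MgUser -UserId $user.Id -BodyParameter @{ accountEnabled = $false }

        # Disabling the account does not invalidate refresh tokens already in the wild;
        # revokeSignInSessions resets refreshTokensValidFromDateTime so they stop working.
        # Access tokens remain valid until their own expiry (about an hour), so budget for that window.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

        # Verify the write instead of trusting a 204.
        $check = Get-MgUser -UserId $user.Id -Property 'accountEnabled'
        if ($check.AccountEnabled) {
            throw "accountEnabled is still true for $($user.UserPrincipalName)"
        }
        Write-Host "Sign-in blocked and sessions revoked for $($user.UserPrincipalName)"
    }
}

# Usage with assumed values: the partner's tenant and the federated user to block.
Disable-CloudUser -TenantId 'partner.onmicrosoft.com' -UserPrincipalName 'jdoe@partner.com'
```

Whoever runs this needs the role the answer mentions (User Administrator or higher) in the Azure AD that owns the user, so in the questioner's setup it is still the other company that has to execute it.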

How to migrate Microsoft Authenticator App with Azure AD B2C account to new phone?

With Multi-Factor Authentication enabled, the Azure portal requires users to approve every login in the users' Authenticator app.
When I changed my phone, the Authenticator app had to be migrated to my new phone. I used the Backup and Recover function of the Authenticator app. I backed up and recovered account details to the new phone. For work or school accounts, the migration process requires Additional Security Verification, which requires rescanning the QR codes of all accounts in the Authenticator app. I have rescanned all QR codes of the work or school accounts that I created.
Now my issue for this migration is the Azure AD B2C account. It was created by Azure when I created the Azure AD B2C directory. The name of the account in the Authenticator app is admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. It is not a work or school account. From the name, it may relate to my Azure login account (admin@mydomain.com, a work or school account). I have spent many hours on it. But I still don't know where this special account's details are stored. So I can't get the QR code of the account for the Authenticator app. I can't finish my Authenticator app migration.
This account authentication is required when I switch from Azure primary directory to Azure AD B2C directory in Azure portal.
Please help me with this issue. Thanks.
[UPDATE] I just realized that what worked for me is the solution Alfredo R already posted! So I can confirm that this works.
While I'm still struggling to revalidate my [username]@[custom-domain].onmicrosoft.com account, I think I found a solution for the AAD B2C problem:
Login to https://myaccount.microsoft.com/
Main menu "Security information" will show you registered devices for your current organization
Main menu "Organizations": You should at least see the other organization of the B2C tenant
In the top right menu, click your avatar, switch organizations, and switch to the B2C tenant
The UI should be the same, but now you're logged in through the B2C tenant
Go back to "Security information" and add your new device
I was lucky that my old device is still working, so I could switch organizations easily. If you can't switch because of MFA and no access to your old device, I think you still need to disable MFA in the B2C tenant as described in the other solution and then turn it back on?
But I think that's the way to get the QR code for a B2C tenant: log in to your account and switch to the B2C tenant by switching organizations.
admin_mydomain.com#EXT#@mydomain.onmicrosoft.com is the UPN (user principal name) for the user hosted in the Azure B2C tenant for your work account admin@mydomain.com. Scan the QR code as with the others, but switch to the B2C tenant first.
There are a few steps needed to fix this issue.
You need a global admin account in the Azure AD B2C directory, but you can't use the one that you are going to migrate. Please create one if there is no other global admin account available.
Go to Azure Active Directory of Azure AD B2C directory. Please click on the Properties in the left main menu. Then go to the bottom of the Properties page. Click on the link: Manage security defaults. Disable security defaults and save on the popup window.
Run local PowerShell as local admin. Run the following cmdlet to connect to the Azure AD B2C directory:
PS C:\WINDOWS\system32> Connect-MsolService
The login prompt will ask for user name and password. Please use the credentials of the global admin account mentioned above. If no error appears, run the following cmdlet (the empty array @() clears all registered strong authentication methods for that user):
PS C:\WINDOWS\system32> Set-MsolUser -UserPrincipalName admin_mydomain.com#EXT#@mydomain.onmicrosoft.com -StrongAuthenticationMethods @()
Go back to Azure Active Directory of Azure AD B2C tenant > Properties of the left main menu > the bottom of the Properties page > click the link: Manage security defaults. Enable security defaults and save.
Log in to the Azure portal with admin@mydomain.com, then switch to the Azure AD B2C directory. You will see a popup security setting wizard. That is the same wizard as when we first set up the directory. Please follow the wizard. You will see the QR code for admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. You can scan the QR code to finish the MS Authenticator migration.
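The MSOnline route above (Set-MsolUser ... -StrongAuthenticationMethods @()) depends on a module Microsoft has retired. The script below is an added example, not code from the answer, that does the same reset with Microsoft Graph PowerShell: it lists the user's registered methods, removes the Authenticator and phone registrations, and leaves the account to be re-prompted for registration (and shown the QR code) at the next interactive sign-in. Clearing methods through Graph does not require Security Defaults to be toggled off. The external account is looked up by its mail attribute rather than by the #EXT# UPN, because the '#' characters in that UPN must be URL-encoded in Graph requests and the lookup fails when they are not; that the mail attribute holds the inviting account's address is an assumption, as are the tenant name, the address and the function name.

```powershell
# Added example: reset a user's Authenticator/phone registrations with Microsoft Graph PowerShell,
# the replacement for Set-MsolUser -StrongAuthenticationMethods @().
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns are installed and the caller is an
# admin other than the target, mirroring the answer's advice to use a second global admin.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

function Reset-UserMfaMethods {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TenantId,   # the B2C tenant, e.g. 'mydomain.onmicrosoft.com' (assumed)
        [Parameter(Mandatory)] [string] $Mail        # external account's mail, e.g. 'admin@mydomain.com' (assumed)
    )

    Connect-MgGraph -TenantId $TenantId -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

    # Look up by mail: the #EXT# UPN needs each '#' encoded as %23 in the request path and is easy to get wrong.
    $user = @(Get-MgUser -Filter "mail eq '$Mail'" -Property 'id,userPrincipalName,mail')
    if ($user.Count -ne 1) { throw "Expected exactly one user with mail $Mail, found $($user.Count)" }
    $user = $user[0]

    # Refuse to strip the second factor from the session that is doing the stripping.
    $me = (Get-MgContext).Account
    if ($me -and ($me -ieq $user.UserPrincipalName)) {
        throw 'Sign in with a different admin account; do not reset your own methods from this session.'
    }

    # Inventory first: the microsoftAuthenticatorAuthenticationMethod entry is what the questioner could not re-register.
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        Write-Host ('{0}  {1}' -f $m.AdditionalProperties['@odata.type'], $m.Id)
    }

    if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'remove Authenticator and phone methods')) { return }

    foreach ($auth in Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id) {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id `
            -MicrosoftAuthenticatorAuthenticationMethodId $auth.Id
        Write-Host "Removed Authenticator registration '$($auth.DisplayName)'"
    }
    foreach ($phone in Get-MgUserAuthenticationPhoneMethod -UserId $user.Id) {
        Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $phone.Id
        Write-Host "Removed phone method $($phone.PhoneType) $($phone.PhoneNumber)"
    }

    # What remains should be only the password method. Under Security Defaults the next interactive
    # sign-in re-launches the registration wizard, which is where the QR code appears.
    Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
}

# Usage with assumed values: the B2C tenant and the external admin account being migrated.
Reset-UserMfaMethods -TenantId 'mydomain.onmicrosoft.com' -Mail 'admin@mydomain.com'
```

Run it once with -WhatIf to see the method inventory without deleting anything; the listing alone answers the questioner's "where are this account's details stored", since the registration lives on the B2C-tenant user object, not on the home-tenant account.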

Sign-in to B2C using either Personal or Work or School email address

I am currently working on a B2C setup for my company.
In our Azure AD account, I have an email, say myemail@mycompany.com, which has a password.
I also have a Microsoft Live account using the same email, myemail@mycompany.com, which has a different password.
I have created a B2C setup using the following documentations.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-setup-msa-app/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/
After doing the B2C set up, I am able to obtain a link, below is an example.
https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin1&client_Id=&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post&scope=openid&response_type=id_token&prompt=login
In my Azure setup, I already have both emails (Azure AD and Microsoft Live) added to my list of users.
My problem is, when I use the link generated from my B2C setup, it only seems to allow me to sign in using the Microsoft Live account (which has a different password from my Azure AD account).
Is there a way, or a configuration, which will allow my B2C setup to invoke the sign in page to choose either my Personal (Microsoft Live account) or work or school (Azure AD) account?
At the moment, B2C does not properly support work accounts from AAD (ironic, eh?). You're correct in that personal accounts from MSA work just fine.
In B2C, you can add "local accounts" as an IDP, which will allow users listed in your tenant to sign into the app. I can't actually recall if that local account option allows you to sign in with a work account in your B2C tenant. You could give it a try if that's what you need. Most people however need proper support for AAD tenants, where work accounts are a dedicated option on the "IDP selection" screen. B2C doesn't have that today.
I do have a scratched together sample .NET app on my GitHub that shows how you can add support for work accounts and B2C in the same app. It's not pretty, but it works.
As for the same email/different password problem. Even adding the above support won't help. We don't expect that users will really be able to decipher a "work Microsoft account" button from a "personal Microsoft account" button. So, we are doing work to eliminate these situations, by limiting the number of users who get into such a situation and by providing an account linking option for those that are.
We do plan to support AAD work accounts in the near future. Sometimes your own family members are the hardest to work with.
If you feel so inclined, you can add your feature requests to https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c