Is it possible to combine Azure ad b2c and Azure MFA so users can use push notifications and TOTP codes in the MS authenticator app? If so how?
Apart from enabling MFA that uses SMS and voice calls, which is supported and doesn't require any additional development, you can integrate TOTP-based Multi-Factor Authentication with Azure AD B2C.
This involves additional development:
- Custom policy to support the TOTP flow.
- Simple web client (for presenting a page with a QR code and reading the user's input).
- Two custom REST API endpoints (for generating the secret key and QR code, and for validating the TOTP code).
Sign-in flow with TOTP MFA:
For more details, please refer to Microsoft Azure AD B2C: TOTP multi-factor authentication sample implementation Github project.
Azure AD B2C supports MFA out of the box using voice calls and SMS.
Authenticator or TOTP is not currently supported but in the backlog.
I did not try AD B2C, but technically it seems possible; refer to the links.
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app
If you properly set up Azure AD B2C, you can add a new account in Microsoft Authenticator App > Add account > (your AD URL and code).
I’ve used AD with MS Authenticator App in my company and it worked well. So, Azure AD B2C could provide it also.
I'm currently using Azure B2C as the identity management server to give my Blazor WebAssembly client access to a .NET Core API, but find the sign-in flow to be a bit clunky. I've looked at Google One Tap sign-in, which is much smoother, but I'm not sure if that can be integrated with Azure B2C or if I need to throw that out. Can Google One Tap sign-in be incorporated into Azure B2C, and what are the basic steps to do so? And if that is not possible, what are my alternatives?
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external identity providers like Facebook, Google and GitHub.
Google One Tap is part of Google Identity Services; it's a type of Google authentication without using a password, and we can use Google Identity Services alongside Azure AD B2C.
First we need to register Google as an identity provider for your Azure AD B2C tenant, as described in this document.
You need to create a sign-up or sign-in policy, as described at Azure Active Directory B2C: Built-in policies, and add Google as an identity provider for this policy.
Check this example of using Google Identity Provider with Azure AD B2C for more information.
How to log in with MFA to an Azure AD B2C app using the login URL (given below) provided by Microsoft?
Do we have any URL to validate users login with MFA Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.
In my project, this is a fundamental part of the project. Windows Hello for Business and MS Authenticator are secure and easy to use; the goal here is to enable this in Azure B2C SUSI to increase safety and provide a fast way to sign in for the user.
The point is, is there a way to do that in B2C? Replace the normal password with a passwordless authentication method.
There is a possibility to achieve Multi-Factor Authentication using the Authenticator app. It is documented and a sample is provided here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using a custom policy and a custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.
In Azure B2C is it possible to configure the multi-factor authentication to use the Microsoft Authenticator App?
I have been led to believe that this is now possible. This is a link to a Github sample showing it can be configured using "custom policies."
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
In case it's ever taken down, here are the steps as of 2019-10 2020-12:
Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using a custom policy and a custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
The following components are involved in the Azure AD B2C TOTP multi-factor authentication solution code sample:
- Azure AD B2C - The authorization server, responsible for verifying the user's identity, granting (and revoking) access to resources, and issuing tokens. It is also known as the identity provider.
- Web or mobile application - also known as the relying party application. An application that relies on the identity provider (Azure AD B2C) for authentication.
- Custom REST API - With the Identity Experience Framework, which underlies AD B2C, you can integrate with a RESTful API in a user journey, adding your own business logic. The Identity Experience Framework sends data to the RESTful service in an input claims collection and receives data back from the RESTful service in an output claims collection. The call to the REST API is secured by a client certificate. We use the custom REST API to prepare a QR code, register the user's security code, and verify the TOTP code.
- TOTP - Time-based One-time Password algorithm that computes a one-time password from a shared secret key (shared between the REST API and the authenticator app) and the current time.
- QR Code - A machine-readable optical label that contains information about the item to which it is attached. In this case, the QR code contains the TOTP URI.
- Authenticator app - The Microsoft (or Google) Authenticator app provides an additional level of security by using TOTP (and other methods).
Prerequisites
- All the components mentioned above up, running, and well configured.
- Azure AD B2C b2clogin.com sign-in URL and JavaScript client-side code enabled (in public preview). To enable JavaScript client-side code in your Azure AD B2C policy:
  - Add the ScriptExecution element to the relying party policy.
  - Set the page contract for all content definitions in the base/extension policy with the new DataUri value.
- The .NET Core solution uses the following NuGet packages: OtpNet and QRCoder.
- The solution is based on an extension attribute. Read here how to configure extension attributes.
1. Sign-in flow
The following diagram describes the sign-in flow with MFA registration and verification. The solution is based on TOTP. A TOTP is a time-based one-time password that provides a temporary passcode, generated by an algorithm running in the REST API service. The algorithm generates the password (temporary passcode) using a combination of a secret key (generated by the REST API and stored in the Azure AD B2C directory store) with the current timestamp (ensuring that each password is unique). During registration and sign-in, the user provides the passcode to Azure AD B2C to complete the sign-in process. The secret key is shared between the user's authenticator app and the REST API (stored in the Azure AD B2C directory store), allowing the REST API to validate the passcode.
2. Mobile device enrollment flow
On the first-time user sign-in, or when MFA is required for the first time (for example when accessing highly confidential data), the Azure AD B2C custom policy (henceforth B2C) checks whether the user is already registered (the extension_StrongAuthenticationAppSecretKey claim exists in the Azure Active Directory identity store's user account). If it does not exist, B2C calls the REST API GenerateTOTP endpoint to generate a secret key and QR code for the user. The REST API:
- Reads the user sign-in name
- Generates a random secret key
- Creates a TOTP URI (see the URI format later)
- Generates a QR code for the TOTP URI
- Returns the QR code bitmap, in base64 format, and the generated secret key, in base64 format
2.1 TOTP URI generation
The URI includes the following data, and may contain more, such as the TOTP time step (default 30 seconds) and size (default 6 digits):
- Protocol: otpauth://totp
- User name: B2CDemo:someone@contoso.com
- Secret key: F4KRXSGXYBYT7BQ5THURPPH2RQ27JGSJ
- Issuer: Azure AD B2C Demo
Following is an example of such URI:
otpauth://totp/B2CDemo%3asomeone%40contos.com?secret=F4KRXSGXYBYT7BQ5THURPPH2RQ27JGSJ&issuer=Azure%20AD%20B2C%20Demo
2.2 QR code scanning and validation
After the REST API returns the registration information to Azure AD B2C, the user moves to the next orchestration step specified in the user journey. This orchestration step reads the QR code (in base64 format) and uses JavaScript to present the QR code as an image the user can scan.
2.3 Adding new identity account to Microsoft authenticator
At this point, the user needs to download and install the authenticator app (Microsoft, Google, or any other authenticator app such as Authy app). In Microsoft Authenticator, click add account, select the account type, and scan the QR code provided by Azure AD B2C.
Back in Azure AD B2C, the user needs to copy and type the passcode (within the 30-second timeframe) into Azure AD B2C and click continue.
2.4 TOTP code verification by Azure AD B2C
When the user clicks on continue, Azure AD B2C invokes the REST API VerifyTOTP endpoint, sending the code provided by the end user, the user's secret, and the last time of the match (this data comes from the user's Azure AD account). We use the last time of the match to verify that the verification code has not already been used. The REST API validates the code provided by the end user against the secret key and the last match time.
If the code isn't valid, a user-friendly error is shown to the end user, asking them to provide the TOTP verification code again. Note: since a TOTP code is valid only for 30 seconds, the user may provide a new value. Azure AD B2C will call the validation endpoint again until the user provides a valid value.
On the next step, Azure AD B2C stores the user’s secret key and last time match in Azure Active Directory identity
3. Sign-in and MFA validation
Azure AD checks whether the user is already registered (the extension_StrongAuthenticationAppSecretKey claim exists). If it exists, Azure AD B2C asks the user to enter the verification code.
The end user needs to open the authenticator app, copy the TOTP verification code, and click continue.
When the user clicks on continue, Azure AD B2C runs the flow described in section 2.4, TOTP code verification by Azure AD B2C.
At this time, Azure AD B2C does not support integration with the Microsoft Authenticator app.
You should request this via the Azure AD B2C forum in feedback.azure.com
June 2022 Update:
This is now possible, albeit in preview.
See the Enable multifactor authentication in Azure Active Directory B2C official documentation and/or Thomas' answer below for more details.
This is only possible with Azure "custom policies" right now.
Please follow the following link to the sample.
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
If you find any difficulty to configure the given sample, please follow the following article.
https://medium.com/@snkaushi_9371/enable-totp-based-multi-factor-authentication-in-azure-ad-b2c-84e967d76aa4
This is now possible: Enable multifactor authentication in Azure Active Directory B2C.
As per the documentation it is still in preview (as per June 2022):
Authenticator app - TOTP (preview) - The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app, on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app. See how to set up the Microsoft Authenticator app.
From this Microsoft sample Public Preview: Azure AD B2C MFA with TOTP using any Authenticator app:
Configure TOTP with user flows
All V3 user flows (Recommended) have a new option for TOTP enabled under the "Type of Method" MFA section in the properties blade.
You can customize the TOTP screens by providing the branded HTML files like you do for other pages by going to the "Page Layouts" blade of the user flows.
I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth noting that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0, in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for sign-up, sign-in and general account management.
What does this mean? First off, it means that you cannot create your own sign-up/sign-in experience; you are restricted to redirecting the user to the right policy (which you can customize to some extent). You cannot create your own sign-up/sign-in UI for this and are restricted to styling/branding the provided web-based UI.
So in order to authenticate using AAD B2C you could follow this guide; it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of AAD B2C and then validate the JWT you receive.
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
- You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
- You'll need to add your application/client ID as a scope. Example from Android sample
- You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial; unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service for your apps by supporting two industry standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can have subtle differences.