Separate URI For Each Step in Azure MFA - azure-ad-b2c

Is it possible to have a separate URI for each step of the MFA in B2C? Right now, as a workaround, we are keying off the ajax Success return to provide a unique user experience for each step, but it might be cleaner if we don't have to rely on this.
According to the documentation, we should be able to extend the phonefactor technical profiles, but there aren't any details about this specifically.
Update
Let's assume I have zzz.com/A for a page containing the options: "call me" and "send code."
Let's say I select "send code"; can I then specify zzz.com/B for a page containing the "Enter your verification code below" input?
Or perhaps if I select "Call Me" can I send that to zzz.com/C to display another user experience there?

The MFA behaviour (for a custom policy, this is implemented by the PhoneFactorProtocolProvider provider) is built to be self-contained, which means the call/text interaction can't be separated from the verify interaction.

Related

Additional user input in B2C signin custom policy

I want to, during the sign in flow, ask the user for additional input, which would be used as an inputClaim in one of the next steps of the user journey in a custom policy. The value does not need to be persisted. Ideally, it would be done in the sign-in window, but also could be collected from a separate window.
I am able to modify the sign-up window in this way, though not the sign-in one. Looked up in https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy, but this again describes only the sign-up scenario.
There is a similar question asked by #Zzehan-jurangpathy here Getting user attribute in sign in flow in Azure B2C, though no answer that would actually be helpful.
You can't modify the standard sign-in flow. It just allows username and password.
You can add an extra page by adding a self-asserted technical profile e.g. here.
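As an added illustration of the pattern the answer refers to (example policy fragments written for this page, not the answer's own code), a self-asserted technical profile that collects one extra value during sign-in and leaves it in the claims bag for later steps without writing it to the directory. The claim name extraInput, the profile Id SelfAsserted-ExtraInput, the ClaimsExchange Id and the step number are assumptions; api.selfasserted and SM-Noop are the content definition and session-management profile shipped in the starter pack.

```xml
<!-- 1. Claim type, under <BuildingBlocks><ClaimsSchema> in the extension policy.
     "extraInput" is an assumed name. -->
<ClaimType Id="extraInput">
  <DisplayName>Extra input</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

<!-- 2. Self-asserted technical profile, under <ClaimsProviders><ClaimsProvider><TechnicalProfiles>.
     It renders one page (api.selfasserted content definition) and returns the claim.
     No AAD-UserWrite profile lists extraInput, so the value is never persisted. -->
<TechnicalProfile Id="SelfAsserted-ExtraInput">
  <DisplayName>Collect extra input</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <!-- Do not cache this profile's result in the SSO session; ask every sign-in. -->
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <!-- Pre-fills the box if the claim already exists in the claims bag. -->
    <InputClaim ClaimTypeReferenceId="extraInput" />
  </InputClaims>
  <OutputClaims>
    <!-- Required="true" blocks Continue until the user fills the field. -->
    <OutputClaim ClaimTypeReferenceId="extraInput" Required="true" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

<!-- 3. Orchestration step in the SignUpOrSignIn user journey, placed after the
     combined sign-in/sign-up step so it runs for both paths; renumber the steps
     that follow it. Later steps can reference extraInput as an <InputClaim>. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="ExtraInputExchange" TechnicalProfileReferenceId="SelfAsserted-ExtraInput" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Because the claim lives only in the journey's claims bag, it is available to every later technical profile as an input claim but disappears when the journey ends unless a later step explicitly persists it.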

How to add a link to offer an alternate route in Azure B2C custom policy

I've followed one of the provided samples to add TOTP multi factor authentication supported by a phone app:
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I'm therefore able to offer users the ability to enter a TOTP code:
One of the things I'm considering is ensuring users still have access to their accounts if something goes wrong during the TOTP MFA process which we're using by default. I'd therefore like to be able to add an extra link to this page to send users through an alternative MFA route without successfully completing this one in case they encounter issues: "send a code via email instead".
As far as I can tell, the B2C screens expect users to only go forward through clicking continue. The best alternative instead of a link I can think of is a checkbox which sets a boolean claim to enable an email MFA OrchestrationStep. I find this a little less user-friendly than a simple link though as it adds an unnecessary extra click.
Ideal user flow:
Login --> Display TOTP MFA screen --> Enter MFA code OR click link to go to email MFA screen
Any help's appreciated!
This sample demonstrates how to use a display control to provide multiple options (Email or MFA) for a user to continue:
https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-via-email-or-phone
You could use the same idea here, except instead of invoking the MFA technical profiles as part of the sample's display control, you can invoke the call to the REST API technical profile to verify the code.
You will need to use some CSS/JS to make the page look nice so users can toggle what option they want to use.

Azure B2C configure OTP parameters using policies

I'm trying to configure a B2C tenant using policies instead of user flows. For that, I'm using the SocialAndLocalAccount template as a starting base. One of the things I'd like to do is to configure the email's verification parameters so I can choose the code's length, expiration time, etc. I don't really care about having a custom email like the example with SendGrid; I just want to be able to configure the basic parameters.
I've been following the otp example they have in the documentation and managed to display the option properly but I never receive the email when clicking on "Send Code". Am I missing something? Is there another way to achieve this?
I'm new to Azure B2C and policies so I would appreciate any suggestions you might have. Thanks!
Currently, if you want to use the custom OTP generation within B2C, you have to use an external mail provider. The built in email verification has a separate combined OTP and mail provider service that is not able to be decoupled.

In Azure AD, how to exclude a subset of users from requiring authentication info when first signing in

In my Azure AD tenant, I currently have it configured so that users logging in for the first time must register at least one authentication method (e.g. an alternate email, a phone number). This is useful for MFA and self-service password reset (SSPR) - screenshot here.
I want to have several non-interactive service accounts that will not be configured for either MFA or for SSPR. Therefore, these non-interactive service accounts do not need alternate authentication methods. However, under my current setting, these service accounts are prompted to enter alternate authentication methods on first login:
First with the "More Info Required" screen (screenshot), which you cannot cancel out of
And then with the "don't lose access to your account!" screen (screenshot), which actually does allow for the user to cancel the operation
This is extra inconvenient because, when adding an email, email verification is required, which doesn't allow us to do this programmatically (screenshot).
If I do just click "Cancel" on the "don't lose access to your account!" screen, I can simply proceed to sign-in without inputting alternate authentication methods (screenshot).
So the question is: how can I exclude a certain subset of users (e.g. non-interactive service accounts) from requiring alternate authentication info when first signing in?
We can include only a certain subset of groups for SSPR under Password Reset->Properties. This feature does not have an "Exclude" list, which makes it more difficult to implement.
More details in an MSDN forums post:
https://social.msdn.microsoft.com/Forums/en-US/51affd2c-a2c8-4faa-bbd8-bd1773c985d4/how-to-exclude-a-subset-of-users-from-requiring-authentication-info-when-first-signing-in?forum=WindowsAzureAD&prof=required

Is it possible to collect an additional claim with the PhoneFactor-Verify or PhoneFactor-InputOrVerify technical profiles?

Starting from the custom policy starter pack, and the SocialAndLocalAccountsWithMfa example, I'd like to display an additional checkbox on the same screen where the user chooses "Send Code" or "Call Me".
I want the boolean value indicating if the user checked it to end up in a claim returned to the application.
Is this possible?
I've tried adding the custom claim as an <OutputClaim>, an <InputClaim>, or both to the PhoneFactor-InputOrVerify technical profile, none of which had any effect in the UI.
Unfortunately, no, because both the urn:com:microsoft:aad:b2c:elements:multifactor:1.1.0 content definition and the PhoneFactorProtocolProvider profile type are specialized or fit-for-purpose for the multi-factor interaction.