In Azure B2C is it possible to configure the multi-factor authentication to use the Microsoft Authenticator App?
I have been led to believe that this is now possible. This is a link to a Github sample showing it can be configured using "custom policies."
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
In case it's ever taken down, here are the steps as of 2019-10 2020-12:
Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Following component are involved in the Azure AD B2C TOTP multi-factor authentication solution code sample:
Azure AD B2C - The authorization server, responsible for verifying the user's identity, granting (and revoking) access to resources, and issuing tokens. It is also known as the identity provider.
Web or mobile application – also known as relying party application. An application that relies on identity provider (Azure AD B2C) for authentication.
Custom Rest API - With the Identity Experience Framework, which underlies AD B2C, you can integrate with a RESTful API in a user journey. Adding your own business logic. The Identity Experience Framework sends data to the RESTful service in an Input claims collection and receives data back from RESTful in an Output claims collection. The call to the REST API secure by client certificate. We use custom REST API to prepare a QR code, register user’s security code, and verify the TOTP code.
TOTP - Time-based One-time Password algorithm that computes a one-time password from a shared secret key (the REST API and the authenticator app) and the current time.
QR Code - A machine-readable optical label that contains information about the item to which it is attached. In this case, the QR code contains the TOTP URI
Authenticator app – Microsoft (or Google) Authenticator app provides an additional level of security by using TOTP (and other methods).
Perquisites
All the components motioned above up, running, and well configured
Azure AD B2C b2clogin.com sign-in URL and JavaScript client side enabled (in public preview). To enable JavaScript client-side code in your Azure AD B2C policy:
Add the ScriptExecution element to the relying party policy.
Set the page contract for all content definitions in the base/extension policy with the new DataUri value.
The .Net core solution use following NuGet packages: OtpNet
and QRCoder
The solution is based on an extension attribute. Read here how to configure extension attributes.
1. Sign-in flow
Following diagram describes the sign-in flow with MFA registration and verification. The solution is based on TOTP. A TOTP is time-based one-time password that provides temporary passcode, generated by an algorithm running in the REST API service. The algorithm generates a password (temporary passcode) uses combination of a secret key (generated by the REST API and is stored in Azure AD B2C directory store) with the current timestamp (ensuring that each password is unique). During registration and sign-in user provides the passcode to Azure AD B2C to complete the sign-in process. The secret key is shared between user’s authenticator app and the REST API (stored in Azure AD B2C directory store), allowing the REST API to validate the passcode.
2. Mobile device enrollment flow
On the first-time user sign-in or when MFA is required for the first time (for example accessing highly confidential data), Azure AD B2C custom policy (Henceforth B2C) checks if the user already registered (extension_StrongAuthenticationAppSecretKey claim exists in Azure Active Directory identity store’s user account). If not exist, B2C calls the REST API GenerateTOTP endpoint to generate secret key and QR code for the user. The REST API:
Reads the user sign-in name
Generates a random secret key
Creates a TOTP URI (see the URI format later)
Generates a QR code for the TOTP URI
Returns the QR code bitmap, in based64 formant and the generated secret key, in base64 format
2.1 TOTP URI generation
The URI includes following data, and may contains more, such as TOTP time (default 30 seconds) and size (default 6 digits):
Protocol - otpauth://totp
User name: B2CDemo:someone#contoso.com
Secret key: F4KRXSGXYBYT7BQ5THURPPH2RQ27JGSJ
Issuer: Azure AD B2C Demo
Following is an example of such URI:
otpauth://totp/B2CDemo%3asomeone%40contos.com?secret=F4KRXSGXYBYT7BQ5THURPPH2RQ27JGSJ&issuer=Azure%20AD%20B2C%20Demo
2.2 QR code scanning and validation
After the REST API returns the registration information back to Azure AD B2C. The user moves to the next orchestration step specified in the user journey. This orchestration step reads the QR code (in base64 format) and uses JavaScript to present the QR code as an image user can scan.
2.3 Adding new identity account to Microsoft authenticator
At this point, the user needs to download and install the authenticator app (Microsoft, Google, or any other authenticator app such as Authy app). In Microsoft Authenticator, click add account, select the account type, and scan the QR code provided by Azure AD B2C.
Back to Azure AD B2C, user needs to copy and type the passcode (wining the 30-seconds timeframe) in Azure AD B2C and click continue.
2.4 TOTP code verification by Azure AD B2C
When user clicks on continue, Azure AD B2C invokes the REST API VerifyTOTP endpoint. Sending the code provided by the end user, the user’s secret and the last time of the match (this data comes from the user’s Azure AD account). We use the last time of the match to prevent and verify the verification code has already been used. The REST API validates the code provided by the end user with the secret key and last match time.
If the code isn’t valid, a user-friendly error is shown to end user, asking to provide the TOTP verification code again. Note: Since the TOTP code is valid on for 30 seconds, a user may provide the new value. Azure AD B2C will call the validation endpoint again, until the user provides valid value.
On the next step, Azure AD B2C stores the user’s secret key and last time match in Azure Active Directory identity
3. Sign-in and MFA validation
Azure AD checks if the user already registered (extension_StrongAuthenticationAppSecretKey claim exists). If exists, Azure AD B2C asks the user to enter the verification code
End user needs to open the authentication app and copy the TOTP verification code and click continue.
When user clicks on continue, Azure AD B2C runs the flow describe in section 2.4 TOTP code verification by Azure AD B2C
At this time, Azure AD B2C does not support integration with the Microsoft Authenticator app.
You should request this via the Azure AD B2C forum in feedback.azure.com
June 2022 Update:
This is now possible, albeit in preview.
See the Enable multifactor authentication in Azure Active Directory B2C official documentation and/or Thomas' answer below for more details.
This is only possible with Azure "custom policies" right now.
Please follow the following link to the sample.
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
If you find any difficulty to configure the given sample, please follow the following article.
https://medium.com/#snkaushi_9371/enable-totp-based-multi-factor-authentication-in-azure-ad-b2c-84e967d76aa4
This is now possible: Enable multifactor authentication in Azure Active Directory B2C.
As per the documentation it is still in preview (as per June 2022):
Authenticator app - TOTP (preview) - The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app, on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app. See how to set up the Microsoft Authenticator app.
From this Microsoft sample Public Preview: Azure AD B2C MFA with TOTP using any Authenticator app:
Configure TOTP with user flows
All V3 user flows (Recommended) have a new option for TOTP enabled under the "Type of Method" MFA section in the properties blade.
You can customize the TOTP screens by providing the branded HTML files like you do for other pages by going to the "Page Layouts" blade of the user flows.
Related
I have a front end SPA (single page application) and back end api.
Each event in the SPA (like button click) invokes the respective api endpoint, and displays the result in the SPA.
I want to implement Azure AD based authentication so that only my Azure Tenant users are able to use the SPA/api.
Is the following flow correct approach to implementing such a feature:
User opens the SPA
User clicks on login button which opens Microsoft login popup
User enters Microsoft credentials in the popup, and if credentials are correct then user gets the JWT token
For every subsequent api request, the JWT token is placed in the bearer header
The endpoint validates the JWT token using Azure public key and rejects the request if token is missing or validation fails.
Is this flow correct and what is such a flow called?
There are several implementation steps that needs to be performed before you will have the flow that you have described:
User flow needs to be configured (Azure AD) - e.g. selfsignup allowed?
Backend and frontend applications needs to be registered (Azure AD)
Permissions and scopes needs to be added (Azure AD)
Backend API needs to be configured (e.g. API management) in order to validate the JWT token
I highly recommend to configure one of the Azure sample implementations end2end to get and idea of all the needed tasks: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-spa-app
The steps you outlined are correct.
An OAuth 2.0 "flow" outlines the steps to acquire a token from an Identity Provider (IdP). Since you are using a SPA, there are some restrictions on which flows you can use. A SPA can't act as a "Confidential Client" which is required for some flows. (Basically - the Client Secret required for the other flows would be visible in the browser network trace, so it's not "confidential".) The "Implicit Flow" used to be recommended for SPAs but it's less secure, so now the "Authorization code flow (with PKCE)" is recommended. Steps 2 & 3 in the question above are when you are executing the flow to acquire a token.
The authentication flow doesn't really address how you save and send the token to the API (#4 in the question), but the Microsoft Authentication Library (MSAL) helps with that - More information here - https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-overview
In Azure AD, you'll want 2 App Registrations - one for your SPA and one for your API. The API App Registration will need to "Expose an API" which really means to define a scope. Your SPA App Registration will need to Add an "API Permission" to the scope you defined from your API App Registration. (It will show up in My APIs.) This relationship is how #5 in the question is enforced.
Many of the steps for setting up authentication in Azure AD and Azure B2C are similar but Azure AD is designed for authenticating users that are part of your organization. Azure B2C allows you to build a set of users that aren't members of a particular Azure AD organization.
I am implementing a passwordless signin experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a custom attribute stored phone number as an sms MFA option, and OneTimePasswordProtocolProvider with a custom attribute stored email as an email MFA option. When I initiate a login, the first step us username retrieval. The username is used to read the mfa options from AD and then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options to issue a token to the application. This works great, however I noticed that Active Directory does not store and log a "sign in" in the signin logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins). Per the document, MFA challenges should generate a signin log but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/ OneTimePasswordProtocolProvider) are not sufficient.
I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating with a business requirement to see those logs generated for auditing purposes.
As a work around, I am adding a psuedo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a signin log but it seems hacky. My question is what is the recommended approach to generate a signin log in Azure AD with a passwordless solution?
what is the recommended approach to generate a signin log in Azure AD with a passwordless solution
For this scenario, you can implement magic link in this web application user can click login button and then user is redirected to identity provider in azure ad b2c.
Now in custom policy page user can select the magic link option to authenticate and user has to provide the email address and continue azure ad b2c will send a request to magic link web application and then this web api responsible to generating the magic link which we sent to the user mailbox.
For more information in detail, please refer below links:
samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub
https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements
In my project, this a fundamental part of project. Windows Hello for Bussiness and MS Authenticator is secure and easily to use, the goal here is enable this in Azure B2C SUSI to increment safety and provide a fast way to SignIn for user.
The point is, has a way to do that in B2C? Replace normal password to a paswordless way authentiation
There is a possibility to achieve Multi factor authentication using Authenticator app. It is documented and a sample is provider here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.
Is it possible to combine Azure ad b2c and Azure MFA so users can use push notifications and TOTP codes in the MS authenticator app? If so how?
Apart of enabling MFA that uses SMS and voice calls which is supported and doesn't require any additional development, you can integrate TOTP-based Multi-Factor Authentication with Azure AD B2C.
This involves an additional development:
Custom policy to support TOTP flow.
Simple web-client (for presenting a page with QR code and reading user's input).
Two custom REST API endpoints (for generating secret key, QR code and validating TOTP code).
Sign-in flow with TOTP MFA:
For more details, please refer to Microsoft Azure AD B2C: TOTP multi-factor authentication sample implementation Github project.
Azure AD B2C supports MFA out of the box using voice calls and SMS.
Authenticator or TOTP is not currently supported but in the backlog.
I did not try AD B2C, but technically it seems possible refer to the links.
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app
If you properly setup Azure AD B2C, you can add new account in Microsoft Authenticator App > Add account > (your AD url and code).
I’ve used AD with MS Authenticator App in my company and it worked well. So, Azure AD B2C could provide it also.
Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because, some of my users are in Azure AD B2C and some of the users are maintained in the custom user store and can't be moved to Azure AD B2C due to business reasons. Yet i want to provide same sign-in experience for both users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated in to the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.