question

TonyLin-0685 asked ZollnerD edited

Where is Azure AD B2C account QR code for Microsoft authenticator?

When I switch from my Azure primary directory to the Azure AD B2C directory, I need to approve the switch in Authenticator. The account name in Authenticator is very special. The account name is admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. My Azure primary directory login name is admin@mydomain.com.

I got a new phone last week. I have restored all account details to the new phone and scanned all the other accounts' QR codes. But I don't know where to find the QR code for the special account of the Azure AD B2C directory. I was never aware of this issue before. I will not be able to log in to my AD B2C directory if I lose my phone. It is a common issue for everyone who has an Azure AD B2C directory.

I set the account up the first time with a pop-up wizard from Azure.

Please help me with this issue. Thanks.

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered FabinFoos-7604 commented

@TonyLin-0685 · Welcome to the Q&A platform and thank you for your query.

The account name/UPN in this format (admin_mydomain.com#EXT#@mydomain.onmicrosoft.com) gets generated for guest users. If you have added the admin of your Azure AD tenant as a guest to your B2C tenant and, while switching from your Azure AD tenant to the Azure AD B2C tenant, you are being prompted for MFA, it can be due to security defaults in the B2C tenant, as highlighted below:

44418-image.png

To disable the MFA prompt when switching from your primary Azure AD to the B2C directory, disable "Security Defaults".

Read more: What are security defaults?


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Thanks very much amanpreetsingh-msft.

I did a test as you advised. It works. But it also disables MFA for all logins. I am not going to use Conditional Access. Any other solutions, please?

0 Votes 0 ·

@TonyLin-0685 · Security Defaults and Conditional Access are the only options to enable MFA for users in a B2C tenant. Why don't you want to go for Conditional Access? It doesn't require any additional licenses to be purchased in the case of a B2C tenant.

0 Votes 0 ·

Thanks very much amanpreetsingh-msft.

Because I try not to change security settings if I can avoid it. I will try Conditional Access if there are no other solutions.

From my memory, when I set up the B2C directory, there was a wizard (Additional Security Verification wizard) with the QR code popup. The QR code must be stored somewhere. It is the easiest solution if we can find the QR code.

0 Votes 0 ·

@TonyLin-0685 · You can try running the cmdlet below and then enabling Security Defaults again. You should be able to get the option to scan the QR code to set up MFA afterwards.

Set-MsolUser -UserPrincipalName admin_mydomain.com#EXT#@mydomain.onmicrosoft.com -StrongAuthenticationMethods @()

0 Votes 0 ·

Thanks very much amanpreetsingh-msft.

First, I connected to MsolService. Then I ran the cmdlet from you. I changed mydomain to my real domain name. I got an error message back.

Set-MsolUser : User Not Found, User: .
At line:1 char:1
+ Set-MsoleUser -UserPricipalName Admin_...
...

I had checked the strange user name carefully many times. The user name should be correct. I can't find the user name anywhere. Any ideas?

0 Votes 0 ·

Hi @TonyLin-0685 · Make sure you are connected to the B2C tenant. I would suggest that you create a new user from the Azure portal in the B2C tenant and assign the Global Admin role to the user. Make sure the UPN of the new user is Username@yourB2Ctenant.onmicrosoft.com. Connect to MsolService with the new user account and then run the cmdlet.

0 Votes 0 ·

Hi @amanpreetsingh-msft, I have the same problem as @TonyLin-0685, but I don't know how to create a new user in the B2C tenant, because it doesn't have another admin user, as the tenant was created with mine. So, how can I change security defaults? Or how can I get the QR code to configure the authenticator?
Thank you in advance.

Fabián

0 Votes 0 ·

Hi @amanpreetsingh-msft,
As you advised, I created a new B2C tenant Global Admin user. I connected to Azure with Connect-MsolService using this account. Then I reran the cmdlet you suggested. There was no error from PowerShell. I think that I connected to the B2C tenant's AD this time.

I reactivated the B2C tenant's default security and switched from the main tenant to the B2C tenant. A security setting wizard popped up. I have scanned the QR code for the special account. Finally, I finished my MS Authenticator migration. Thanks very much.

0 Votes 0 ·
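
The sequence this thread arrived at, as an added PowerShell example that is not part of any post above: check that the MSOnline session is in the B2C tenant and that the guest UPN resolves there before clearing its registered MFA methods. The function name `Reset-GuestMfaRegistration` and the `-ExpectedDomain` value are assumptions made for the example; the UPN is the redacted one from the question.

```powershell
# Added example. Placeholder names mirror the redacted ones in the thread.
Import-Module MSOnline

function Reset-GuestMfaRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GuestUpn,       # the #EXT# guest UPN
        [Parameter(Mandatory)] [string] $ExpectedDomain  # B2C tenant's initial domain (assumed known)
    )

    # 1. Confirm the session is in the B2C tenant, not the home tenant.
    $initial = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
    if ($initial -ne $ExpectedDomain) {
        throw "Session is in '$initial', expected '$ExpectedDomain'. Reconnect as a member admin of the B2C tenant."
    }

    # 2. Resolve the guest. A miss here is the 'User Not Found' case from the thread.
    $user = Get-MsolUser -UserPrincipalName $GuestUpn -ErrorAction SilentlyContinue
    if (-not $user) {
        $guests = (Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like '*#EXT#*' }).UserPrincipalName
        throw "No user '$GuestUpn' in '$initial'. Guest UPNs in this tenant: $($guests -join ', ')"
    }

    # 3. Record what is registered now, then clear it so the next sign-in re-registers.
    $before = @($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
    Write-Verbose "Registered methods: $($before -join ', ')"
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Clear registered MFA methods')) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods @()
    }

    # 4. Return before/after so the change can be logged.
    $after = @((Get-MsolUser -UserPrincipalName $user.UserPrincipalName).StrongAuthenticationMethods |
               ForEach-Object { $_.MethodType })
    [pscustomobject]@{ User = $user.UserPrincipalName; Before = $before; After = $after }
}

Connect-MsolService   # interactive sign-in as a Global Admin who is a member of the B2C tenant
Reset-GuestMfaRegistration -GuestUpn 'admin_mydomain.com#EXT#@mydomain.onmicrosoft.com' `
    -ExpectedDomain 'mydomain.onmicrosoft.com' -WhatIf
```

Drop `-WhatIf` once the tenant and user checks pass. MSOnline is the module used in this thread; Microsoft has since deprecated it.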