AnushaPrashangi-4224 asked amanpreetsingh-msft commented

MFA Authentication - Externally provide instruction to execute the MFA

I have a setup in which authentication is done by Azure B2C and Azure B2E IDPs using the OpenID Connect protocol. In my code, I'm implementing the federation hub; no user information is persisted, and authentication is done by identity providers like Azure B2C, Azure B2E or any other IDP. It is working fine for basic authentication.

Now, I want to give the instruction to execute MFA or basic authentication for Azure AD based on some factors derived in my federation logic. Here, I'm going to give the instruction using acr_values [https://openid.net/specs/openid-connect-eap-acr-values-1_0.html] to perform the relevant MFA. For example: for User A, I want to execute OTP authentication after basic authentication completes; for User B, I want to perform FIDO authentication after basic authentication completes; for User C, I want to execute basic authentication only. As all the user information is available on the Azure side, is it possible to send instructions to execute all MFA steps in one authentication request using additional parameters like acr_values, or any other approach, through the OpenID Connect protocol?

So could you please tell me how to achieve the above requirement from the Azure IDP side, executing MFA using dynamic instructions provided externally.



azure-ad-openid-connect

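The request-side mechanism the question describes, as an added example that is not part of the original post and not Microsoft code: a federation hub that picks an acr value per user, sends it both as acr_values and as an essential acr claim in the OIDC "claims" parameter, and then checks the acr claim in the ID token it gets back. The IdP endpoint, the client_id/redirect_uri, the urn:example acr identifiers and the per-user table are assumptions; a real IdP defines its own acr values (published as acr_values_supported in its discovery document), and whether Azure AD B2C honours acr_values is not established on this page.

```python
"""Per-user authentication-context request for an OIDC federation hub.

Added example, not code from the original post or from Microsoft. The IdP
endpoint, client_id/redirect_uri and the urn:example acr identifiers are
assumptions; a real IdP publishes its own values in the
acr_values_supported field of its discovery document.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical acr identifiers for the three contexts in the question.
ACR_BASIC = "urn:example:acr:password"
ACR_OTP = "urn:example:acr:password-otp"
ACR_FIDO = "urn:example:acr:password-fido"

# Constructed sample of the hub's per-user decision table.
USER_POLICY = {
    "userA@example.com": ACR_OTP,
    "userB@example.com": ACR_FIDO,
    "userC@example.com": ACR_BASIC,
}


def required_acr(login_hint):
    """Look up the context the hub's federation logic demands for a user.

    Unknown users fall back to OTP so a lookup miss never silently lowers
    the requirement to password-only (design choice, not from the post)."""
    return USER_POLICY.get(login_hint, ACR_OTP)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            login_hint, state, nonce):
    """Return (url, acr) for an OIDC authorization request.

    The acr is sent twice: as acr_values (OIDC Core 3.1.2.1, a voluntary
    request the IdP MAY ignore) and as an essential acr claim in the
    "claims" parameter (OIDC Core 5.5.1.1), which tells a conforming IdP to
    fail the login rather than issue an ID token with a weaker acr.
    """
    acr = required_acr(login_hint)
    claims_request = {"id_token": {"acr": {"essential": True, "values": [acr]}}}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,        # CSRF binding of the callback
        "nonce": nonce,        # replay binding of the ID token
        "login_hint": login_hint,
        "acr_values": acr,
        "claims": json.dumps(claims_request),
    }
    return f"{authorize_endpoint}?{urlencode(params)}", acr


def parse_request(url):
    """Decode the query of a URL built above, to inspect what was sent."""
    query = parse_qs(urlparse(url).query)
    flat = {k: v[0] for k, v in query.items()}
    flat["claims"] = json.loads(flat["claims"])
    return flat


def verify_context(id_token_claims, expected_acr, expected_nonce):
    """Accept the login only if the ID token attests the requested context.

    Assumes the OIDC library already checked signature, iss, aud and exp;
    this is the extra step most libraries leave to the application. The
    comparison is exact: acr values are opaque strings with no ordering.
    """
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    return id_token_claims.get("acr") == expected_acr


if __name__ == "__main__":
    url, acr = build_authorization_url(
        "https://idp.example.com/oauth2/authorize", "federation-hub",
        "https://hub.example.com/callback", "userB@example.com",
        state="s1", nonce="n1")
    print(url)
    # Constructed ID-token payloads: one honouring the request, one downgraded.
    print(verify_context({"acr": ACR_FIDO, "nonce": "n1"}, acr, "n1"))
    print(verify_context({"acr": ACR_BASIC, "nonce": "n1"}, acr, "n1"))
```

The point of verify_context is that acr_values is only a request: per OIDC Core the IdP may ignore it, so the hub must compare the acr claim in the returned ID token with what it asked for instead of assuming the extra step ran. The essential-claim form is the spec's way of asking the IdP to fail the login rather than downgrade, but the hub-side check is still the control that matters.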

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @AnushaPrashangi-4224 · Thank you for reaching out.

MFA can be enforced by using Conditional Access policies configured in the B2C tenant. This requires an Azure AD Premium P1 license. You may include and exclude specific sets of users from the CA policy.

If you are using a user flow, make sure it is configured with the settings below:
103404-image.png

Then configure the Conditional Access policy with the option below.
103369-image.png

Read more:

As of now the Custom Controls option, which allows integration of third-party MFA providers, is not available in B2C. That is why you are limited to the MFA methods available in the B2C tenant.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



@amanpreetsingh-msft, Thanks for the quick response.

That means the above requirement cannot be implemented using any Azure licence type, such that an externally decided MFA method is executed accordingly by Azure AD for Azure B2C or B2E tenants. Could you please confirm whether I understood it correctly?


Hi @AnushaPrashangi-4224 · Yes, there is no specific license to integrate third-party MFA with Conditional Access policies.

However, you can use Custom Policy to integrate Authy App for MFA with B2C. Here is the custom policy sample for your reference: https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-authy-app

Note: This sample is in private preview and must be well tested before being used in a production environment.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

