MunazzaOsama-2843 asked AnshulKumarMINDTREELIMITED-5501 commented

Apply MFA on force Reset Password on first login

I have applied MFA on sign-up only using the LocalAndSocialAccountMFA starter pack, and also force password reset on first login using the GitHub sample: force-password-reset-first-logon

I want to add MFA also when the user first logs in and is forced to change their password.

Any guide would be much appreciated.
Thanks

azure-ad-b2c

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

ManuPhilip answered MunazzaOsama-2843 commented

You may use a workaround as below (there can be other ideas too). The script can be used as part of onboarding the users:
# Requires the MSOnline module and a prior Connect-MsolService; flags every user for a password change at next sign-in
Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true


Is there any way to do this with a custom policy? I am not using PowerShell commands, and I used the LocalAndSocialAccountMFA starter pack of custom policies.

amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @MunazzaOsama-2843, thank you for reaching out.

Could you please try to add the orchestration steps below to the sign-up/sign-in user journey (the one your RP file refers to) in the B2C_1A_ForcePasswordReset_TrustFrameworkExtensions policy file, just before the last orchestration step, which issues the JWT token.

<OrchestrationStep Order="8" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>

<OrchestrationStep Order="9" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newPhoneNumberEntered</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

MunazzaOsama-2843 answered

Hi @amanpreetsingh-msft, thanks for your reply, but I have already implemented the MFA following [SocialAndLocalAccountsWithMfa][1]
[1]: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccountsWithMfa

I wanted to apply MFA only on sign-ups; for this I added the newUser precondition to the MFA step and it worked, but when I added another precondition on extension_mustResetPassword to apply MFA on force password reset on first login:

<OrchestrationStep Order="10" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newUser</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>extension_mustResetPassword</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mustResetPassword</Value>
      <Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>

it works only if one condition is true; I want MFA for both. I wanted:
1: MFA on sign-up only
2: no MFA on sign-in
3: MFA on first sign-in for force password reset.
What I think is that the newUser attribute and extension_mustResetPassword are conflicting with each other, as when extension_mustResetPassword is true, newUser is false and it skips the MFA.

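The three rules can be met without the conflicting pair of skip-preconditions (every precondition that fires skips the step, so two "skip unless this claim exists" checks require both claims at once): fold both triggers into one boolean with the OrClaims claims transformation and gate the MFA step on that claim alone. This is an added example, not code from the thread or the starter pack. Assumed names are requireMfa (declare it as a boolean ClaimType in the ClaimsSchema), ExampleComputeRequireMfa and ExampleComputeRequireMfa-TP; newUser, extension_mustResetPassword, isActiveMFASession and PhoneFactor-InputOrVerify are the ones already used in the thread.

```xml
<!-- Added example, not from the thread; names prefixed Example* and the claim requireMfa are assumed -->
<!-- ClaimsTransformations: requireMfa = newUser OR extension_mustResetPassword -->
<ClaimsTransformation Id="ExampleComputeRequireMfa" TransformationMethod="OrClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newUser" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="extension_mustResetPassword" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="requireMfa" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
<!-- TechnicalProfiles: DefaultValue="false" makes a claim absent from the bag
     (newUser on sign-in, extension_mustResetPassword when never set) count as false -->
<TechnicalProfile Id="ExampleComputeRequireMfa-TP">
  <DisplayName>Compute requireMfa</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newUser" DefaultValue="false" />
    <InputClaim ClaimTypeReferenceId="extension_mustResetPassword" DefaultValue="false" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="requireMfa" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="ExampleComputeRequireMfa" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<!-- UserJourney: compute right after the step that reads the user from the directory,
     then gate the MFA step on that one claim. Orders are illustrative; renumber to fit. -->
<OrchestrationStep Order="9" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="ComputeRequireMfa" TechnicalProfileReferenceId="ExampleComputeRequireMfa-TP" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="10" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>requireMfa</Value>
      <Value>false</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

With this shape a sign-up (newUser present) and a first sign-in with extension_mustResetPassword set both reach the MFA step, while an ordinary sign-in computes requireMfa as false and skips it.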