B2C User Flows - Profile editing v2 - Multifactor Authentication

2020-02-12T21:14:02.71+00:00

I'm running into a problem with B2C User Flows. Specifically, the "Profile editing v2" flow as it relates to Multifactor Authentication (MFA). It seems there is no way to toggle MFA on or off for the "Profile editing v2" flow (or the v1 version, for that matter). When I create this flow, MFA just defaults to "Disabled", as seen here.

2825-1.png

Also, note that there is no MFA option in this flow's list of Page Layouts.

2826-2.png

As compared to this "Password reset v2" flow which does allow MFA to be turned on and provides the respective Page Layout for that.

2833-3.png

The fact that the "Profile editing v2" flow doesn't offer a MFA Page Layout option would be fine if, when running the flow, the MFA screen wasn't still triggered. However, a MFA page is definitely appearing when I test run the User Flow.

After some experimenting, I've concluded that these User Flows operate independently. For example, the "Profile editing v2" flow has a "Sign In" Page Layout, but it is unrelated to any settings one might have in their actual "Sign In" User Flow. I tested this by disabling MFA on all User Flows, but this MFA screen still appears on this flow. So, it doesn't appear that flow X calls flow Y which uses the configuration set there. Instead, it seems that flow X must have these sub pages like X.a, X.b, X.c. If one sub-page is missing, you get unexpected results. This is also true of "Profile editing v1". It doesn't even have a "Sign In" Page Layout which causes it to display an even older Microsoft branded "Sign In" screen.

It makes sense that the "Profile editing v2" flow's Page Layouts section doesn't contain a MFA option since it's impossible to turn on MFA for the "Profile editing v2" flow. However, the fact that MFA is still triggered in this flow is unexpected, and I don't know how to fix. This is a problem for me since I'm using custom HTML/CSS to brand each User Flow to my company's standards, and suddenly, without any control, this completely unbranded MFA screen appears. This seems like an oversight/bug. It should also be noted that this MFA page appears even when I don't use my custom HTML/CSS and simply use the default template. I have additionally made sure to clear my browser cache when running these tests.

Has anyone encountered this, or know of a fix or workaround?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,610 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-02-13T06:50:37.91+00:00

    @itscoolicanchangethislaterright-6283
    You are right, we cannot enable MFA using Profile Editing policy. But, if authentication phone is already configured on User Account, user gets prompted for MFA otherwise there will not be any MFA prompt. However, the customization options should have been there to provide same look and feel for entire flow. This definitely seems like an oversight. I would suggest you to post this at feedback.azure.com.

    Workaround:
    The only workaround in this case would be to use custom policy. In TrustFrameworkBase.xml, you can specify the URL of your custom html under content definition for api.phonefactor at LoadUri parameter as highlighted below:

    2981-capture.jpg

    Now if the RP files such as SignuporSignin.xml or PassworReset.xml or ProfileEdit.xml chain up to the above TrustFrameworkBase.xml file, same MFA page will be provided.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


0 additional answers

Sort by: Most helpful