SyedMustafaShah-3325 asked JohannSpies-5154 commented

Configuring MFA for Azure ADB2C with Authenticator App and invitation based sign in

Hi,
We are developing a portal with ADB2C based authentication.
We are using the invitation based sign in process where admin can enter the details of new users (sign up) and an email is sent to user's email address with an invitation link. Clicking this link takes the user to create password screen and then logs him in.

Now we need to enable MFA (with auth app) for existing users and for new users created from our application.

I have followed the steps mentioned in https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp and https://medium.com/@snkaushi_9371/enable-totp-based-multi-factor-authentication-in-azure-ad-b2c-84e967d76aa4 articles.

I was able to test the custom policies directly by running them from "Identity Experience Framework" to sign up and sign in with Auth app.

Now the problem is that when I try to sign in (login) using existing users, it gives the error "Invalid username or password". Moreover, when I try to login using an account created by running the custom policy directly, that account is successfully logged in.

I need help with the following aspects:

1- How can we customize our existing login policy (built-in user flow) for sign in to identify old users and redirect them to the Auth app signup screen?
2- How can we implement a custom policy for invitation based sign up that will take the user to the Auth app registration screen after creating a password?

Thanks

Tags: azure-ad-b2c, azure-ad-multi-factor-authentication, azure-ad-conditional-access

I would love to know how you deployed the REST API to Azure App Service. I am stuck and don't know how to deploy it. When I click on the button for automatic deploy, nothing happens.

amanpreetsingh-msft answered SyedMustafaShah-3325 commented

Hello @SyedMustafaShah-3325 Please find my comments inline:

1- How can we customize our existing login policy (built-in user flow) for sign in to identify old users and redirect them to the Auth app signup screen?

In order to identify whether the user is new or old, you can configure the user flow with the "User is new" Application Claim, which is returned as the "newUser": true claim in the token if the user has just signed up for your application. For subsequent sign-ins by that user, this claim will not be returned. As of now, built-in user flows support Azure MFA with a text message based 2nd factor only. Here is an active feedback link for adding Authenticator support with B2C user flows.

2- How can we implement a custom policy for invitation based sign up that will take the user to the Auth app registration screen after creating a password?

Here is a sample for SignUp with email invitation that you can configure to redirect the users to the policy configured with MFA TOTP.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @SyedMustafaShah-3325 Just checking if you have any further question.


Hi,
I was able to customize the signup_invite custom policy in a way that it registers the auth app after setting up the password. This is all good.

The problem is that when I try to login using the signupsignin custom policy for MFA, it always gives the error
"invalid username or password". It gives this error for the user accounts that we have created by registering the Auth APP too. The strange thing is that if you give a wrong password, then it tells you "wrong password" (which means the policy was able to find the account in AD B2C and is validating the password correctly). But still, if the correct username and password are provided, it says "invalid username or password".
Can you help in identifying the issue here?

I have attached the custom policy files to help you debug easily.


The signupMFA policy that is failing with the error "invalid username or password": 25237-signinmfa.xml, 25313-trustframeworkextensions.xml and 25283-trustframeworkbase.xml


Hi @amanpreetsingh-msft ,

Any help for the question above?
Any idea why this "invalid username or password" issue appears even for the correct credentials?

When we try the simple SignIn policy (user flows), it authenticates the user successfully, but whenever we try to use the TOTP signupsignin policy (Custom Policy starter pack), we get this invalid username issue.
Another strange thing is that if we provide an invalid password, the TOTP custom policy based flow gives a clear error that the password is incorrect, which means that it can clearly read the user credentials from the AD B2C user store. But when we give correct credentials, it gives the invalid username issue.

Any ideas ...


The signup invitation policy:

25294-signupinvitation.xml


The base policy file:
25199-trustframeworkbase.xml

SyedMustafaShah-3325 answered

Hi @amanpreetsingh-msft ,

I need a different solution for point 1, i.e.

> 1- How can we customize our existing login policy (built-in user flow) for sign in to identify old users and redirect them to the Auth app signup screen?
>
> In order to identify whether the user is new or old, you can configure the user flow with the "User is new" Application Claim, which is returned as the "newUser": true claim in the token if the user has just signed up for your application. For subsequent sign-ins by that user, this claim will not be returned. As of now, built-in user flows support Azure MFA with a text message based 2nd factor only. Here is an active feedback link for adding Authenticator support with B2C user flows.

In my case, there are a lot of users that are already present in the AD B2C user store and are currently logging in to the system. Now that we are trying to set up MFA, we want to identify any user that was created already without MFA setup (might have logged in several times already) during login and then take that user to the register Authenticator APP screen so that this existing user can also use MFA from the next session. Currently what happens is that when we try to login with existing users, the login screen gives the error "Invalid username or password" and does not proceed from there.
I am assuming that the custom claim "strongAuthenticationAppCode" is not present for such existing users and that might be causing this invalid username and password issue (not sure, so please share your thoughts on this too).

Therefore, what I would need is to identify and extract the special claim that will tell me if the currently logging in user is MFA enabled already or not. Please help me in implementing this in a custom policy.

amanpreetsingh-msft answered JamesTran-MSFT commented

@SyedMustafaShah-3325 For this purpose, you would need to use a custom policy, as this can't be achieved by using built-in user flows. In the case of a custom policy, you can create a REST API technical profile which can query Azure AD for the attribute which is getting updated for the users who have registered for MFA in your case. Based on the value of the attribute, you can return an output claim. You can then add an orchestration step to invoke the REST technical profile in the signup/sign-in user journey so that the value of the attribute gets populated during signup/signin.

For Example:

In the case of Azure MFA, we can configure the REST technical profile to make the call below:

https://graph.microsoft.com/beta/me/authentication/methods/3179e48a-750b-4051-897c-87b9720928f7

If the response status is 200 OK, then set a custom claim, for instance an MFAUser claim, as true, and if the response is 404 Not Found, send the MFAUser claim as false.

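One way to implement the REST API side of what the answer above describes, as an added example that is not code from this thread or from the azure-ad-b2c samples: the API receives the objectId input claim posted by the REST technical profile, asks Graph whether the authentication method quoted in the answer exists for that user, and returns the MFAUser output claim (or B2C's 409 error shape when the check cannot be completed). The injected graph_get callable, the /users/{objectId} form of the path and the fake Graph data are assumptions.

```python
from typing import Callable, Dict, Tuple

# Added example, not code from this thread or from the azure-ad-b2c samples.
# Graph resource quoted in the answer above; the method id is the one given there.
AUTH_METHOD_ID = "3179e48a-750b-4051-897c-87b9720928f7"
GRAPH_BASE = "https://graph.microsoft.com/beta"

# Assumption: the Graph call is injected as a callable url -> (status, body) so the
# handler can be exercised offline; a real API would use an app-only Graph token.
GraphGet = Callable[[str], Tuple[int, str]]


def mfa_status_url(object_id: str) -> str:
    # Assumption: the API runs as a daemon and checks the signing-in user by objectId
    # under /users/{id}; the answer shows the /me form of the same resource.
    return f"{GRAPH_BASE}/users/{object_id}/authentication/methods/{AUTH_METHOD_ID}"


def b2c_error(message: str) -> Tuple[int, dict]:
    # Error shape a B2C REST technical profile understands: HTTP 409 plus this body.
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def check_mfa_claim(request_body: dict, graph_get: GraphGet) -> Tuple[int, dict]:
    """Handle the claims POST from the REST technical profile.

    Returns (http_status, json_body) in the form B2C expects back."""
    object_id = request_body.get("objectId")
    if not object_id:
        return b2c_error("Missing objectId input claim.")
    status, _ = graph_get(mfa_status_url(object_id))
    if status == 200:   # method registered: MFAUser true, enrolment step can be skipped
        return 200, {"MFAUser": True}
    if status == 404:   # method not found: MFAUser false, route to enrolment
        return 200, {"MFAUser": False}
    # Throttling, an outage or a bad token must not be read as "not enrolled": fail
    # closed so B2C shows an error instead of letting the user past the MFA check.
    return b2c_error("Could not verify the MFA registration; try again later.")


# Constructed stand-in for Graph for offline runs, keyed by user objectId.
FAKE_GRAPH: Dict[str, Tuple[int, str]] = {
    "11111111-1111-1111-1111-111111111111": (200, "{}"),
    "22222222-2222-2222-2222-222222222222": (404, ""),
}


def fake_graph_get(url: str) -> Tuple[int, str]:
    object_id = url.split("/users/")[1].split("/")[0]
    return FAKE_GRAPH.get(object_id, (503, ""))   # unknown user: simulate an outage
```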

@SyedMustafaShah-3325
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?
If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

RezaeiMohsen-0363 answered

Hi, I've used https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp and it's working fine. Just one question: after a user has scanned the QR code and registered their phone, if they want to use another phone or reset their MFA, how can they get the QR code?
