MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

B2C - conditional access - MFA prompt #85978

Closed EnzoGorlomi23 closed 2 years ago

EnzoGorlomi23 commented 2 years ago

Trying to set up Conditional Access MFA for a B2C custom policy. B2C is able to detect a risky user but does not prompt for MFA.

In the id_token we are able to see `conditionalAccessClaimCollection = mfa`, but there is no prompt.

Any guidance? I have not received sufficient support from a support ticket. Any help is appreciated.

```xml
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="mfaType" Required="true" />
    <DisplayClaim ClaimTypeReferenceId="readOnlyPhone" />
    <DisplayClaim ClaimTypeReferenceId="readOnlyEmail" />
    <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
  </DisplayClaims>
  <Actions>
    <Action Id="SendCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-SendSmsSimple">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>mfaType</Value>
              <Value>email</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>mfaType</Value>
              <Value>phone</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
      </ValidationClaimsExchange>
    </Action>
    <Action Id="VerifyCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-VerifySms">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>mfaType</Value>
              <Value>email</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-VerifyCode">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>mfaType</Value>
              <Value>phone</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
      </ValidationClaimsExchange>
    </Action>
  </Actions>
</DisplayControl>
```

SamaraSoucy-MSFT commented 2 years ago

Hi @EnzoGorlomi23

If you could send an email to my attention to azcommunity@microsoft.com with the support case number, I can look into the case and work with the support engineer assigned to resolve it.

The best places for specific answers about implementations are going to be the Microsoft Q&A and Stack Overflow forums if you would like to try to get help from the community; we actively monitor those forums as well.

SamaraSoucy-MSFT commented 2 years ago

I'm going to close the issue here as no updates to the docs are needed.