I want to integrate Multi Factor Authentication (MFA) through Azure Active Directory (AD). I checked its documentation and some code samples, and then I found that Azure AD B2C has some features which suit my requirement.

NOTE - I only need the MFA feature from Azure AD B2C.

I tried this sample code provided in the official docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa

But I have some queries:

1) Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?

2) In Azure B2C, can I control the user flow with information from my website, so that the email and phone number will be from my website during the user flow? (I am asking this because according to my plan I am going to integrate it after the login process on my website.)

3) There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)

4) From where can I decide which type of user will be registered? The code which I have tried doesn't mention the user type. (Actually I want to know whether there is any parameter or option in the user flow which can decide the type of user that will be registered through this flow.)

Any help or suggestions will be helpful for me.

Thanks in advance.

I created a user flow for sign in and sign up, and ran it through the Azure Portal by clicking on "▶ Run user flow". In that flow, if I click on the Forgot your password? link, it redirects me to the Reply URL with the message "The user has forgotten their password." So is it possible to redirect the flow to Reset Password whenever the user clicks on Forgot your password? – Herry Shawn

So far as I know you only add 1 external reply URL in your application, which will come up on the user flow dropdown. In this aspect you cannot, because the password reset option sends you the code to your email as you have enabled MFA. You can take a look here: docs.microsoft.com/en-us/azure/active-directory-b2c/… – Md Farid Uddin Kiron

Hmm, thanks, you are right. I need to manually redirect the user to the reset password flow by identifying the response from the Sign in/Sign up flow. Also please help me to figure out how I can identify from the response which user was authenticated through Azure MFA. Here is the response at jwt.ms: Response. Can I use the emails key to identify the authenticated user? Is it reliable? – Herry Shawn

And here is my main goal: Please click on me – Herry Shawn

I am looking into it. But if the given answer was helpful regarding your previous question, you could mark it as the answer to help others, besides which I am figuring out your new plan also. As your new plan is too long to answer in a comment, I would suggest you raise a new question to answer in detail; you know a comment has limited character bindings. Thanks – Md Farid Uddin Kiron
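The two points raised in the comments above (detecting that the sign-in/sign-up flow ended in "Forgot your password?" and reading the returned id_token to see which user flow authenticated the user) as an added JavaScript example; it is not code from the question, the comments or the answer. It assumes the forgot-password case is signalled by the B2C error code AADB2C90118 in the error description, that the user flow name arrives in the tfp (or acr) claim, and that the token is a compact JWT; the sample token and claims are constructed.

```javascript
const FORGOT_PASSWORD_CODE = "AADB2C90118";

// Returns true when the sign-in/sign-up flow ended because the user clicked
// "Forgot your password?": the app should then start the password-reset flow.
function isForgotPasswordResponse(resp) {
  const text = [resp.error, resp.error_description, resp.errorMessage]
    .filter(Boolean).join(" ");
  return text.includes(FORGOT_PASSWORD_CODE);
}

function base64UrlDecode(s) {
  const padded = s.padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decodes the id_token payload WITHOUT verifying it; use these values only after
// a JWT library has validated signature, issuer, audience and expiry.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Picks what an app should key on: the stable object id (not the e-mail, which
// can change), the user flow that issued the token, and the first e-mail. B2C
// emits `emails` as an array and omits it when the flow did not collect one.
function summariseUser(claims) {
  return {
    id: claims.oid || claims.sub,
    policy: claims.tfp || claims.acr || null,
    email: Array.isArray(claims.emails) && claims.emails.length ? claims.emails[0] : null,
  };
}

// Constructed sample token: the payload is what matters, the signature is a dummy.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.dummy-signature`;
}

const SAMPLE_CLAIMS = {               // constructed values, not a real tenant
  oid: "00000000-0000-0000-0000-000000000001",
  tfp: "B2C_1_signupsignin",
  emails: ["user@example.com"],
};

// Usage: summariseUser(decodeIdTokenClaims(makeSampleToken(SAMPLE_CLAIMS)))
```

The policy claim tells you which user flow issued the token; whether that flow enforced MFA is a property of the flow's configuration, so keep the mapping from flow name to MFA requirement on the server side.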

1 Answer

1. Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?

Yes, you can restrict new users to sign in and sign up using MFA. For that you need to enable MFA. It's global MFA for all. See the screenshot below.

[Screenshot: Custom User Flow and Multi factor authentication]

Note: You can also implement MFA for each individual user.

See the screenshot below for individual MFA.

Once you implement MFA you will be prompted to verify your phone number like below.

Note:

For testing the MFA user flow you need a native application in the application drop-down.

See the screenshot below.

2. In Azure B2C, can I control the user flow with information from my website, so that the email and phone number will be from my website during the user flow? (I am asking this because according to my plan I am going to integrate it after the login process on my website.)

Yes, you can customize your user flow. You can add a new user flow according to your needs.

To do that, choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

Then in the left menu, select User flows, and then select New user flow.

See the screenshot below.

3. There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)

In short, a Work account has more privileges in a B2C tenant, as the official document says. A Consumer account cannot access some resources on the portal. For accessing the Microsoft Graph API, a Guest user has some restrictions even on the Azure portal.

Note: As per your requirement I would suggest you go with a Work account, which has some benefits when you access Microsoft APIs.

Though the account type mostly depends on your business needs, a Work account is more useful comparing all aspects.

Let's say you want to add some users who are already registered with some other organization, but you need to add them to your particular application's privileges. Then you need to add the user with Guest privileges.

4. From where can I decide which type of user will be registered?

Though the question is a bit confusing, as I said earlier it would depend on your business needs. A Work account is usually best for tenant users. So when you feel a new user needs to be added within your tenant, go with a Work account. Once you specify your need, it would definitely be easier for you to decide which kind of user you need to add. There is no such reference which can explain this well up to now.

Note: You could try adding all the user types to check how the user accounts behave using the portal and accessing resources.