Azure AD B2C associate user flow with an app one-to-one

0
votes

While researching how to require multi-factor auth for a specific app, I came across this challenge:

  • It's possible to create User flows (policies) in Azure AD B2C that would either require MFA or not
  • It's possible to use any of the user flows in any application. Selecting the user flow is done client-side in the provided samples, so it would be relatively easy to go around the MFA requirement by just using a suitable user flow. This can be guessed or found in another app.

Is there a way to require an app to use a specific user flow or restrict a user flow to be used with specific apps?

More information:

2
azuresingle-page-applicationazure-ad-b2cflow

2 Answers

2
votes

In Azure AD B2C, you aren't able to constrain an app to a flow or vice versa, however a given app can ensure that a specific flow was executed by validating the tfp claim in the ID token that is issued to it.

The tfp claim is set to the name of the policy (e.g. b2c_1_signupsignin1) that was executed to acquire the ID token.

0
votes

If someone needs this today, it's achievable with custom policies by overriding JwtIssuer technical profile and adding a metadata item for "IssuanceClaimPattern" .