Multi-factor auth in B2C does not persist telephone number


  • Hi,

    After creating a new account and providing the telephone number for MFA, Azure now keeps prompting for the telephone number at each subsequent login. That mostly defeats the purpose of MFA :(. It stopped working somewhere in the last couple of weeks. It worked OK in previous months. No configuration changes on our side. We have MFA turned on in the B2C policy. We did at some point turn on MFA in the classic portal when we created the Azure AD instance. That option is now gone from the classic portal (under Config). Is there a bad side effect from that setting now no longer being available?

    Wednesday, March 15, 2017 2:26 PM

All replies

  • You can find the Multi-Factor Authentication settings for the B2C Tenants in the new Azure Portal.

    Reference Documents:

    1. Azure Active Directory B2C: Enable Multi-Factor Authentication
    2. Azure Active Directory B2C: Extensible policy framework

    Thursday, March 16, 2017 5:54 AM
  • Hi,

    Those are the steps I followed. The first time you log in as that user, you get prompted to enter a phone number to perform MFA. When you complete that process, then log out and log in again as that user, you get prompted again for the phone number. When the second factor does not persist, it lowers the security profile considerably.

    I think the underlying problem might be that the requirement for the phone field in 'authentication contact info' has changed (under the user profile of the user). MFA seems to set that phone number to +11234567890, but the UI validation no longer accepts that input; it requires +1 1234567890 (notice the space between country code and number).

    Update: After manually changing the telephone number to the correct format it appeared to stick. So it appears that it could very well be MFA setting the phone number on the profile with an invalid format.

    • Edited by mrent Thursday, April 13, 2017 4:54 PM
    Tuesday, April 11, 2017 5:06 PM
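
Added example, not part of the thread and not Microsoft code: a small Python audit that flags stored MFA phone values in the compact form the last reply describes (`+11234567890`) and suggests the spaced form that reply says the profile UI accepts (`+1 1234567890`). The record layout, the function names and the calling-code subset are assumptions made for illustration; the two formats are taken from the reply, not from product documentation.

```python
import re

# Format the reply reports the profile UI accepts: "+<country code> <number>".
SPACED = re.compile(r"^\+(\d{1,3}) (\d{4,14})$")
# Format the reply reports MFA enrollment wrote: "+<digits>" with no space.
COMPACT = re.compile(r"^\+(\d{5,15})$")

# Assumption: small subset of ITU country calling codes, enough for the sample.
CALLING_CODES = {"1", "33", "44", "49", "61", "91"}


def classify(phone):
    """Return (status, suggested_value) for one stored phone string."""
    if phone is None or not phone.strip():
        return ("missing", None)
    phone = phone.strip()
    if SPACED.match(phone):
        return ("ok", phone)
    m = COMPACT.match(phone)
    if m:
        digits = m.group(1)
        # Calling codes are prefix-free, so at most one length can match.
        for n in (1, 2, 3):
            if digits[:n] in CALLING_CODES:
                return ("needs_space", f"+{digits[:n]} {digits[n:]}")
        return ("needs_space", None)  # code not in the subset: fix by hand
    return ("unrecognized", None)


def audit(users):
    """Return only the records whose phone value is not in the spaced format."""
    findings = []
    for u in users:
        status, fix = classify(u.get("phone"))
        if status != "ok":
            findings.append({"user": u["user"], "status": status, "suggested": fix})
    return findings


# Constructed sample export; user names and numbers are made up.
SAMPLE = [
    {"user": "alice", "phone": "+11234567890"},
    {"user": "bob", "phone": "+1 1234567890"},
    {"user": "carol", "phone": "+441234567890"},
    {"user": "dave", "phone": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Accounts reported as `needs_space` or `missing` are the ones that would be asked to enroll a phone number again at the next sign-in if the reply's diagnosis holds.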