ad b2c allow user to change MFA setting

Question

how would I allow the user to change their MFA setting like their phone number? I don't see any option for them to be able to do that easily.

Answer 1

Apparently, user's can't do that as stated by Saca

Admins can do this on the user's behalf via the Azure Portal though:

Users -> All users -> Pick the user you're interested in -> Update Phone under Authentication contact info

Answer 2

Try this. B2C MFA reset was the reason I wrote it. http://gordon.byers.me/azure/resetting-a-users-azure-ad-multi-factor-mfa-requirement/

As it's powershell you could put it inside an Azure function and call it via HTTP to allow the user to self serve.

Answer 3

Looks like this is now possible with custom policies.

There is a full example here: https://github.com/azure-ad-b2c/samples/tree/master/policies/edit-mfa-phone-number

In case the link breaks, the key part appears to be this:

  <TechnicalProfiles>
    <TechnicalProfile Id="PhoneFactor-EditAndVerify">
      <DisplayName>PhoneFactor</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
        <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
        <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

Answer 4

Currently it is not possible to change an Azure AD B2C users' MFA settings.

There's already an ask for this ask in the Azure AD B2C forum that you should vote for: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334329-change-security-info

Answer 5

The MFA phone number can be changed with custom policies. When you create a UserJourney that invokes a TechnicalProfile that does not take the strongAuthenticationPhoneNumber as InputClaim, IEF acts as if the user registers for MFA for the first time.

Of course you need to think about security measures, since it is a second factor that the user changes (e.g. ask the user to input some data, that can be validated, before allowing the user to change the phonenumber). Otherwise the use of MFA makes no sense.