AzureB2C user created using Graph API is required to re-register MFA on each login


We are having some login issues with AzureB2C users created using the Graph API. The Graph API uses client/secret credentials to add the user. When the user tries to log in he/she is prompted to register MFA (TOTP). At the next login the prompt appears again to register MFA. In the audit logs we clearly see a 'Microsoft.Online.Workflows.ValidationException' after registering the TOTP secret. No further details are present.

When the exact same user is entered directly in AzureB2C then everything is going fine. There are no differences, except the entity who created the user.

App registration

  • api permission include:
    • Application.Read.All
    • Group.ReadWrite.All
    • offline_access
    • openid
    • Policy.Read.All
    • Policy.ReadWrite.All
    • User.Invite.All
    • User.ReadWrite.All

User flow

  • MFA Type of method: Authenticator app - TOTP
  • MFA Enforcement: Conditional
  • Enforce conditional access policies: Yes

Conditional access policy

  • Applied on specific users/groups
  • Target resource: app
  • Grant access, require mfa

Details of the exception in the Audit log when the user registers MFA:

  • Service: Core Directory
  • Category: UserManagement
  • Activity: Update user
  • Status: failure
  • Status reason: Microsoft.Online.Workflows.ValidationException
  • Initiated by actor:
    • Type: Application
    • Displayname: Azure MFA StrongAuthenticationService

Code to add the user

    // Microsoft Graph SDK v5 (Microsoft.Graph / Microsoft.Graph.Models); the
    // collection expression for Identities needs C# 12.
    using Microsoft.Graph;
    using Microsoft.Graph.Models;

    var requestBody = new User
    {
        DisplayName = orgUser.Displayname,
        GivenName = orgUser.FirstName,
        Surname = orgUser.Surname,

        // Local B2C account that signs in with an email address; Issuer is the
        // B2C tenant domain name (e.g. contoso.onmicrosoft.com).
        Identities =
        [
            new ObjectIdentity
            {
                SignInType = "emailAddress",
                Issuer = Globals.AzureDomainName,
                IssuerAssignedId = orgUser.Email, // the snippet as posted read user.Email, which is not defined here
            },
        ],

        PasswordProfile = new PasswordProfile
        {
            Password = password,
            ForceChangePasswordNextSignIn = false,
        },
        // DisableStrongPassword lets Graph accept a password that does not meet
        // the tenant's complexity rules; keep it only if that is intended.
        PasswordPolicies = "DisablePasswordExpiration,DisableStrongPassword",
    };

    // Creates the user with the application (client credential) identity.
    var result = await _graphClient.Users.PostAsync(requestBody);

Creating the user via the AzureB2C portal creates a user with a properly working MFA experience. When creating the exact same user via the Graph API it experiences problems with registering the MFA, causing the user to have to register it on each login.

Answer by jan-marten

The app registration used to add users using Graph API was missing some settings.

Step 1: In Azure AD B2C:

  • Go to Roles and Administrators
  • Scroll down to 'User Administrator'
  • Click on three dots -> Description
  • Go to Manage -> Assignments
  • Click on + Add assignments
  • Enter the first couple of characters of the App name (it is not listed automatically for your convenience)
  • Select the app, click Add

Step 2: In Azure AD B2C (update: probably not needed)

  • Go to App registrations

  • Select the app from the list

  • Go to Manage -> Manifest

  • Add appRoles for Application Admin and Application User

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Admin",
            "displayName": "Admin",
            "id": "some-guid-here",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Admin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "User",
            "displayName": "User",
            "id": "some-guid-here",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "User"
        }
    ],
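The role assignment from Step 1 can also be scripted, which is useful when the same app registration has to be set up in several B2C tenants. The block below is an added example and is not code from the question or from jan-marten's answer. It uses the Microsoft Graph SDK v5 from the question's own code to resolve the app registration's service principal (roles are held by the service principal, not by the app registration), activate the built-in User Administrator role if the tenant has not activated it yet, add the service principal as a member, and read the membership back. It assumes, which the page does not state, that `graphClient` is an authenticated `GraphServiceClient` for the B2C tenant whose identity holds the admin-consented application permission `RoleManagement.ReadWrite.Directory` (not in the asker's permission list); `appId` is the application (client) ID of the app used to create users.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Added example, not code from the question or the answer. Performs the
// answer's Step 1 through the Graph SDK (v5): put the app registration's
// service principal into the built-in "User Administrator" directory role.
// Assumptions (not stated on the page): graphClient is an authenticated
// GraphServiceClient for the B2C tenant, and the identity behind it holds the
// admin-consented application permission RoleManagement.ReadWrite.Directory.
public static class UserAdminRoleAssignment
{
    // Well-known roleTemplateId of the built-in "User Administrator" role.
    public const string UserAdministratorTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1";

    // Returns the object id of the service principal that now holds the role.
    public static async Task<string> AssignUserAdministratorAsync(GraphServiceClient graphClient, string appId)
    {
        // 1. Resolve the service principal (Enterprise application) behind the app registration.
        //    Directory roles are assigned to service principals, not to app registrations.
        var spPage = await graphClient.ServicePrincipals.GetAsync(rc =>
            rc.QueryParameters.Filter = $"appId eq '{appId}'");
        var sp = spPage?.Value?.SingleOrDefault();
        if (sp?.Id is null)
        {
            throw new InvalidOperationException($"No service principal found for appId {appId}");
        }

        // 2. A built-in role is listed under /directoryRoles only once it has been activated
        //    in the tenant; look for it and activate it from its template when it is missing.
        var rolePage = await graphClient.DirectoryRoles.GetAsync();
        var role = rolePage?.Value?.FirstOrDefault(r => r.RoleTemplateId == UserAdministratorTemplateId);
        if (role is null)
        {
            role = await graphClient.DirectoryRoles.PostAsync(new DirectoryRole
            {
                RoleTemplateId = UserAdministratorTemplateId,
            });
        }
        if (role?.Id is null)
        {
            throw new InvalidOperationException("Could not find or activate the User Administrator role");
        }

        // 3. Add the service principal as a member unless it already is one (keeps re-runs idempotent).
        if (!await IsMemberAsync(graphClient, role.Id, sp.Id))
        {
            await graphClient.DirectoryRoles[role.Id].Members.Ref.PostAsync(new ReferenceCreate
            {
                OdataId = $"https://graph.microsoft.com/v1.0/directoryObjects/{sp.Id}",
            });
        }

        // 4. Verify by reading the membership back instead of trusting the add call's status.
        if (!await IsMemberAsync(graphClient, role.Id, sp.Id))
        {
            throw new InvalidOperationException("Role membership was not visible after the add call");
        }
        return sp.Id;
    }

    // Lists the role's members and checks whether the given directory object is among them.
    private static async Task<bool> IsMemberAsync(GraphServiceClient graphClient, string roleId, string principalId)
    {
        var members = await graphClient.DirectoryRoles[roleId].Members.GetAsync();
        return members?.Value?.Any(m => m.Id == principalId) ?? false;
    }
}
```

One consequence worth keeping in mind: User Administrator is a privileged directory role, so after this assignment the client secret used in the question's user-creation code effectively grants user-management power over the tenant. Treat that credential accordingly (a certificate credential rather than a shared secret, a short rotation period, and audit-log monitoring of what the service principal does).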