We have a Sign-Up only custom policy with a phone factor step to collect an MFA phone number. The phone factor page is pretty close to the samples.
We are using the multifactor:1.2.5 data URI and have localization entries added for errors like the Localization string IDs document:
error_tryagain, error_sms_throttled, error_phone_throttled, error_throttled, error_incorrect_code
After we press the resend SMS code link many times the SMS messages eventually stops sending, and in the Azure portal's user history we can see that azure encountered an error: "There are too many requests at this moment. Please wait for some time and try again." I would think this should appear on the screen, but there is no throttled message presented to the user. Is there something we are missing, or should we not expect an error to appear in this case? Other localizations on the page are working fine.
<!-- PhoneRegisterOrMFAPage -->
<ContentDefinition Id="api.partners.phoneRegisterOrMFAPage">
<LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri>
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5</DataUri>
<Metadata>
<Item Key="DisplayName">Multi-factor authentication page</Item>
</Metadata>
</ContentDefinition>
<TechnicalProfile Id="PhoneRegisterOrMFAPage">
<DisplayName>PhoneFactor</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.partners.phoneRegisterOrMFAPage</Item>
<!-- Setting the below to true, so the same profile can be used for phone MFA, or phone registration. Will avoid coming here when doing MFA and no phone -->
<Item Key="ManualPhoneNumberEntryAllowed">true</Item>
<Item Key="setting.authenticationMode">sms</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
<InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
<OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<LocalizedResources Id="api.partners.phoneRegisterOrMFAPage.en">
<LocalizedStrings>
...
<LocalizedString ElementType="UxElement" StringId="error_tryagain">EN-The phone number you provided is busy or unavailable. Please check the number and try again.</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="error_sms_throttled">EN-You hit the limit on the number of text messages. Try again shortly.</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="error_phone_throttled">EN-You hit the limit on the number of call attempts. Try again shortly.</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="error_throttled">EN-You hit the limit on the number of verification attempts. Try again shortly.</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="error_incorrect_code">EN-The verification code you have entered does not match our records. Please try again, or request a new code.</LocalizedString>
...
</LocalizedStrings>
</LocalizedResources>
I don't think there is a built in way to show the error to the user, you will need to create a custom rest api that will handle the rate limiting for you and then create a custom policy in Azure AD B2C which will include the rest api technical profile to call your rate limiting api. then you will need to update the phone factor auth page to the display the custom error message.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile