Is it possible to implement Azure AD B2C Auth using ROPC and MFA?
Microsoft docs pretty much explicitly say "no" (bold added by me):
ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password has expired or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent).
So, before I spend countless hours digging around, I was hoping someone here might be able to quickly settle this for me. Is there any way at all to implement MFA using Azure AD B2C ROPC? Or is it, as Microsoft indicates, flat-out "no"?
The main reason I ask is because that same paragraph suggests that ROPC cannot be used when the password needs to be reset - however, we've been able to implement a workaround for that, by using the Graph API to handle resetting of the password.
Presently, the way we are handling authentication is to call CreatePublicClientApplication().AcquireTokenByUsernamePassword(), and the way we are handling password reset is to call the Graph API with a PATCH request, setting the passwordProfile using the new password.
So - is there a way to basically "tell" Azure AD B2C that the MFA has been handled? My theory is perhaps we could do the following:
- User accesses login page
- User enters username and password
- System uses Graph API (or something else) to invoke an MFA request, causing the text message to be sent to user, and stores identifying handshake information for MFA request
- System temporarily stores the info, and then presents the user with a follow-up prompt saying something along the lines of "enter the code you received on your phone"
- User enters code within acceptable time limit
- System sends code to Graph API to validate
- System passes username, password, and handshake information from Step 3 to log user in
You are right, as mentioned in the MsDoc, ROPC will not work for the users who have enabled with MFA. They will be blocked by the application when they try to login.
I enabled MFA for the user like below:
I generated access token using ROPC flow by using below parameters:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
client_id:ClientID
scope:https://graph.microsoft.com/.default
username:ruk@xxxx.onmicrosoft.com
password:Trash33!
grant_type:password
client_secrer:***
And I got the error like below:
To resolve the error, I disabled MFA and access token got generated successfully:
Note that: The workaround you mentioned doesn't satisfy the ROPC flow with MFA enabled users.
Hence as a workaround. make use of any other user interactive flows such as Authorization Code flow, Implicit flow etc to achieve your scenario.
Generated auth-code like below:
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_Signinsignup/oauth2/v2.0/authorize?
&client_id=xxxx
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://b2ctenant.onmicrosoft.com/xxxxx/test.read
&state=12345
Now, I generated access token by using below parameters:
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1_Signinsignup/oauth2/v2.0/token
client_id:xxxx
grant_type:authorization_code
scope:https://b2ctenant.onmicrosoft.com/xxx/test.read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
- Flutter MSAL_js-based (B2C) Authentication fails
- Caching User Single Sign On using Distributed Cache
- How to redirect back to Azure AD B2C defining which custom policy to use based on the username given
- Access token not working Azure AD custom policy
- MSAL login getting stuck in .NET MAUI app
- Sign-up User Flow with Azure B2C and Microsoft.Identity.Web
- Azure AD B2C Password Reset
- Reset password MS Entra
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Retrieving tokens from aad_b2c_webview
- MissingPluginException When Using aad_oauth for Microsoft Multi-Factor Authentication in Flutter
- How to check user exists in AD B2C, using custom policy?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Use managed identity of the web app to manage b2c using graph api
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- no email in claim when logging on via Entra ID
- Azure B2C App Always Redirects to <domain>/MicrosoftIdentity/Account/Error
- How to Implement Direct Username and Password Login with Azure AD B2C in Flutter without Using Microsoft's UI?
- How to properly restrict access to an azur eweb application?
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Set-AzureADMSTrustFrameworkPolicy powershell cmdlet works on laptop but not in github actions. No changes done
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- B2C Custom Policy: Error changing localAccountPasswordReset Content selfAsserted policy version beyond 1.1.0
- Non Verified Domain as IdntifierUri for Azure B2C IEF Application
- B2C authentication not returning access_token
- How to disable authentication during the start up of an ASP.NET Core 5 Blazor B2C application?
- Email address empty when trying to read it out at the back end
- Creating a user in Azure AD B2C through Microsoft SSO
- Azure B2C client credentials flow throws invalid_grant AADB2C90085