I want to give users a choice between TOTP in the Microsoft Authenticator app or OTP via phone and email. I'm working with custom policies and currently have a separate set of policies for each method of MFA that work, but I can't quite figure out how to combine them.
One set of policies uses the Microsoft Authenticator app and the other uses phone/email to verify the user. (I know phone/email aren't recommended, but I'm working under requirements.)
The policies are the same except for the method of MFA and there are no local accounts, only external IDPs.
Right now, once a user authenticates using an IDP, they are redirected to either MFA via text/email or Authenticator app depending on the policies.
I want them to have a choice of MFA method, so I'm assuming I need to create a custom page for users to be able to select their preferred method? Sorry, I know this is a super broad question. I know how to do it from a technical standpoint, but I'm having trouble visualizing point A to point B. Thank you.
There are two options to achieve this.
Present both enrolment options on screen and show/hide the preferred method using JavaScript and custom UI.
Alternatively, a more common approach is to have a selection screen asking the user to choose upfront if they want to use phone or an authenticator app for MFA.
You can view a sample of similar code that allows a user to MFA by email or phone and substitute the email MFA technical profile with your authenticator technical profile.
Here are some examples of the changes you'd need to make to that sample:
- Rename extension_mfaByPhoneOrEmail to extension_mfaByAuthenticatorOrEmail.
- In extension_mfaByAuthenticatorOrEmail (previously extension_mfaByPhoneOrEmail), change Email to Authenticator.
- Replace the EmailVerifyOnSignIn technical profile with your authenticator technical profile.
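As an added illustration (not from the question, the answer or the linked sample), this is the shape the upfront-selection approach takes in Azure AD B2C custom policy XML: a restricted claim rendered as radio buttons, a self-asserted page that collects it, and two orchestration steps whose ClaimEquals preconditions ensure only the chosen MFA technical profile runs. The claim name and values follow the renaming described in the answer; Authenticator-Totp-Verify is a stand-in for the asker's existing authenticator technical profile, PhoneFactor-InputOrVerify is assumed to be the phone one, and the step numbers assume the external IdP exchange is step 2.

```xml
<!-- Claim holding the user's choice (radio buttons on the selection page) -->
<ClaimType Id="extension_mfaByAuthenticatorOrEmail">
  <DisplayName>MFA method</DisplayName>
  <DataType>string</DataType>
  <UserInputType>RadioSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="Authenticator app (TOTP)" Value="Authenticator" SelectByDefault="true" />
    <Enumeration Text="Code by phone or email" Value="Phone" SelectByDefault="false" />
  </Restriction>
</ClaimType>
<!-- Self-asserted page shown once after the external IdP step; the choice is required -->
<TechnicalProfile Id="SelfAsserted-MfaMethodSelect">
  <DisplayName>Choose your MFA method</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_mfaByAuthenticatorOrEmail" Required="true" />
  </OutputClaims>
</TechnicalProfile>
<!-- Journey steps after the IdP exchange: ask once, then run exactly one MFA step.
     ExecuteActionsIf="false" means: skip the step unless the claim equals the value. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="MfaMethodSelectExchange" TechnicalProfileReferenceId="SelfAsserted-MfaMethodSelect" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mfaByAuthenticatorOrEmail</Value>
      <Value>Authenticator</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AuthenticatorMfaExchange" TechnicalProfileReferenceId="Authenticator-Totp-Verify" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mfaByAuthenticatorOrEmail</Value>
      <Value>Phone</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneMfaExchange" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Because each MFA step is skipped unless the selection claim matches, a user can never complete the journey without passing exactly one of the two verifications; if the selection page is later hidden with JavaScript instead, keep these preconditions so the server-side branch, not the UI, decides which factor runs.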