We are currently using Custom Policies to manage the user journey for Sign Up / Sign In, as well as for Reset Password. As part of this process, we've enabled the MFA Phone / SMS option. Using the fabulous instructions we found on Wojtek's blog, we configured the journey initially using the User Flow setup, and then exported it to reverse-engineer using a Custom Policy, due to various requirements that could not be accomplished using the OOTB User flow.
We're now trying to add a feature to our application that will allow the user to reset their MFA option. The feature will be presented to the user on their profile page, and will simply be a button that will, internally, call the MS Graph API GET Phone Authentication Methods endpoint, and then iterate through the returned values and call the DELETE Phone Authentication Methods endpoint to remove them, after which on the next sign-in, the user will be prompted to add an MFA option (as they did when signing up).
The problem is that calling the aforementioned GET endpoint returns an empty result set. Digging further, calling the GET Authentication Methods endpoint yields only one result - namely, password authentication, which is their primary authentication method.
Searches for solutions to this haven't yielded much, with the exception of this Microsoft Learn thread detailing our exact problem. As mentioned in that thread, the default Azure AD B2C MFA implementation writes the data to the "Old Authentication Methods" UI. In that thread, the MSFT representative essentially said "sorry, but there's nothing you can do". Another similar question yielded a similar answer. My question is - in the ~8 months since that thread was created, has anything changed?
Namely, this Stack Overflow thread seems to indicate a potential hack-ish workaround: POST a dummy MFA phone number, then DELETE the dummy phone number. I'll give that a try, but in the interim I'd love to know if there are any "proper" solutions.
Confirmed that the solution from that other thread works, however, I'd still like to see if anyone else has other options.
It's been long enough now that I'll just mark this one as answered via the solution proposed here: Bug identified in Azure B2C MFA phone number format (missing spaces)
Very surprising that MSFT hasn't fixed this problem on their end yet.
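As an added illustration (not the poster's code, and not Microsoft's), here is the reset flow the question describes, written against the Graph v1.0 `/users/{id}/authentication/phoneMethods` endpoints: list the visible phone methods, DELETE each one, and if nothing is visible (the legacy B2C MFA store case) apply the POST-a-dummy-then-DELETE workaround. The HTTP transport is injected so the logic runs offline; `FakeGraph`, the method ids it returns, the dummy number and the `user-guid-placeholder` user id are all constructed for the example. The phone-number check enforces the `+{countrycode} {number}` form with a space, which is the format the accepted answer's "missing spaces" finding points at.

```python
import re
from typing import Callable, Dict, List, Optional

# Graph expects phone numbers as "+{country code} {number}" with a single space,
# e.g. "+1 2065551234"; a number without the space is the format bug the answer describes.
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")


def valid_graph_phone(number: str) -> bool:
    """True when the number is in the spaced form Graph accepts."""
    return bool(PHONE_RE.match(number))


# transport(verb, url, json_body) -> parsed JSON response; real code would wrap requests + a bearer token.
Transport = Callable[[str, str, Optional[dict]], dict]


class PhoneMethodsClient:
    """Thin wrapper around the three Graph calls used by the reset feature."""

    BASE = "https://graph.microsoft.com/v1.0"

    def __init__(self, transport: Transport, user_id: str):
        self.transport = transport
        self.path = f"{self.BASE}/users/{user_id}/authentication/phoneMethods"

    def list_methods(self) -> List[dict]:
        return self.transport("GET", self.path, None).get("value", [])

    def add_method(self, number: str, phone_type: str = "mobile") -> dict:
        if not valid_graph_phone(number):
            raise ValueError(f"phone number must look like '+1 2065551234', got {number!r}")
        return self.transport("POST", self.path, {"phoneNumber": number, "phoneType": phone_type})

    def delete_method(self, method_id: str) -> None:
        self.transport("DELETE", f"{self.path}/{method_id}", None)


def reset_phone_mfa(client: PhoneMethodsClient, dummy_number: str = "+1 2065550100") -> Dict[str, object]:
    """Remove every visible phone method; if none are visible, run the dummy POST/DELETE workaround.

    Returns a summary so the caller (and an audit log) can see what was actually done.
    """
    existing = client.list_methods()
    removed = []
    for method in existing:
        client.delete_method(method["id"])
        removed.append(method["id"])

    used_workaround = False
    if not existing:
        # Legacy B2C MFA store: GET returns nothing, so create and immediately delete a dummy.
        created = client.add_method(dummy_number)
        client.delete_method(created["id"])
        used_workaround = True

    return {"removed": removed, "used_workaround": used_workaround}


class FakeGraph:
    """Constructed in-memory stand-in for Graph that records every call (not a real client)."""

    def __init__(self, methods: List[dict]):
        self.methods = list(methods)
        self.calls: List[tuple] = []
        self._counter = 0

    def __call__(self, verb: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((verb, url.split("/authentication/")[1], body))
        if verb == "GET":
            return {"value": list(self.methods)}
        if verb == "POST":
            self._counter += 1
            method = {"id": f"dummy-{self._counter}", **(body or {})}  # constructed id
            self.methods.append(method)
            return method
        if verb == "DELETE":
            method_id = url.rsplit("/", 1)[1]
            self.methods = [m for m in self.methods if m["id"] != method_id]
            return {}
        raise ValueError(f"unsupported verb {verb}")


if __name__ == "__main__":
    graph = FakeGraph([])  # simulates the empty GET result the question reports
    print(reset_phone_mfa(PhoneMethodsClient(graph, "user-guid-placeholder")))
    print(graph.calls)
```

In production the transport would add the `Authorization: Bearer` header for an app registration holding the relevant `UserAuthenticationMethod.ReadWrite.All` permission, and the returned summary is worth writing to an audit log, since a method reset is a security-sensitive action on the account.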