Remove / Reset Azure AD B2C User MFA Option
We are currently using Custom Policies to manage the user journey for Sign Up / Sign In, as well as for Reset Password. As part of this process, we've enabled the MFA Phone / SMS option. Using the fabulous instructions we found on Wojtek's blog, we configured the journey initially using the User Flow setup, and then exported it to reverse-engineer using a Custom Policy, due to various requirements that could not be accomplished using the OOTB User flow.
We're now trying to add a feature to our application that will allow the user to reset their MFA option. The feature will be presented to the user on their profile page, and will simply be a button that will, internally, call the MS Graph API GET Phone Authentication Methods endpoint, and then iterate through the returned values and call the DELETE Phone Authentication Methods endpoint to remove them, after which on the next sign-in, the user will be prompted to add an MFA option (as they did when signing up).
The problem is that calling the aforementioned GET endpoint returns an empty result set. Digging further, calling the GET Authentication Methods endpoint yields only one result - namely, password authentication, which is their primary authentication method.
Searches for solutions to this haven't yielded much, with the exception of this Microsoft Learn thread detailing our exact problem. As mentioned in that thread, the default Azure AD B2C MFA implementation writes the data to the "Old Authentication Methods" UI. In that thread, the MSFT representative essentially said "sorry, but there's nothing you can do". Another similar question yielded a similar answer. My question is - in the ~8 months since that thread was created, has anything changed?
Namely,
- Is there a way to modify the Custom Policy to have the phone authentication method written to the "New Authentication Methods", which would allow us to use our original approach to remove them? The second Microsoft Learn thread linked above indicates that if there was a space between the country code and phone number, it would work properly - and indeed, testing this out by manually changing the number in Azure AD B2C, this works perfectly. But we're pretty new at the Custom Policy thing, so we're not sure how to go about that. Alternatively,
- Is there a way to read the "Old Authentication Methods" using the MS Graph API for Azure AD B2C?
EDIT 1
This stackoverflow thread seems to indicate a potential hack-ish workaround: POST a dummy MFA phone number, then DELETE the dummy phone number. I'll give that a try, but in the interim I'd love to know if there are any "proper" solutions.
EDIT 2
Confirmed that the solution from that other thread works, however, I'd still like to see if anyone else has other options.
It's been long enough now that I'll just mark this one as answered via the solution proposed here: Bug identified in Azure B2C MFA phone number format (missing spaces)
Very surprising that MSFT hasn't fixed this problem on their end yet.
- Why is C# app unable to enroll device into MS Intune via Microsoft graph API?
- Remove / Reset Azure AD B2C User MFA Option
- Case sensitive in VB.NET
- Create an online event using Microsoft Graph that links to an existing Teams meeting
- Internal server error when trying to send an email using Microsoft Graph API
- Graph API v5 upload file to sharepoint
- Get all user properties from Microsoft graph
- Privileged Identity Management - My roles
- Get User by email address using Microsoft Graph API
- Fetch a file from Office365 sharepoint graph api with a sharing link
- Microsoft Graph: How to filter users by domain name
- Blazor app hangs after request MS Graph Me.GetAsync()
- Graph API: Either scp or roles claim need to be present in the token
- How do I authorize a Python script to upload to SharePoint Online?
- Cannot fetch the customSecurityAttributes data from Entra ID user Profile using Microsoft Graph API in Dotnet Webapi
- How can I change default tenant in Microsoft Graph Explorer
- PnP Framework assign Permission to the SharePoint Using PowerCell
- How to access a group calendar using Microsoft Graph Api?
- getting color off calendar in microsoft graph api in calendarview
- Adding Students with the API and Class Notebook
- How to find the delay when I reset a password using Microsoft's Graph API?
- GraphServiceClient filter issue
- Verify Microsoft Access token on my ASP.NET Core Web API
- Microsoft Graph: List all users and their groups in one request
- How to handle scalability when sending DM with BotFramework
- How can I add email recipients to a Graph API request programmatically?
- Microsoft Identity Web: Change Redirect Uri
- Azure graph api to search groups whose displayName contains a specific term
- I am getting an error that OAuth2 Code has already been redeemed
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'