Tags: microsoft-graph-api, azure-ad-b2c, azure-ad-b2c-custom-policy, multi-factor-authentication

Remove / Reset Azure AD B2C User MFA Option


We are currently using Custom Policies to manage the user journey for Sign Up / Sign In, as well as for Reset Password. As part of this process, we've enabled the MFA Phone / SMS option. Using the fabulous instructions we found on Wojtek's blog, we configured the journey initially using the User Flow setup, and then exported it to reverse-engineer using a Custom Policy, due to various requirements that could not be accomplished using the OOTB User flow.

We're now trying to add a feature to our application that will allow the user to reset their MFA option. The feature will be presented to the user on their profile page, and will simply be a button that will, internally, call the MS Graph API GET Phone Authentication Methods endpoint, and then iterate through the returned values and call the DELETE Phone Authentication Methods endpoint to remove them, after which on the next sign-in, the user will be prompted to add an MFA option (as they did when signing up).

The problem is that calling the aforementioned GET endpoint returns an empty result set. Digging further, calling the GET Authentication Methods endpoint yields only one result - namely, password authentication, which is their primary authentication method.

Searches for solutions to this haven't yielded much, with the exception of this Microsoft Learn thread detailing our exact problem. As mentioned in that thread, the default Azure AD B2C MFA implementation writes the data to the "Old Authentication Methods" UI. In that thread, the MSFT representative essentially said "sorry, but there's nothing you can do". Another similar question yielded a similar answer. My question is - in the ~8 months since that thread was created, has anything changed?

Namely,

  1. Is there a way to modify the Custom Policy to have the phone authentication method written to the "New Authentication Methods", which would allow us to use our original approach to remove them? The second Microsoft Learn thread linked above indicates that if there was a space between the country code and phone number, it would work properly - and indeed, testing this out by manually changing the number in Azure AD B2C, this works perfectly. But we're pretty new at the Custom Policy thing, so we're not sure how to go about that. Alternatively,
  2. Is there a way to read the "Old Authentication Methods" using the MS Graph API for Azure AD B2C?

[Screenshot: Old Authentication Methods]

EDIT 1

This stackoverflow thread seems to indicate a potential hack-ish workaround: POST a dummy MFA phone number, then DELETE the dummy phone number. I'll give that a try, but in the interim I'd love to know if there are any "proper" solutions.

EDIT 2

Confirmed that the solution from that other thread works; however, I'd still like to see if anyone else has other options.
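A worked version of the reset flow the question describes (GET the phone methods, DELETE each one) together with the POST-a-dummy-then-DELETE workaround from the edits, as an added example; it is not code from the question or from Microsoft. The endpoints and payload shape are the documented `/users/{id}/authentication/phoneMethods` ones and the caller needs the `UserAuthenticationMethod.ReadWrite.All` Graph permission; the user id, token, phone numbers, method ids and the in-memory fake transport are constructed so the example runs offline. The format check refuses to write a number without the space between country code and subscriber number, which is the shape the linked bug report says Graph cannot see.

```python
"""Reset an Azure AD B2C user's MFA phone methods through Microsoft Graph.

Added example, not code from the question or from Microsoft. Endpoints and
payload shapes are the documented ones for /users/{id}/authentication/phoneMethods;
every id, token and phone number below is a constructed placeholder.
"""
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph stores phone methods as "+{country code} {number}" with a space
# (optional "x{ext}"). The question reports that a number written without
# the space by the B2C journey is not returned by GET .../phoneMethods,
# so never write one in that shape ourselves.
PHONE_FORMAT = re.compile(r"^\+\d{1,3} \d{4,14}(x\d+)?$")

# transport(method, url, json_body) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]


def is_graph_phone_format(number: str) -> bool:
    """True if `number` is in the "+1 2065550100" shape Graph expects."""
    return PHONE_FORMAT.fullmatch(number) is not None


def http_transport(token: str) -> Transport:
    """Real transport: urllib with a bearer token (not exercised offline)."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


class PhoneMethodClient:
    def __init__(self, transport: Transport) -> None:
        self.send = transport

    def _url(self, user_id: str, method_id: str = "") -> str:
        tail = f"/{method_id}" if method_id else ""
        return f"{GRAPH}/users/{user_id}/authentication/phoneMethods{tail}"

    def list_methods(self, user_id: str) -> List[dict]:
        status, payload = self.send("GET", self._url(user_id), None)
        if status != 200 or payload is None:
            raise RuntimeError(f"GET phoneMethods failed: HTTP {status}")
        return payload["value"]

    def add_method(self, user_id: str, number: str, phone_type: str = "mobile") -> dict:
        if not is_graph_phone_format(number):
            raise ValueError(f"{number!r} lacks the '+<cc> <number>' format Graph requires")
        status, payload = self.send("POST", self._url(user_id),
                                    {"phoneNumber": number, "phoneType": phone_type})
        if status != 201 or payload is None:
            raise RuntimeError(f"POST phoneMethods failed: HTTP {status}")
        return payload

    def delete_method(self, user_id: str, method_id: str) -> None:
        status, _ = self.send("DELETE", self._url(user_id, method_id), None)
        if status != 204:
            raise RuntimeError(f"DELETE phoneMethods/{method_id} failed: HTTP {status}")

    def reset_mfa_phone(self, user_id: str, dummy_number: str = "+1 2065550100") -> List[str]:
        """Remove every phone method and return the ids deleted.

        If GET shows nothing (the B2C case in the question), apply the
        POST-a-dummy-then-DELETE workaround from the thread's edits.
        dummy_number is a constructed 555-01xx placeholder.
        """
        methods = self.list_methods(user_id)
        if not methods:
            self.add_method(user_id, dummy_number)
            methods = self.list_methods(user_id)
        deleted = []
        for m in methods:
            self.delete_method(user_id, m["id"])
            deleted.append(m["id"])  # keep for the audit log: what was removed, for whom
        return deleted


def fake_graph(initial=()) -> Transport:
    """In-memory stand-in for Graph, constructed so the example runs offline."""
    store: Dict[str, dict] = {m["id"]: dict(m) for m in initial}
    counter = [0]

    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        _, _, rest = url.partition("/authentication/phoneMethods")
        if method == "GET" and rest == "":
            return 200, {"value": list(store.values())}
        if method == "POST" and rest == "":
            counter[0] += 1
            item = {"id": f"method-{counter[0]}", "phoneNumber": body["phoneNumber"],
                    "phoneType": body["phoneType"], "smsSignInState": "notSupported"}
            store[item["id"]] = item
            return 201, item
        if method == "DELETE" and rest.startswith("/"):
            if store.pop(rest[1:], None) is not None:
                return 204, None
            return 404, {"error": {"code": "ResourceNotFound"}}
        return 405, None
    return send


if __name__ == "__main__":
    # Swap fake_graph() for http_transport(access_token) against a real tenant.
    client = PhoneMethodClient(fake_graph())
    user = "00000000-0000-0000-0000-000000000000"  # placeholder object id
    print("deleted:", client.reset_mfa_phone(user))
    print("remaining:", client.list_methods(user))
```

The transport is injected so the same client logic runs against the in-memory fake here and against Graph with `http_transport(access_token)` in the application. Because this call removes a second factor, the application should only reach `reset_mfa_phone` after the user has freshly authenticated on the profile page, and the returned ids should be written to the audit log.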


Solution

  • It's been long enough now that I'll just mark this one as answered via the solution proposed here: Bug identified in Azure B2C MFA phone number format (missing spaces)

    Very surprising that MSFT hasn't fixed this problem on their end yet.