How can we improve Azure Active Directory?

Allow MFA to be enabled for a selected set of B2C users

We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.

22 votes

Azure AD Team (Admin, Software Engineer, Microsoft Azure) shared this idea

5 comments

  • Karl commented

    The scenario is simple. We have some customers who do not want MFA and some who do. Currently a policy is all or nothing.

  • Anonymous commented

    The AAD B2C admin should be able to enable MFA on a given user or group, just like it is possible in AAD or O365. Currently, it is coupled to the Flow for all apps or users using a given flow.

  • Robbie commented

    I agree with Ruan. We need something like conditional MFA. We would like to disable MFA for users who use their Azure AD account we configured in B2C as federated AAD. If we are able to disable MFA for certain IPs or groups and enable it for the rest, this problem is solved for us.

  • Ruan commented

    Perhaps approach this from the other side. If MFA is enabled on the B2C tenant by means of a policy (i.e., sign-in), then it applies to all users in the directory. An option to turn off MFA for some users (or a group) would be nice. We have automation tests across our platforms, and MFA stops us from delivering a system with these tests, while not having MFA poses security risks (but allows for automated testing). Turning off MFA for our test accounts only can help with this.
