Allow MFA to be enabled for selected set of B2C users
We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.
We would like more specifics on this scenario. How would you like users to self-identify for MFA?
Kapil Jethava commented
Any update on this thread?
It seems like MFA on B2C doesn't have nearly all the features of MFA on Premium AD. No conditional access, no blocking, one-time pass, no option to disable for certain users (for automated tests for example). It's all very confusing to be honest.
Kenny Scelfo commented
We would like our users to have a choice to enable MFA for themselves instead of forcing it on all users of a given application. It seems like you can enable MFA using the MFA link in the All Users section of AD B2C, but all subsequent attempts to log in fail with an error indicating that the user must register for MFA. The link provided by the process to enable MFA on the user (https://aka.ms/MFASetup) does not work with Azure AD B2C local accounts, as it appears to be expecting Microsoft Accounts or Azure AD (non-B2C) accounts.
This can help with service account scenarios or automated test scenarios, where we cannot use MFA from another app. E.g. I have an application which calls an API hosted in Azure and secured with B2C. As this application needs to run without any user interaction periodically, it cannot use MFA. So I want to disable MFA for this service account (which is registered in B2C), while other normal users continue to use MFA.
The scenario is simple. We have some customers who do not want MFA and some who do. Currently a policy is all or nothing.
The AAD B2C admin should be able to enable MFA on a given user or group, just like it is possible in AAD or O365. Currently, it is coupled to the Flow for all apps or users using a given flow.
Jivago Pecharki commented
Hi, any update on it?
I agree with Ruan. We need something like conditional MFA. We would like to disable MFA for users who use their Azure AD account we configured in B2C as federated AAD. If we are able to disable MFA for certain IPs or groups and enable it for the rest, this problem is solved for us.
Perhaps approach this from the other side. If MFA is enabled on the B2C tenant by means of a policy (i.e. sign-in) then it applies to all users in the directory. An option to turn off MFA for some users (or a group) would be nice. We have automation tests across our platforms and MFA stops us from delivering a system with these tests, while not having MFA poses security risks (but allows for automated testing). Turning off MFA for our test accounts only can help with this.
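The requests above all come down to making the MFA step of a B2C user journey conditional on a per-user attribute rather than on the policy as a whole. The fragment below is an added example, not code from this thread or from Microsoft's starter pack; it assumes a tenant that already runs the SocialAndLocalAccountsWithMfa custom-policy starter pack, and it introduces a hypothetical boolean extension attribute named `extension_mfaOptIn` that a user or admin sets when opting in. The step order (`Order="4"`) is a placeholder and must match the position of the phone-factor step in the tenant's own journey; the claim must be declared in the ClaimsSchema and emitted by the user-read technical profile before the precondition can see it.

```xml
<!-- Added example (not from the thread). Hypothetical claim: extension_mfaOptIn. -->

<!-- 1. Declare the opt-in flag as a claim in the ClaimsSchema of the base file. -->
<ClaimType Id="extension_mfaOptIn">
  <DisplayName>User has opted in to MFA</DisplayName>
  <DataType>boolean</DataType>
  <UserHelpText>Set to true when the user or an admin enables MFA for this account.</UserHelpText>
</ClaimType>

<!-- 2. Read the flag from the directory after sign-in, so the journey can branch on it.
        This OutputClaim goes inside the AAD-UserReadUsingObjectId technical profile. -->
<OutputClaim ClaimTypeReferenceId="extension_mfaOptIn" />

<!-- 3. In the sign-in user journey, run the phone-factor step only for opted-in users.
        Order="4" is a placeholder; place this after the user-read step in your journey. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <!-- Users who never opted in have no claim value at all: skip the MFA step. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>extension_mfaOptIn</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Users who explicitly opted out (flag stored as False): skip the MFA step.
         The boolean is compared as the string "False" here; verify the exact
         serialization against your own tenant's policy (assumption). -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_mfaOptIn</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- Everyone else goes through the starter pack's phone registration/verification. -->
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The same precondition pattern keys on any claim available at that point in the journey, so the federated-AAD case above can be handled by testing `authenticationSource` instead of an extension attribute. Two points a reviewer would raise: the opt-in flag must only be writable through an admin path or a dedicated, already-authenticated profile-edit journey, otherwise the attacker who holds the password can simply clear it; and the non-interactive daemon in the service-account comment is better served by an application identity and the OAuth 2.0 client-credentials grant, where the tenant supports it, than by a user account exempted from MFA.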