Allow MFA to be enabled for selected set of B2C users
We would like users to choose if they want MFA enabled, and therefore a policy should trigger MFA only if the user or admin opts in for it.
We would like more specifics on this scenario. How would you like the user to self-identify for MFA?
Robert van der Kleij commented
Our scenario is that we have users that have different access roles in one of the applications. Some of those roles are a privileged account (admin or access to more data than other users). We would like to have the option to have one user flow/custom policy where we can specify which users for that policy need to log on via MFA. There are several ways to accomplish this:
- MFA based on a filter for a certain group of users based on one of the profile properties
- MFA per user
Anuar Nurmakanov commented
Do you have any feedback so far? I can help you to find one scenario:
* We have MFA enabled for one of our applications
* But we have some tests (some kind of tests) that work without humans. So we need something that will let these tests pass MFA.
Bring Premium AD MFA features to B2C; all-or-nothing at the policy level is not good enough.
Kapil Jethava commented
Any update on this thread?
It seems like MFA on B2C doesn't have nearly all the features of MFA on Premium AD. No conditional access, no blocking, one-time pass, no option to disable for certain users (for automated tests for example). It's all very confusing to be honest.
Kenny Scelfo commented
We would like our users to have a choice to enable MFA for themselves instead of forcing it on all users of a given application. It seems like you can enable MFA using the MFA link in the All Users section of AD B2C, but all subsequent attempts to log in fail with an error indicating that the user must register for MFA. The link provided by the process to enable MFA on the user (https://aka.ms/MFASetup) does not work with Azure AD B2C local accounts, as it appears to be expecting Microsoft Accounts or Azure AD (non-B2C) accounts.
This can help with service account scenarios or automated test scenarios, where we cannot use MFA from another app. E.g. I have an application which calls an API hosted in Azure and secured with B2C. As this application needs to run without any user interaction periodically, it cannot use MFA. So I want to disable MFA for this service account (which is registered in B2C), while other normal users continue to use MFA.
The scenario is simple. We have some customers who do not want MFA and some who do. Currently a policy is all or nothing.
Richard Hubert commented
The AAD B2C admin should be able to enable MFA on a given user or group, just like it is possible in AAD or O365. Currently, it is coupled to the Flow for all apps or users using a given flow.
Jivago Pecharki commented
Hi, any update on it?
I agree with Ruan. We need something like conditional MFA. We would like to disable MFA for users who use their Azure AD account we configured in B2C as federated AAD. If we are able to disable MFA for certain IPs or groups and enable it for the rest, this problem is solved for us.
Perhaps approach this from the other side. If MFA is enabled on the B2C tenant by means of a policy (i.e. sign-in) then it applies to all users in the directory. An option to turn off MFA for some users (or a group) would be nice. We have automation tests across our platforms and MFA stops us from delivering a system with these tests, while not having MFA poses security risks (but allows for automated testing). Turning off MFA for our test accounts only can help with this.