
I have currently implemented the following with custom policies in my Azure AD B2C:

  • The user signs in with their Office or Google account.
  • If they have 2FA enabled on their social account, they authenticate themselves.
  • They get sent back to B2C and get asked for the B2C 2FA (I do not want this if they already did 2FA on their social account)

Is there any way to implement it so that users must authenticate twice instead of three times? I want to keep 2FA if users have not set it up for their social accounts.

For example, is it possible to check if 2FA was used on the social sign in? Or is it possible to enforce 2FA on social account sign ins?

I have used the following templates for my setup:

Tim Chermin
  • Interesting case, but seems like external idp would have to return information whether MFA was used or not on its side. – kamilz Apr 06 '22 at 12:44
  • @tim-chermin did you manage to get it working? We have encountered a similar use case where the external IdP is Azure AD and users who have already done their MFA should not be asked to do the MFA again after returning to the b2c user flow. – Bhushan Sep 16 '22 at 11:53
  • @Bhushan sadly, no I did not get it to work. Although I did give up a couple of weeks after posting the question, there may have been some changes in the meantime. I might look into it again in the next couple of months. If you find anything, would appreciate it if you let me know. – Tim Chermin Sep 16 '22 at 13:52
  • I don't think it is possible; you depend on the login on the social account. This is not what SSO is or how IdPs are used: you treated the authentication as valid, you rely on the IdP to authenticate the user, however it is done, and take it as valid. – Iria Mar 09 '23 at 08:41

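As an added illustration (not taken from the question or its comments) of kamilz's point that the external IdP has to report whether MFA happened: Azure AD, the "Office" account here, includes `mfa` in the `amr` claim of its ID token when multi-factor authentication was performed, so a custom policy can map that claim and skip the B2C MFA step only when it is present; Google returns no equivalent claim, so those sign-ins still get the B2C MFA step. The technical profile ID `AAD-OIDC`, the claim names and the step order are placeholders, and mapping `amr` as a `stringCollection` is assumed.

```xml
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Added example with placeholder IDs. amr arrives as a JSON array, e.g. ["pwd","mfa"] -->
    <ClaimType Id="amr">
      <DataType>stringCollection</DataType>
    </ClaimType>
    <ClaimType Id="idpMfaDone">
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- idpMfaDone = true when the amr collection contains "mfa" (case-insensitive) -->
    <ClaimsTransformation Id="CheckAmrForMfa" TransformationMethod="StringCollectionContains">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="amr" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="item" DataType="string" Value="mfa" />
        <InputParameter Id="ignoreCase" DataType="string" Value="true" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="idpMfaDone" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<!-- In the Azure AD OpenIdConnect technical profile (ID is a placeholder): read amr, derive idpMfaDone -->
<TechnicalProfile Id="AAD-OIDC">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="amr" PartnerClaimType="amr" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckAmrForMfa" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<!-- The orchestration step that runs the B2C phone MFA from the MFA starter pack; Order is a placeholder -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <!-- Skip B2C MFA only when the external IdP asserted it already performed MFA; Google never sets it -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>idpMfaDone</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Skipping the step on this claim means B2C trusts the federated IdP's MFA assertion, which is the same trust already placed in its password authentication; users whose IdP returns no `mfa` value keep the B2C second factor.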
0 Answers