AAD B2C 条件 MFA - 不要注册

编程问答 2022-04-24

问题描述

我们为 3 万用户和一系列应用使用 AAD B2C。我想逐步向一部分用户推出 MFA。条件访问策略听起来很完美,但作为内置登录用户流程的一部分,系统会提示用户注册 MFA 并输入电子邮件/电话,即使他们不受条件访问策略的保护。这认了缓慢推出 MFA 的目的。

页面建议无论条件访问如何都会进行注册https://docs.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-user-flow

我已经找到了通过 Graph API 更新用户身份验证电话或电子邮件方法……但我不想这样做,因为我不确定我手头有正确的电话号码。

有没有办法延迟注册过程?

解决方法

您可以使用自定义政策来做到这一点。

使用扩展属性标记您要注册的用户。使用图形 api 来做到这一点。 在用户验证其凭据后,在自定义策略中读取此属性。另请阅读电话号码属性。

$tenant = "contoso.onmicrosoft.com"
#B2CUserMigration Application Registration Application Id
$ClientID      = "" 
#B2CUserMigration Application Registration generated key (client secret)  
$ClientSecret  = ""     
$loginURL = "https://login.microsoftonline.com"
$resource = "https://graph.microsoft.com"

# Get an OAuth 2 access token based on client id,secret and tenant
$body = @{grant_type="client_credentials";client_id=$ClientID;client_secret=$ClientSecret;resource=$resource}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenant/oauth2/token?api-version=1.0 -Body $body

#Part 2 - Register the extension attribute named "requiresMigration" into Azure AD B2C
#ObjectID of the b2c-extensions-app App Registration
$AppObjectID = ""

#Set the endpoint to register extension attributes
$url = "$resource/v1.0/applications/$AppObjectID/extensionProperties"

#Define the extension attribute
$body = @"
{ 
 "name": "requiresMFA","dataType": "Boolean","targetObjects": ["User"]
}
"@

#Patch the user
$objectId = "user objectId to update"
$url = "$resource/v1.0/users/$objectId"

$body = @"
{
   extension_GUID-WITHOUT-DASHES_requiresMFA: true
}
"@

如果属性设置为true,并且电话号码为空,则注册到mfa。使用一组先决条件控制 mfa 编排步骤。

        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="requiresMFA" DefaultValue="false"/>
            <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" DefaultValue="00"/>
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

        <OrchestrationStep Order="XX" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>isActiveMFASession</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>requiresMFA</Value>
              <Value>False</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
          </ClaimsExchanges>
        </OrchestrationStep>
aad-b2cazure-ad-b2cmulti-factor-authentication