AAD B2C Conditional MFA - Don't Enroll
We use AAD B2C for 30k users and a range of applications. I want to roll out MFA gradually to a subset of users. Conditional Access policies sound perfect, except that, as part of the built-in sign-in user flow, users are prompted to enroll in MFA and enter an email/phone even when they are not in scope of the Conditional Access policy. This defeats the purpose of a slow MFA rollout.
This page suggests that enrollment happens regardless of Conditional Access.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-user-flow
I found a way to update a user's authentication phone or email through the Graph API... but I don't want to do that, because I'm not sure I have the correct phone number on hand.
Is there a way to defer the enrollment process?
You can do this with a custom policy.
Tag the users you want to enroll with an extension attribute. Use the Graph API to do this.
Read this attribute in the custom policy after the user has validated their credentials. Also read the phone number attribute.
$tenant = "contoso.onmicrosoft.com"
#B2CUserMigration Application Registration Application Id
$ClientID = ""
#B2CUserMigration Application Registration generated key (client secret)
$ClientSecret = ""
$loginURL = "https://login.microsoftonline.com"
$resource = "https://graph.microsoft.com"
# Get an OAuth 2 access token based on client id, secret and tenant
$body = @{grant_type="client_credentials";client_id=$ClientID;client_secret=$ClientSecret;resource=$resource}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenant/oauth2/token?api-version=1.0" -Body $body
# Every Graph call below carries the token as a bearer header
$headers = @{ "Authorization" = "Bearer $($oauth.access_token)" }
#Part 2 - Register the extension attribute named "requiresMFA" into Azure AD B2C
#ObjectID of the b2c-extensions-app App Registration
$AppObjectID = ""
#Set the endpoint to register extension attributes
$url = "$resource/v1.0/applications/$AppObjectID/extensionProperties"
#Define the extension attribute
$body = @"
{
    "name": "requiresMFA",
    "dataType": "Boolean",
    "targetObjects": ["User"]
}
"@
# The response carries the full directory name of the property,
# extension_<application ID of b2c-extensions-app without dashes>_requiresMFA
$ext = Invoke-RestMethod -Method Post -Uri $url -Headers $headers -Body $body -ContentType "application/json"
$extName = $ext.name
#Patch the user
$objectId = "user objectId to update"
$url = "$resource/v1.0/users/$objectId"
# PATCH changes only the listed property; the rest of the user object is untouched
$body = @"
{
    "$extName": true
}
"@
Invoke-RestMethod -Method Patch -Uri $url -Headers $headers -Body $body -ContentType "application/json"
If the attribute is set to true and the phone number is null, enroll the user in MFA. Control the MFA orchestration step with a set of preconditions.
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <OutputClaims>
    <!-- Custom attributes are referenced with the extension_ prefix (declare
         <ClaimType Id="extension_requiresMFA"> with DataType boolean in the ClaimsSchema);
         B2C maps it to the requiresMFA property registered on b2c-extensions-app -->
    <OutputClaim ClaimTypeReferenceId="extension_requiresMFA" DefaultValue="False"/>
    <!-- No DefaultValue here: when the user has no phone the claim stays absent,
         so PhoneFactor-InputOrVerify asks for a number instead of verifying one -->
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber"/>
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
<OrchestrationStep Order="XX" Type="ClaimsExchange">
  <Preconditions>
    <!-- Skip the step when this session already completed MFA -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- Skip the step for every user not flagged for the rollout -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_requiresMFA</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
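The tagging step above, carried through for a whole pilot cohort, as an added example that is not code from the original answer: it flags each cohort member with the requiresMFA extension attribute and then reports which flagged users still have no phone method registered, which is exactly the set the policy will prompt to enroll on their next sign-in. It assumes (hypothetically) an app registration holding the admin-consented application permissions User.ReadWrite.All and UserAuthenticationMethod.Read.All, a file cohort.csv with an "objectId" column, the requiresMFA attribute already registered on b2c-extensions-app, and that the B2C MFA phone is exposed through the Graph phoneMethods collection; the function and variable names are the example's own.

```powershell
# Added example, not code from the original answer: flag a pilot cohort with the
# requiresMFA extension attribute and report who still has no phone method registered.
# Assumptions (hypothetical): app registration with application permissions
# User.ReadWrite.All and UserAuthenticationMethod.Read.All, admin-consented;
# cohort.csv with an "objectId" column; requiresMFA already registered on b2c-extensions-app.
$tenant       = "contoso.onmicrosoft.com"
$clientId     = ""   # application (client) ID of the tagging app registration
$clientSecret = ""   # its client secret
$extAppId     = ""   # application (client) ID of b2c-extensions-app (with dashes)
$graph        = "https://graph.microsoft.com/v1.0"

# Directory extension properties are named extension_<app ID without dashes>_<name>
$extName = "extension_{0}_requiresMFA" -f ($extAppId -replace "-", "")

function Get-GraphToken {
    # v2.0 client-credentials flow; .default requests every consented app permission
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://graph.microsoft.com/.default"
    }
    $uri = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Invoke-Graph {
    # Thin wrapper: bearer header, JSON body, and a bounded retry on 429 throttling
    param([string]$Method, [string]$Uri, $Body)
    $req = @{ Method = $Method; Uri = $Uri; Headers = @{ Authorization = "Bearer $token" } }
    if ($null -ne $Body) {
        $req.Body        = $Body | ConvertTo-Json -Compress
        $req.ContentType = "application/json"
    }
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try { return Invoke-RestMethod @req }
        catch {
            $status = [int]$_.Exception.Response.StatusCode
            if ($status -eq 429 -and $attempt -lt 5) { Start-Sleep -Seconds (2 * $attempt); continue }
            throw
        }
    }
}

function Set-MfaPilotFlag {
    # PATCH touches only the extension attribute; the rest of the user object is unchanged
    param([string[]]$ObjectIds, [bool]$Value = $true)
    foreach ($id in $ObjectIds) {
        Invoke-Graph -Method Patch -Uri "$graph/users/$id" -Body @{ $extName = $Value } | Out-Null
    }
}

function Get-MfaPilotReport {
    # One row per cohort member: is the flag set, and is a phone method registered yet?
    param([string[]]$ObjectIds)
    foreach ($id in $ObjectIds) {
        $user   = Invoke-Graph -Method Get -Uri "$graph/users/${id}?`$select=id,displayName,$extName"
        $phones = @((Invoke-Graph -Method Get -Uri "$graph/users/$id/authentication/phoneMethods").value)
        [pscustomobject]@{
            objectId    = $user.id
            displayName = $user.displayName
            requiresMFA = [bool]$user.$extName   # missing attribute reads as $false
            hasPhone    = $phones.Count -gt 0
        }
    }
}

$token  = Get-GraphToken
$cohort = (Import-Csv .\cohort.csv).objectId
Set-MfaPilotFlag -ObjectIds $cohort
# Rows with requiresMFA = True and hasPhone = False are the users the policy will
# prompt to enroll on their next sign-in; everyone else is left alone.
Get-MfaPilotReport -ObjectIds $cohort | Format-Table -AutoSize
```

Run the report again a week into the pilot: the hasPhone column turning true is the enrollment progress, and clearing the flag (`Set-MfaPilotFlag -ObjectIds $ids -Value $false`) backs a user out of the rollout without touching anything else on the account.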