
What is the recommended approach for generating Azure AD Signin logs with passwordless azure B2C signin custom policy?

I am implementing a passwordless signin experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a custom-attribute-stored phone number as an SMS MFA option, and OneTimePasswordProtocolProvider with a custom-attribute-stored email as an email MFA option. When I initiate a login, the first step is username retrieval. The username is used to read the MFA options from AD, which are then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options to issue a token to the application. This works great; however, I noticed that Active Directory does not store and log a "sign in" in the signin logs ( https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins ). Per the document, MFA challenges should generate a signin log, but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/OneTimePasswordProtocolProvider) are not sufficient.

I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating with a business requirement to see those logs generated for auditing purposes.

As a workaround, I am adding a pseudo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a signin log, but it seems hacky. My question is: what is the recommended approach to generate a signin log in Azure AD with a passwordless solution?

what is the recommended approach to generate a signin log in Azure AD with a passwordless solution

  • For this scenario, you can implement a magic link: in the web application the user clicks the login button and is then redirected to the identity provider in Azure AD B2C.

  • Now, in the custom policy page, the user can select the magic link option to authenticate; the user has to provide the email address and continue. Azure AD B2C will send a request to the magic link web application, and this web API is responsible for generating the magic link, which is sent to the user's mailbox.

For more information in detail, please refer to the links below:

samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub

https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements
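The "web API responsible for generating the magic link" in the answer above is the part a defender has to get right: the link must be signed, short-lived and redeemable only once, or it becomes a reusable credential. The following is an added illustration of that issuer/redeem logic in Python; it is not code from the azure-ad-b2c sample, and the signing key, redeem URL, lifetime and in-memory nonce store are constructed stand-ins.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo values, not taken from the B2C sample or any real deployment.
SIGNING_KEY = b"constructed-demo-key-change-me"
REDEEM_URL = "https://example.invalid/magic/redeem"
LIFETIME_SECONDS = 600

_used_nonces = set()  # one-time-use registry; a real service would persist this

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body):
    return _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def mint_magic_link(email, now=None):
    """Build the link e-mailed to the user: HMAC-signed payload with expiry and a fresh nonce."""
    now = time.time() if now is None else now
    payload = {"email": email, "exp": int(now) + LIFETIME_SECONDS, "nonce": secrets.token_urlsafe(16)}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{REDEEM_URL}?{urlencode({'token': body + '.' + _sign(body)})}"

def token_from_link(link):
    return parse_qs(urlparse(link).query)["token"][0]

def redeem_magic_token(token, now=None):
    """Return the verified email, or None if the token is malformed, tampered, expired or reused."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        if not hmac.compare_digest(sig, _sign(body)):  # constant-time check before trusting the body
            return None
        payload = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload["exp"] < now or payload["nonce"] in _used_nonces:
        return None
    _used_nonces.add(payload["nonce"])  # burn the nonce: a link is redeemable exactly once
    return payload["email"]
```

Each successful redeem is the point at which your API would hand the verified email back to the B2C policy (and where you would write your own audit record, since that step is what the question found missing from the Azure AD sign-in logs).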
