Azure B2C - Add/Update Authentication Contact Info


Problem description

We are using Azure B2C with a Reset password policy using MFA. ADAL is used for authentication and the Graph API to create / update a user.

When a user invokes the Reset password policy (through a link on the app), he first needs to provide an email address where a verification code is sent. Then (because MFA is enabled), if the user has a phone number in his Authentication Contact Info, Azure can send a text message or call this number to perform a second authentication check.

However, if the user does not have a phone number in his Authentication Contact Info, then Azure asks the user to enter a phone number to send the text message / call the number. At this point, the user can enter any number, so it is not really adding a layer of security!!

So I have two questions:

  1. When I create a user through ADAL + Graph (C#), how can I specify a phone number as an Authentication Contact Info (I tried Mobile or TelephoneNumber but obviously those are not the right fields) so that Azure will not ask me to enter a random phone number to perform the MFA?

  2. If 1. is possible, how can I update this phone number in the authentication info section (programmatically in C#)?

Thanks!

Recommended answer

As of today, the AD Graph API does not support adding an MFA phone number for an AAD B2C user programmatically. As a result, you would want to enable MFA during sign-up so the user's phone number is captured and stored in the directory, and used for subsequent authentications that require MFA.

The case that you have seen is when a user's phone number is not registered for MFA in the directory. This can happen in multiple cases:

  1. During sign-up, the user verifies their email address and provides a password, and clicks submit (so an account is created in the directory), but exits before completing MFA.
  2. The user account was created programmatically, in which case there is no way to add the phone number programmatically (as you note in your question, it can be added through the Admin UI).
  3. The application initially started with policies without MFA, but later decided to introduce MFA in some or all of the policies.

In all of these scenarios, the first time a user attempts to access an application (or any of its parts) that requires MFA and a phone number does not exist on the account, Azure AD B2C will require the user to verify and put their phone number on the account. Only then will the application be issued a token.

This is not specific to password reset; rather, all policies address the scenarios I described above. For example, an application can add MFA to the sign-in policy, and if there is no phone on record, during sign-in the user will be required to provide a phone number and validate it.
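For reference, the following is an added example (not code from the question or the answer) of the ADAL + Azure AD Graph provisioning path the question describes: it acquires a client-credential token with ADAL and creates a B2C local account through `https://graph.windows.net`. The tenant name, application id and secret are placeholders, and `displayName`/`mobile` values are whatever the caller passes in. The comments mark the practical consequence of the answer: `mobile` and `telephoneNumber` are ordinary profile attributes, so an account created this way has no MFA phone and will be prompted to register one on its first MFA-protected policy run.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Newtonsoft.Json;

// Added example, not from the original question or answer.
// Tenant, application id and secret below are placeholders.
public static class B2CUserProvisioning
{
    const string Tenant = "contoso.onmicrosoft.com";   // placeholder
    const string ClientId = "<application id>";         // placeholder
    const string ClientSecret = "<application secret>"; // placeholder
    const string GraphResource = "https://graph.windows.net";
    const string ApiVersion = "1.6";

    // Client-credential token for the Azure AD Graph API via ADAL.
    static async Task<string> AcquireGraphTokenAsync()
    {
        var ctx = new AuthenticationContext($"https://login.microsoftonline.com/{Tenant}");
        var credential = new ClientCredential(ClientId, ClientSecret);
        AuthenticationResult result = await ctx.AcquireTokenAsync(GraphResource, credential);
        return result.AccessToken;
    }

    // Creates a local (email + password) B2C account.
    // "mobile" and "telephoneNumber" are plain profile attributes on the user
    // object. Setting them does NOT register the number as the MFA phone, so
    // this account is still prompted to register a phone the first time it hits
    // an MFA-protected policy (sign-in or password reset), as the answer states.
    public static async Task<string> CreateLocalAccountAsync(
        string email, string password, string displayName, string mobile)
    {
        var user = new
        {
            accountEnabled = true,
            creationType = "LocalAccount",
            displayName = displayName,
            passwordProfile = new { password = password, forceChangePasswordNextLogin = false },
            passwordPolicies = "DisablePasswordExpiration",
            signInNames = new[] { new { type = "emailAddress", value = email } },
            mobile = mobile
        };

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", await AcquireGraphTokenAsync());
            var url = $"{GraphResource}/{Tenant}/users?api-version={ApiVersion}";
            var content = new StringContent(JsonConvert.SerializeObject(user), Encoding.UTF8, "application/json");
            HttpResponseMessage response = await http.PostAsync(url, content);
            string body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException($"Graph returned {(int)response.StatusCode}: {body}");
            return body; // JSON of the created user, including its objectId
        }
    }

    // Updating the profile phone later is a PATCH on the user (question 2).
    // It has the same limitation: no Graph property writes the MFA phone.
    public static async Task UpdateProfilePhoneAsync(string objectId, string mobile)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", await AcquireGraphTokenAsync());
            var url = $"{GraphResource}/{Tenant}/users/{objectId}?api-version={ApiVersion}";
            var request = new HttpRequestMessage(new HttpMethod("PATCH"), url)
            {
                Content = new StringContent(JsonConvert.SerializeObject(new { mobile = mobile }),
                                            Encoding.UTF8, "application/json")
            };
            HttpResponseMessage response = await http.SendAsync(request);
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException(
                    $"Graph returned {(int)response.StatusCode}: {await response.Content.ReadAsStringAsync()}");
        }
    }
}
```

The operational caveat follows from the answer: until an account has completed MFA registration through a B2C policy, its password reset is protected only by the email verification code, and the first MFA-requiring policy run is where the phone gets bound. Accounts provisioned with code like the above should therefore not be treated as MFA-enrolled, and it is better to drive that first MFA run through a flow you control (for example sign-in immediately after provisioning) than to leave it to whoever first triggers the reset policy.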
