'Azure AD B2C associate user flow with an app one-to-one
While researching how to require multi-factor auth for a specific app, I came across this challenge:
- It's possible to create User flows (policies) in Azure AD B2C that would either require MFA or not
- It's possible to use any of the user flows in any application. Selecting the user flow is done client-side in the provided samples, so it would be relatively easy to go around the MFA requirement by just using a suitable user flow. This can be guessed or found in another app.
Is there a way to require an app to use a specific user flow or restrict a user flow to be used with specific apps?
More information:
Use a specific user Flow in an application: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa
Code sample: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp
User flows in Azure B2C: https://docs.microsoft.com/en-ca/azure/active-directory-b2c/active-directory-b2c-reference-policies
Solution 1:[1]
In Azure AD B2C, you aren't able to constrain an app to a flow or vice versa, however a given app can ensure that a specific flow was executed by validating the tfp
claim in the ID token that is issued to it.
The tfp
claim is set to the name of the policy (e.g. b2c_1_signupsignin1
) that was executed to acquire the ID token.
Solution 2:[2]
If someone needs this today, it's achievable with custom policies by overriding JwtIssuer technical profile and adding a metadata item for "IssuanceClaimPattern" .
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Chris Padgett |
Solution 2 | i-b |