Latest Posts

MFA using external identity providers

Posted on by Rishan Solutions

Loading

Multi-Factor Authentication (MFA) adds an extra layer of security to user logins by requiring more than one method of authentication—such as something the user knows (password) and something the user has (mobile device). Azure AD B2C supports MFA for local accounts, but when users sign in via external identity providers (like Google, Facebook, Microsoft, or enterprise IdPs), you must rely on the MFA capabilities of those providers.

This guide outlines how to ensure MFA is enforced or supported during sign-in via external IdPs.

Step 1: Understand the Role of External IdPs

When using external identity providers, such as:

  • Google
  • Facebook
  • Microsoft Account
  • GitHub
  • SAML/WS-Fed providers
  • Azure AD (for enterprise users)

Authentication (including MFA) is handled by that provider, not Azure AD B2C. Therefore:

  • Azure AD B2C delegates the login
  • MFA must be configured on the external IdP
  • Azure AD B2C cannot directly force MFA for those users

Step 2: Decide When MFA is Needed

Define the MFA use cases for your application:

  • For all users regardless of how they log in?
  • Only for local accounts (email/password)?
  • Or only for high-risk scenarios (new device, high-value transaction)?

This will inform whether to:

  • Rely on external IdP’s built-in MFA
  • Configure conditional access at enterprise IdPs
  • Combine custom claims and risk detection with custom policies

Step 3: Set Up Azure AD B2C Tenant and Register Applications

If not already done:

  1. Create your Azure AD B2C tenant
  2. Register your web/mobile applications
  3. Add identity providers in Azure AD B2C > Identity Providers

Example: Add Google, Facebook, and Azure AD as external IdPs.

Step 4: Enable MFA on External Identity Providers

You must configure MFA directly on each external IdP:

Google

  • Go to admin.google.com (for Workspace domains)
  • Enforce 2-Step Verification (SMS, authenticator app, etc.)

Facebook

  • Encourage users to enable two-factor via their settings
  • Cannot force it centrally, so use trust + advisory mechanisms

Azure AD (enterprise)

  • Use Conditional Access to enforce MFA
  • Configure policies like:
    • Require MFA for all sign-ins
    • Require MFA for risky sign-ins
  • Use Identity Protection for adaptive access

SAML/WS-Fed Providers

  • Configure MFA within their respective IdP platforms (e.g., Okta, Ping, ADFS)
  • Most provide step-up authentication options

Note: B2C will inherit the MFA experience if the external IdP triggers it.

Step 5: Customize the User Flow (Built-in or Custom Policies)

Azure AD B2C doesn’t control MFA on external IdPs directly, but you can detect or infer it through:

  • Claims returned by the IdP
  • Custom REST API checks
  • User session behavior

Options:

  • Built-in user flows: Only basic MFA for local accounts
  • Custom policies: Use Identity Experience Framework (IEF) for deeper control

Step 6: Add Identity Providers in Custom Policy (IEF)

To support MFA-aware login via IdPs:

  1. Download the IEF starter pack
  2. Add identity providers in TrustFrameworkExtensions.xml:
    <ClaimsProvider> <DisplayName>Google</DisplayName> <TechnicalProfiles> <TechnicalProfile Id="Google-OIDC"> <DisplayName>Google</DisplayName> <Protocol Name="OpenIdConnect"/> ... </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider>
  3. In the Relying Party policy, set up the orchestration step to use this IdP.

Step 7: Detect MFA Claims or Signals (If Supported)

Some IdPs include MFA status in the authentication claims, like:

  • amr (Authentication Method Reference): Could be ["pwd", "mfa"]
  • acr (Authentication Context Class Reference)

If present:

  • Capture it using OutputClaims in your technical profile
  • Pass it downstream via ID token
  • Optionally, block access if amr doesn’t include mfa

Example:

<OutputClaim ClaimTypeReferenceId="authenticationMethod" PartnerClaimType="amr"/>

Step 8: Combine with Conditional Access (for Azure AD External IdP)

If you use Azure AD as an identity provider:

  • Set Conditional Access policies in Azure AD, not B2C
  • Use policies like “Require MFA when accessing this app” or “Require MFA on risky sign-ins”
  • You can target users/groups or apps

In Azure AD:

  1. Go to Azure Active Directory > Security > Conditional Access
  2. Create policy
  3. Assign it to users and apps
  4. Select “Require Multi-Factor Authentication” under Access controls

Step 9: Log and Monitor Sign-In Behavior

Enable:

  • Sign-in logs in Azure B2C
  • Diagnostic logging on IdPs
  • Correlation tracking (to verify if MFA was prompted)

Ensure tokens include claims that reflect MFA state if available.

Step 10: Design UX to Reflect MFA Enforcement

Let users know during sign-in:

  • When MFA is triggered by the IdP
  • If an additional step is expected
  • Use page customizations to reflect status or offer support if login is blocked

Example: “You will be redirected to Google to complete your sign-in. If you have 2-Step Verification enabled, please confirm it.”

Step 11: Test Various MFA Scenarios

Run tests for:

  • Google with 2SV enabled and disabled
  • Facebook with MFA enabled
  • Azure AD enterprise login with Conditional Access enforcing MFA
  • SAML IdP with and without MFA claims

Check whether the amr or similar claims reflect MFA usage in each case.

Step 12: Fallback or Step-Up Options

If the IdP does not enforce MFA, but you want to step-up:

  • Implement a custom orchestration step after IdP login to trigger additional MFA using local methods (e.g., phone verification)
  • Use a REST API that flags high-risk sessions
  • Re-direct to a second MFA policy or user flow

Leave a Reply

Your email address will not be published. Required fields are marked *