Azure B2C - Add/Update Authentication Contact Info

Front-end · Unresolved · 1 · 1352
隐瞒了意图╮ 2021-01-19 23:05

We are using Azure B2C with a Reset password policy using MFA. ADAL is used for authentication and Graph API to create / update a user.

When a user

1 answer
  • 2021-01-19 23:33

    As of today, AD Graph API does not support adding an MFA phone number for an AAD B2C user programmatically. As a result, you would want to enable MFA during sign-up so the user's phone number is captured and stored in the directory, and used for subsequent authentications that require MFA.

    The case that you have seen is when a user's phone number is not registered for MFA in the directory. This can happen in multiple cases:

    1. During sign-up, a user validates their email address and provides a password, clicks submit (and thus has an account created in the directory), but drops out before finishing the MFA.
    2. The user account was created programmatically, in which case the phone number cannot be added programmatically (it can be added through Admin UI as you noted in the question).
    3. The application initially started with policies without MFA but then decided to introduce MFA in some or all the policies.

    In all of these scenarios, the first time a user attempts to access an application (or any of its parts) that requires MFA and a phone number does not exist on the account, Azure AD B2C will require the user to verify and put their phone number on the account. Only then will the application be issued a token.

    This is not specific to password reset; rather, it applies to all policies, to address the scenarios I described above. For example, an application can add MFA to the sign-in policy, and if there is no phone on the record, during sign-in the user will be required to provide a phone number and validate it.

    0 · Discussion (0)