Repeated MFA Phone Number Prompt in "SignUpOrSignIn" User Journey

[mikefox]

Description
When logging in as a user using the "SignUpOrSignIn" user journey in TrustFrameworkBase.xml, I am prompted to enter my phone number and complete the 2FA verification successfully. However, upon logging out and signing back in, I am asked to enter my phone number again for 2FA.

This behavior persists on every login, even though my phone number is correctly registered under Authentication Methods in the Azure portal.

Expected Behaviour
Once the phone number is verified during the first MFA prompt, the "PhoneFactor-InputOrVerify" technical profile should recognise and use the previously verified number, preventing the need for re-entering or modifying it upon subsequent logins.

Observed Behaviour

• PhoneFactor-InputOrVerify always prompts for phone number input, even for returning users.
• The user is able to modify their phone number at each login, which defeats the purpose of 2FA security.
• strongAuthenticationPhoneNumber appears to be correctly stored in Azure under Authentication Methods.
• This issue suggests that the policy is not retrieving the stored phone number before prompting the user.

Could this be a permissions issue where the policy lacks the necessary rights to read strongAuthenticationPhoneNumber from Azure AD B2C? If so, what permissions should be configured to allow the policy to retrieve the stored phone number properly?

Or is there a configuration missing in my policy that ensures strongAuthenticationPhoneNumber is read before the "PhoneFactor-InputOrVerify" profile runs?

Any guidance would be greatly appreciated as I have spent several hours debugging this issue.

[davortsan]

Hi @mikefox . If you are using the starter pack (SocialAndLocalAccountsWithMfa) The strongAuthenticationPhoneNumber is read in the AAD-UserReadUsingAlternativeSecurityId TP. It must be an OutputClaim. Please, check it. If you are able to write the phone number in the user properties, I do not think it will be a permission issue.

[mikefox]

@davortsan Thanks for getting back to me. I can confirm strongAuthenticationPhoneNumber is an OutputClaim in "AAD-UserReadUsingAlternativeSecurityId" and "AAD-UserReadUsingObjectId" in the policies where I'm experiencing this issue. Also, if I set a "DefaultValue" attribute with my phone number for strongAuthenticationPhoneNumber in my "AAD-UserReadUsingObjectId" TP, I get the verify behaviour of the "PhoneFactor-InputOrVerify" TP as I would expect. The issue appears to be that the value of strongAuthenticationPhoneNumber for the user is not being fetched. Even though I can see it under the User's MFA settings.

Note: I have Application Insights and Dev Mode enabled. I can see the traces in Visual Studio as I have the extension installed. There is no exception being thrown or any other error to indicate an issue.

[davortsan]

Could you share your extension policy, please?

[mikefox]

I've worked out the problem. I was extending "AAD-UserReadUsingObjectId" in my extension policy but had added the following item to the Metadata element:

<Metadata>
    <Item Key="api-version">1.6</Item>
</Metadata>

When I remove this, strongAuthenticationPhoneNumber is read successfully.