Bug identified in Azure B2C MFA phone number format (missing spaces)

和自甴很熟 submitted on 2021-01-07 06:33:40

Question


This was suggested by Hari Krishna on another thread to open a new SO thread for this discussion. How do I programmatically clear or update a phone number for Azure AD B2C MFA?

We are using B2C custom policies with a step to write back the user's MFA profile to the B2C profile. The B2C technical profile name is AAD-UserWritePhoneNumberUsingObjectId.

<!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the
     previous step. If so, then the phone number is stored in the directory for future authentication requests. -->

<OrchestrationStep Order="12" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>newPhoneNumberEntered</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>


When this value is written back to B2C under Users->Authentication Methods->Phone, it does so in the format +12223334444 with no space in between the country code and the area code. B2C accepts this value and subsequent MFA requests work just fine.

However, the bug appears when you go to administer the MFA phone number using the Graph API methods under https://graph.microsoft.com/beta/users/{userId}/authentication/phoneMethods. When calling the GET method, any phone number not in the format +1 2223334444 (note the space between the country code and the area code this time) is ignored and the result is an empty array.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('{userId}')/authentication/phoneMethods",
    "value": []
}

Furthermore, the value cannot be deleted. Calling DELETE https://graph.microsoft.com/beta/users/{userId}/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7 results in a 404 with the response:

{
    "error": {
        "code": "resourceNotFound",
        "message": "Unable to delete authentication method of the requested type with an id of [3179e48a-750b-4051-897c-87b9720928f7] because it was not found for the user.",
        "innerError": {
            "message": "Unable to delete authentication method of the requested type with an id of [3179e48a-750b-4051-897c-87b9720928f7] because it was not found for the user.",
            "date": "2020-12-08T14:02:53",
            "request-id": "eba02037-1884-4dce-9faf-ceb1e377975b",
            "client-request-id": "eba02037-1884-4dce-9faf-ceb1e377975b"
        }
    }
}

The one thing that does work is to perform a "ghost update" with a PATCH request and then a subsequent DELETE request, which results in a blank phone number; the user will then be re-prompted to enter their new phone number on the next B2C sign-in attempt. See below.

Step 1 - Issue a "ghost update" to set the MFA phone number to a dummy value.

POST https://graph.microsoft.com/beta/users/{userId}/authentication/phoneMethods

{
  "phoneNumber": "+1 2223334444",
  "phoneType": "mobile"
}

Step 2 - Delete the dummy phone number, which is now allowed since it's in the correct format.

DELETE https://graph.microsoft.com/beta/users/{userId}/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7

This ultimately allows for a semi-suitable workaround because it allows an administrator to clear the old phone number so the user is re-prompted, but it is definitely a bug and prevents the administrator from viewing the existing phone number for verification purposes, which results in reduced security.
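As an added example (not from the original question and not Microsoft's own tooling), a small Python helper that converts the no-space E.164 form the technical profile writes (+12223334444) into the spaced form the question reports the Graph phoneMethods endpoint returning (+1 2223334444), and flags stored numbers an administrator could not see through that endpoint. The accepted-format pattern and the short country-code table are assumptions built from what the question shows; extend the table for your tenant.

```python
from __future__ import annotations

import re
from typing import Optional

# Partial table of country calling codes, constructed for this example
# (assumption: extend it for the markets your tenant serves).
COUNTRY_CODES = ("1", "7", "33", "44", "49", "61", "81", "86", "91", "351", "353")
# Longest prefix first, so "351" is not mistaken for "3" followed by "51...".
_CODES_BY_LEN = sorted(COUNTRY_CODES, key=len, reverse=True)

# Shape the question reports Graph accepting: "+<country code><space><national number>".
# Assumption derived from the post's examples, not from Microsoft documentation.
GRAPH_PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")


def split_e164(number: str) -> Optional[tuple[str, str]]:
    """Split '+12223334444' into ('1', '2223334444').
    Returns None when the input is not E.164 or its country code is unknown."""
    digits = number.strip()
    if not re.fullmatch(r"\+\d{8,15}", digits):
        return None
    body = digits[1:]
    for code in _CODES_BY_LEN:
        if body.startswith(code) and len(body) > len(code):
            return code, body[len(code):]
    return None


def to_graph_format(number: str) -> Optional[str]:
    """Return the number in the spaced form ('+1 2223334444'), or None
    when no safe conversion exists (unknown country code, not E.164)."""
    cleaned = number.strip()
    if GRAPH_PHONE_RE.fullmatch(cleaned):
        return cleaned  # already in the shape Graph returns
    parts = split_e164(cleaned)
    return f"+{parts[0]} {parts[1]}" if parts else None


def graph_would_hide(number: str) -> bool:
    """True when a stored number is in the no-space form that the beta
    phoneMethods GET, per the question, silently omits from its result."""
    return GRAPH_PHONE_RE.fullmatch(number.strip()) is None


def audit(stored_numbers: dict[str, str]) -> dict[str, Optional[str]]:
    """Map userId -> corrected number for every user whose stored MFA number
    an administrator could not see via Graph (None if it cannot be converted)."""
    return {uid: to_graph_format(n) for uid, n in stored_numbers.items() if graph_would_hide(n)}
```

Run `audit` over numbers exported from the directory to find the accounts affected before deciding whether to apply the POST-then-DELETE workaround above.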

Source: https://stackoverflow.com/questions/65200556/bug-identified-in-azure-b2c-mfa-phone-number-format-missing-spaces
