With Azure AD B2C you can detect unknown devices which might be required to prompt MFA as illustrated in this particular sample or send email to the user signing in from unknown device.
Custom policy is using such information as User Agent and IP Address to uniquely calcualte a Device ID for particular Device User ID. Information is stored in user's browser Web Storage and used in subsequent verifications to detect unknown device and prompt MFA.
Note: This sample uses client side JavaScript to collect basic device information to generate a fingerprint. A more robust mechanism is to use Microsoft Azure AD Identity Protection to utilize more advanced fingerprinting techniques.
Custom policy logic is primarily defined in following orchestration steps:
The diagram below depicts the user flow and how different components interact together.
Note: This sample is based on SocialAndLocalAccountsWithMfa starter pack and page layout contract. All changes are marked with Sample comment inside the policy XML files and source code. Make the necessary changes in the Sample action required sections.
Note: This sample is based on Ocean Blue page template. Please, upload assets folder and cusomization files in page-template folder to storage account as described in custom page content walkthrough. Change absolute URL for external resources like media, CSS, and JavaScript in HTML files.
Note: This sample is optimized for Visual Studio Code and Azure AD B2C Extension. Please, open vs.code-workspace, install recommended extension, change appsettings.json values, and build policies as described in policy settings section. Upload built policies from Environments\Samples folder to run them in the Azure Portal.
Generate a policy key with name DeviceInformationSecret, key type Secret and key usage Signature. Generated key will be used to hash such device information as Device User ID and Device ID.
Such information as User Agent, IP Address, and Device User ID is collected in this orchestration step. Moreover, previously recorded Verified Device ID is collected as well.
JavaScript is used to collect User Agent and Verified Device ID. CSS is used to hide inputs.
Device ID is calculated based on User Agent, IP Address, and Device User ID. Orchestration step validates Device ID against previosly recorded Verified Device ID and produces isVerifiedDevice claim.
CSS
#attributeList li.TextBox {
display: none;
}JavaScript
$(document).ready(function() {
$('#userAgent').val(navigator.userAgent);
var deviceUserId = $('#deviceUserId').val();
var verifiedDeviceId = localStorage.getItem(deviceUserId);
$('#verifiedDeviceId').val(verifiedDeviceId);
});Orchestration step prompts MFA for unknown devices using precondition with previously produced isVerifiedDevice claim.
Precondition
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isVerifiedDevice</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>Such information as Device User ID and Device ID is produced in this orchestration step.
JavaScript is used to collect that information and register for subsequent verificaitons. CSS is used to hide inputs.
CSS
#attributeList li.TextBox {
display: none;
}JavaScript
$(document).ready(function() {
var deviceUserId = $('#deviceUserId').val();
var deviceId = $('#deviceId').val();
localStorage.setItem(deviceUserId, deviceId);
});Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.