We are using Azure B2C with a Reset password policy using MFA. ADAL is used for authentication and Graph API to create / update a user.

When a user invokes the Reset password policy (thru a link on the app), he first needs to provide an email address where a verification code is sent. Then (because MFA is enabled), if the user has a phone number in his Authentication Contact Info, Azure can send a text message or call this number to perform a second authentication check.

However, if the user does not have a phone number in his Authentication Contact Info, then Azure is asking the user to enter a phone number to send the text message / call the number. At this point, the user can enter any number so it is not really adding a layer of security !!

So I have two questions:

1. When I create a user thru ADAL + Graph (C#), how can I specify a phone number as an Authentication Contact Info (I tried Mobile or TelephoneNumber but obviously, those are not the right fields) so that Azure will not ask me to enter a random phone number to perform the MFA ?

2. If 1. is possible, how can I update this phone number in the authentication info section (programmatically in C#) ?

Thx !

As of today, AD Graph API does not support adding MFA phone number for a AAD B2C user programmatically. As a result, you would want to enable MFA during sign-up so the user's phone number is captured and stored in the directory, and used for subsequent authentications that require MFA.

The case that you have seen is when a user's phone number is not registered for MFA in the directory. This can happen in multiple cases:

1. During sign-up, a user validates their email address and provides a password, clicks submit (and thus have an account created in the directory), but drops out before finishing the MFA.
2. The user account was created programmatically, in which case the phone number cannot be added programmatically (it can be added through Admin UI as you noted in the question).
3. The application initially started with policies without MFA but then decided to introduce MFA in some or all the policies.

In all of these scenarios, the first time a user attempts to access an application (or any of its parts) that requires MFA and phone number does not exist on the account, Azure AD B2C will require the user to verify and put their phone number on the account. Only then will the application be issued a token.

This is not specific to password reset, rather all policies to address the scenarios I described above. For example, an application can add MFA to the sign-in policy, and if there is no phone on the record, during sign-in, the user will be required to provide a phone number and validate it.