Merge pull request #99123 from MicrosoftDocs/master

12/16 PM Publish

Author: huypub

articles/active-directory-b2c/TOC.yml

@@ -163,6 +163,9 @@
         href: active-directory-b2c-reference-kmsi-custom.md
       - name: Password change
         href: active-directory-b2c-reference-password-change-custom.md
+      - name: Phone sign-up & sign-in
+        href: phone-authentication.md
+        displayName: otp, passwordless, phone number
     - name: UX customization
       items:
       - name: Configure user input
@@ -262,6 +265,8 @@
             href: integer-transformations.md
           - name: JSON
             href: json-transformations.md
+          - name: Phone number
+            href: phone-number-claims-transformations.md
           - name: External accounts
             href: social-transformations.md
           - name: StringCollection
@@ -285,6 +290,9 @@
           items:
           - name: About technical profiles
             href: technical-profiles-overview.md
+          - name: Azure Multi-Factor Authentication
+            href: multi-factor-auth-technical-profile.md
+            displayName: mfa
           - name: Claim resolvers
             href: claim-resolver-overview.md
           - name: Azure Active Directory

articles/active-directory-b2c/media/phone-authentication/assert-execution.png

@@ -0,0 +1,161 @@
+---
+title: Azure MFA technical profiles in custom policies
+titleSuffix: Azure AD B2C
+description: Custom policy reference for Azure Multi-Factor Authentication (MFA) technical profiles in Azure AD B2C.
+services: active-directory-b2c
+author: mmacy
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 12/17/2019
+ms.author: marsma
+ms.subservice: B2C
+---
+
+# Define an Azure MFA technical profile in an Azure AD B2C custom policy
+
+[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
+
+Azure Active Directory B2C (Azure AD B2C) provides support for verifying a phone number by using Azure Multi-Factor Authentication (MFA). Use this technical profile to generate and send a code to a phone number, and then verify the code.
+
+The Azure MFA technical profile may also return an error message. You can design the integration with Azure MFA by using a **Validation technical profile**. A validation technical profile calls the Azure MFA service. The validation technical profile validates the user-provided data before the user journey continues. With the validation technical profile, an error message is display on a self-asserted page.
+
+[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
+
+## Protocol
+
+The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C:
+
+```
+Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
+```
+
+The following example shows an Azure MFA technical profile:
+
+```XML
+<TechnicalProfile Id="AzureMfa-SendSms">
+    <DisplayName>Send Sms</DisplayName>
+    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+    ...
+```
+
+## Send SMS
+
+The first mode of this technical profile is to generate a code and send it. The following options can be configured for this mode.
+
+### Input claims
+
+The **InputClaims** element contains a list of claims to send to Azure MFA. You can also map the name of your claim to the name defined in the MFA technical profile.
+
+| ClaimReferenceId | Required | Description |
+| --------- | -------- | ----------- |
+| userPrincipalName | Yes | The identifier for the user who owns the phone number. |
+| phoneNumber | Yes | The phone number to send an SMS code to. |
+| companyName | No |The company name in the SMS. If not provided, the name of your application is used. |
+| locale | No | The locale of the SMS. If not provided, the browser locale of the user is used. |
+
+The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before sending to the Azure MFA service.
+
+### Output claims
+The Azure MFA protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Azure MFA identity provider as long as you set the `DefaultValue` attribute.
+
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
+### Metadata
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| Operation | Yes | Must be **OneWaySMS**.  |
+| UserMessageIfInvalidFormat | No | Custom error message if the phone number provided is not a valid phone number |
+| UserMessageIfCouldntSendSms | No | Custom error message if the phone number provided does not accept SMS |
+| UserMessageIfServerError | No | Custom error message if the server has encountered an internal error |
+
+### Return an error message
+
+As described in [Metadata](#metadata), you can customize the error message shown to the user for different error cases. You can further localize those messages by prefixing the locale. For example:
+
+```XML
+<Item Key="en.UserMessageIfInvalidFormat">Invalid phone number.</Item>
+```
+
+### Example: send an SMS
+
+The following example shows an Azure MFA technical profile that is used to send a code via SMS.
+
+```XML
+<TechnicalProfile Id="AzureMfa-SendSms">
+    <DisplayName>Send Sms</DisplayName>
+    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+    <Metadata>
+        <Item Key="Operation">OneWaySMS</Item>
+    </Metadata>
+    <InputClaimsTransformations>
+        <InputClaimsTransformation ReferenceId="CombinePhoneAndCountryCode" />
+        <InputClaimsTransformation ReferenceId="ConvertStringToPhoneNumber" />
+    </InputClaimsTransformations>
+    <InputClaims>
+        <InputClaim ClaimTypeReferenceId="userPrincipalName" />
+        <InputClaim ClaimTypeReferenceId="fullPhoneNumber" PartnerClaimType="phoneNumber" />
+    </InputClaims>
+</TechnicalProfile>
+```
+
+## Verify code
+
+The second mode of this technical profile is to verify a code. The following options can be configured for this mode.
+
+### Input claims
+
+The **InputClaims** element contains a list of claims to send to Azure MFA. You can also map the name of your claim to the name defined in the MFA technical profile.
+
+| ClaimReferenceId | Required | Description |
+| --------- | -------- | ----------- | ----------- |
+| phoneNumber| Yes | Same phone number as previously used to send a code. It is also used to locate a phone verification session. |
+| verificationCode  | Yes | The verification code provided by the user to be verified |
+
+The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before calling the Azure MFA service.
+
+### Output claims
+
+The Azure MFA protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Azure MFA identity provider as long as you set the `DefaultValue` attribute.
+
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
+## Metadata
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| Operation | Yes | Must be **Verify** |
+| UserMessageIfInvalidFormat | No | Custom error message if the phone number provided is not a valid phone number |
+| UserMessageIfWrongCodeEntered | No | Custom error message if the code entered for verification is wrong |
+| UserMessageIfMaxAllowedCodeRetryReached | No | Custom error message if the user has attempted a verification code too many times |
+| UserMessageIfThrottled | No | Custom error message if the user is throttled |
+| UserMessageIfServerError | No | Custom error message if the server has encountered an internal error |
+
+### Return an error message
+
+As described in [Metadata](#metadata), you can customize the error message shown to the user for different error cases. You can further localize those messages by prefixing the locale. For example:
+
+```XML
+<Item Key="en.UserMessageIfWrongCodeEntered">Wrong code has been entered.</Item>
+```
+
+### Example: verify a code
+
+The following example shows an Azure MFA technical profile used to verify the code.
+
+```XML
+<TechnicalProfile Id="AzureMfa-VerifySms">
+    <DisplayName>Verify Sms</DisplayName>
+    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+    <Metadata>
+        <Item Key="Operation">Verify</Item>
+    </Metadata>
+    <InputClaims>
+        <InputClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="phoneNumber" />
+        <InputClaim ClaimTypeReferenceId="verificationCode" />
+    </InputClaims>
+</TechnicalProfile>
+```

articles/active-directory-b2c/multi-factor-auth-technical-profile.md

@@ -0,0 +1,73 @@
+---
+title: Phone sign-up and sign-in with custom policies
+titleSuffix: Azure AD B2C
+description: Learn how to send one-time passwords in text messages to your application users' phones with custom policies in Azure Active Directory B2C.
+services: active-directory-b2c
+author: mmacy
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 12/17/2019
+ms.author: marsma
+ms.subservice: B2C
+---
+
+# Set up phone sign-up and sign-in with custom policies in Azure AD B2C
+
+Phone sign-up and sign-in in Azure Active Directory B2C (Azure AD B2C) enables your users to sign up and sign in to your applications by using a one-time password (OTP) sent in a text message to their phone. One-time passwords can help minimize the risk of your users forgetting or having their passwords compromised.
+
+Follow the steps in this article to use the custom policies to enable your customers to sign up and sign in to your applications by using a one-time password sent to their phone.
+
+[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
+
+## Prerequisites
+
+* [Azure AD B2C tenant](tutorial-create-tenant.md)
+* [Web application registered](tutorial-register-applications.md) in your tenant
+* [Custom policies](active-directory-b2c-get-started-custom.md) uploaded to your tenant
+
+## Get the phone sign-up & sign-in starter pack
+
+Start by updating the phone sign-up and sign-in custom policy files to work with your Azure AD B2C tenant.
+
+The following steps assume that you've completed the [prerequisites](#prerequisites) and have already cloned the [custom policy starter pack][starter-pack] repository to your local machine.
+
+1. Find the [phone sign-up and sign-in custom policy files][starter-pack-phone] in your local clone of the starter pack repo, or download them directly. The XML policy files are located in the `active-directory-b2c-custom-policy-starterpack/scenarios/phone-number-passwordless` directory.
+1. In each file, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is *contosob2c*, all instances of `yourtenant.onmicrosoft.com` become `contosob2c.onmicrosoft.com`.
+1. Complete the steps in the [Add application IDs to the custom policy](active-directory-b2c-get-started-custom.md#add-application-ids-to-the-custom-policy) section of [Get started with custom policies in Azure Active Directory B2C](active-directory-b2c-get-started-custom.md). That is, update the files in the `/phone-number-passwordless` directory with the **Application (client) IDs** of the two applications you registered when completing the prerequisites, *IdentityExperienceFramework* and *ProxyIdentityExperienceFramework*.
+
+## Upload the policy files
+
+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure AD B2C tenant.
+1. Under **Policies**, select **Identity Experience Framework**.
+1. Select **Upload custom policy**.
+1. Upload the policy files in the following order:
+    1. *Phone_Email_Base.xml*
+    1. *SignUpOrSignInWithPhone.xml*
+    1. *SignUpOrSignInWithPhoneOrEmail.xml*
+    1. *ProfileEditPhoneOnly.xml*
+    1. *ProfileEditPhoneEmail.xml*
+    1. *ChangePhoneNumber.xml*
+    1. *PasswordResetEmail.xml*
+
+As you upload each file, Azure adds the prefix `B2C_1A_`.
+
+## Test the custom policy
+
+1. Under **Custom policies**, select **SignUpOrSignInWithPhoneOrEmail**.
+1. Under **Select application**, select the *webapp1* application that registered when completing the prerequisites.
+1. For **Select reply url**, choose `https://jwt.ms`.
+1. Select **Run now** and sign up using an email address or a phone number.
+1. Select **Run now** once again and sign in with the same account to confirm that you have the correct configuration.
+
+## Next steps
+
+You can find the phone sign-up and sign-in custom policy starter pack (and other starter packs) on GitHub:
+
+[Azure-Samples/active-directory-b2c-custom-policy-starterpack/scenarios/phone-number-passwordless][starter-pack-phone]
+
+<!-- LINKS - External -->
+[starter-pack]: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
+[starter-pack-phone]: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/phone-number-passwordless