I created 2 Entra Apps for external users (CIAM). I am using one of them to create users and the other one for the app users to log in. Both apps support multi-tenants and personal Microsoft accounts to access their API. I want to limit user creation to the API (for more security), and I want to enable 2FA using SMS during login for all users who create an account using the API. The users log in to the other Entra app using the Microsoft pop-up user flow, and I want to enable 2FA (SMS) there, handled/executed by the CIAM (the Entra app). Is this kind of setting possible?
I am using the PHP Graph API in the backend and created an account with email and password. The new user can log in to the other Entra app, but I couldn't find any setting/API that would make the Entra app add a 2FA phone number for SMS authentication.
<?php
// Client-credentials flow against Microsoft Graph using Guzzle.
require 'vendor/autoload.php';

use GuzzleHttp\Client;

function createExternalUser(
    Client $client,
    string $tenantId,
    string $clientId,
    string $clientSecret,
    string $firstName,
    string $lastName,
    string $email,
    string $password
): array {
    // Obtain an access token with Application Permissions
    $url = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token";
    try {
        $response = $client->post($url, [
            'form_params' => [
                'client_id'     => $clientId,
                'client_secret' => $clientSecret,
                'scope'         => 'https://graph.microsoft.com/.default',
                'grant_type'    => 'client_credentials',
            ]
        ]);
        $tokenData = json_decode((string) $response->getBody(), true);
        if (!isset($tokenData['access_token'])) {
            return ['error' => 'Unable to retrieve access token.'];
        }
        $accessToken = $tokenData['access_token'];

        // Create a local account in the external tenant (User.ReadWrite.All application permission)
        $graphUrl = "https://graph.microsoft.com/v1.0/users";
        $userResponse = $client->post($graphUrl, [
            'headers' => [
                'Authorization' => "Bearer $accessToken",
                'Content-Type'  => 'application/json'
            ],
            'json' => [
                'accountEnabled' => true,
                'displayName'    => "$firstName $lastName",
                'givenName'      => $firstName,
                'surname'        => $lastName,
                // DisableStrongPassword switches off the tenant's password complexity check for this user
                'passwordPolicies' => "DisablePasswordExpiration, DisableStrongPassword",
                // The user signs in with this email; issuer is the tenant's default domain
                'identities' => [
                    [
                        "signInType"       => "emailAddress",
                        "issuer"           => "abc.onmicrosoft.com",
                        "issuerAssignedId" => $email
                    ]
                ],
                'passwordProfile' => [
                    'forceChangePasswordNextSignIn' => false,
                    'password' => $password
                ]
            ]
        ]);
        $userData = json_decode((string) $userResponse->getBody(), true);
        if (isset($userData['id'])) {
            return [
                'user_id' => $userData['id'],
                'message' => 'User successfully created.'
            ];
        } else {
            return ['error' => 'User creation failed.'];
        }
    } catch (\Exception $e) {
        // Guzzle throws on 4xx/5xx by default, so Graph errors land here
        return ['error' => $e->getMessage()];
    }
}
Thanks in advance for any help.
Search for "Auth Methods" and then enable SMS there.
Note that this is only an option for MFA, not for first factor.
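As an added example (not code from the question or the answer above): the Graph call that registers a mobile number as the newly created user's SMS authentication method, to be chained after the user creation in the question once SMS is enabled under Authentication methods as the answer says. It assumes the application token from the question's flow, the UserAuthenticationMethod.ReadWrite.All application permission, and that the phoneMethods endpoint behaves the same way in an external (CIAM) tenant as in a workforce tenant.

```php
<?php
// Added example, not part of the question or answer. Assumes the app has the
// UserAuthenticationMethod.ReadWrite.All application permission and that SMS is
// enabled in the tenant's Authentication methods policy.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

/**
 * Register $phoneNumber as the user's mobile phone authentication method.
 * Graph documents the number format as "+{country code} {number}", optionally
 * followed by "x{extension}", e.g. "+1 2065550100".
 * Returns ['id' => ...] on success or ['error' => ...] on failure.
 */
function registerSmsPhone(Client $client, string $accessToken, string $userId, string $phoneNumber): array
{
    // Validate before the number reaches Graph: a malformed or attacker-supplied
    // value must never be stored silently as a second factor.
    if (!preg_match('/^\+\d{1,3} \d{4,14}(x\d{1,8})?$/', $phoneNumber)) {
        return ['error' => 'Phone number must look like "+1 2065550100".'];
    }
    $url = 'https://graph.microsoft.com/v1.0/users/' . rawurlencode($userId) . '/authentication/phoneMethods';
    try {
        $response = $client->post($url, [
            'headers' => [
                'Authorization' => "Bearer $accessToken",
                'Content-Type'  => 'application/json',
            ],
            'json' => [
                'phoneNumber' => $phoneNumber,
                'phoneType'   => 'mobile',   // "mobile" is the type used for SMS MFA
            ],
        ]);
        $method = json_decode((string) $response->getBody(), true);
        return isset($method['id']) ? ['id' => $method['id']] : ['error' => 'Unexpected Graph response.'];
    } catch (RequestException $e) {
        // Return Graph's error body (e.g. 403 when the permission is missing); never log the token
        $body = $e->hasResponse() ? (string) $e->getResponse()->getBody() : $e->getMessage();
        return ['error' => $body];
    }
}

// Usage, chained onto the question's flow (placeholder number, constructed for this example):
// $result = registerSmsPhone($client, $accessToken, $userData['id'], '+1 2065550100');
```

Registering the number does not by itself force the SMS prompt at sign-in; whether MFA is required is decided by the tenant's policy, and as the answer notes SMS can only serve as the second factor.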