
Azure AD B2C MFA and remembered devices: how to complete an MFA sign-in through the Microsoft-provided login URL, and how to verify it

Answers to Your Azure AD B2C MFA Questions

Let's tackle your two questions one by one, with practical, actionable details for each scenario:

1. Using the Microsoft Token URL to Log Into an Azure AD B2C App with MFA

First, a quick clarification: a /oauth2/v2.0/token endpoint exchanges authorization codes or refresh tokens for access and ID tokens; it never runs an MFA challenge itself. MFA is enforced during the user's interactive authentication journey, not when the token endpoint is called. A second point that is specific to B2C: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token is the Microsoft Entra ID (workforce) token endpoint and is the deprecated host for B2C. A B2C app must redeem its code at the token endpoint of the same user flow (policy) that issued it, on <your-b2c-tenant>.b2clogin.com (or your custom domain) with the policy name in the path. Here's the step-by-step process to make it work:

  • Step 1: Ensure your User Flow/Custom Policy requires MFA
    First, configure your Azure AD B2C user flow (or custom policy) to enforce multi-factor authentication. In a sign-up/sign-in user flow this is the "Multifactor authentication" section of the flow's properties: choose the method type (email, SMS or phone call, or authenticator app TOTP) and set "MFA enforcement" to "Always on", or to "Conditional" if a Conditional Access policy in the tenant should decide when the challenge is shown. In a custom policy, MFA is an orchestration step in the user journey that invokes the MFA technical profile.

  • Step 2: Use an interactive authentication flow (like Authorization Code Flow)
    MFA requires user interaction, so stick to flows in which the user enters credentials in the B2C-hosted pages and completes the MFA challenge there. Use the authorization code flow with PKCE (a public client such as a SPA or mobile app has no secret, and PKCE also protects confidential clients against code injection):

    1. Generate a random state, a random nonce and a PKCE code_verifier, store them in the user's server-side session, and redirect the user to your B2C authorization endpoint (not the token endpoint) with the necessary parameters:
      https://<your-b2c-tenant>.b2clogin.com/<your-b2c-tenant>.onmicrosoft.com/<your-user-flow-id>/oauth2/v2.0/authorize?
      client_id=<your-app-client-id>
      &redirect_uri=<your-redirect-uri>
      &response_type=code
      &response_mode=query
      &scope=openid%20offline_access%20<your-api-scope>
      &state=<random-secure-string>
      &nonce=<random-secure-string>
      &code_challenge=<base64url(sha256(code_verifier))>
      &code_challenge_method=S256
      
    2. The user goes through the sign-in process and, when prompted, completes the MFA challenge (e.g., entering a code sent by SMS, or approving a request in Microsoft Authenticator).
    3. Once MFA is successful, B2C redirects back to your redirect_uri with an authorization code and the state you sent. Reject the callback if the state does not match the one stored for this session, or if it carries an error parameter instead of a code.
  • Step 3: Exchange the authorization code for tokens
    Now redeem the code at the token endpoint of the same user flow that issued it. The policy name is part of the URL: a code from one policy cannot be redeemed at another policy's endpoint, nor at the login.microsoftonline.com workforce endpoint. Send a POST request with these parameters:

    POST https://<your-b2c-tenant>.b2clogin.com/<your-b2c-tenant>.onmicrosoft.com/<your-user-flow-id>/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    client_id=<your-app-client-id>
    &client_secret=<your-app-client-secret> (confidential clients only)
    &code=<authorization-code-from-step-2>
    &code_verifier=<the-code_verifier-generated-in-step-2>
    &redirect_uri=<your-redirect-uri>
    &grant_type=authorization_code
    &scope=openid%20offline_access%20<your-api-scope>
    

    The response includes an ID token (plus an access token for the API scope and a refresh token for offline_access). Validate the ID token's signature against the JWKS published in the user flow's OpenID Connect metadata, then check iss, aud, exp, the nonce you sent, and the tfp claim (the name of the policy that issued the token). Unlike tokens from the Microsoft Entra ID workforce endpoint, Azure AD B2C ID tokens do not carry an amr claim, so there is no built-in "mfa" value to look for; if the token itself must prove that MFA ran, use a custom policy that emits a claim set by the MFA step (see question 2).

Note: The Resource Owner Password Credentials (ROPC) flow cannot do MFA in Azure AD B2C. ROPC is a separate user-flow type with no MFA step, and because the client posts the username and password directly there is no interactive page on which a challenge could be shown. Sign-in flows with MFA enforcement cannot be used over ROPC at all. Stick to interactive flows for MFA-enabled apps.
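Steps 1 to 3 as a relying-party client would implement them, as an added example that is not code from the original page or from Microsoft. It generates the per-attempt state, nonce and PKCE verifier, builds the authorize URL on the user flow's b2clogin.com endpoint, validates the callback, and prepares (and optionally sends) the code redemption at the same policy's token endpoint. The tenant name, user-flow name, client ID, redirect URI and API scope are placeholder assumptions; the standard library is enough, no OAuth library is used.

```python
import base64
import hashlib
import secrets
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Placeholder values, assumed for this example (not taken from the original page).
TENANT = "contoso"                                  # <your-b2c-tenant>
USER_FLOW = "B2C_1_signupsignin"                    # <your-user-flow-id>
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # <your-app-client-id>
REDIRECT_URI = "https://app.example.com/auth/callback"
API_SCOPE = "https://contoso.onmicrosoft.com/api/read"
SCOPE = f"openid offline_access {API_SCOPE}"

# Both endpoints live under the policy's path on b2clogin.com; the code issued by
# /authorize must be redeemed at this same /token, not at login.microsoftonline.com.
POLICY_BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{USER_FLOW}/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_login_attempt() -> dict:
    """Per-attempt secrets. Store them in the user's server-side session before
    redirecting; parse_callback() and token_request() need them on the way back."""
    return {
        "state": secrets.token_urlsafe(32),          # binds the callback to this browser session (CSRF)
        "nonce": secrets.token_urlsafe(32),          # echoed in the ID token; detects replayed tokens
        "code_verifier": secrets.token_urlsafe(64),  # 86 url-safe chars, inside RFC 7636's 43..128
    }


def authorize_url(attempt: dict) -> str:
    """Step 2: where to send the browser. The MFA challenge happens inside this journey."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "response_mode": "query",
        "scope": SCOPE,
        "state": attempt["state"],
        "nonce": attempt["nonce"],
        "code_challenge": pkce_challenge(attempt["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return POLICY_BASE + "/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, attempt: dict) -> str:
    """Validate the redirect back from B2C and return the authorization code.
    Raises on an error response, a missing code, or a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise RuntimeError(f"B2C returned {query['error'][0]}: {detail}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), attempt["state"].encode()):
        raise RuntimeError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise RuntimeError("callback carries no authorization code")
    return code


def token_request(code: str, attempt: dict, client_secret: Optional[str] = None) -> Tuple[str, dict]:
    """Step 3: URL and form body for redeeming the code at the same policy's /token."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "code_verifier": attempt["code_verifier"],  # proves we started this flow (PKCE)
    }
    if client_secret:  # confidential clients only; public clients rely on PKCE alone
        body["client_secret"] = client_secret
    return POLICY_BASE + "/token", body


def redeem_code(code: str, attempt: dict, client_secret: Optional[str] = None) -> bytes:
    """Network step: POST the form and return B2C's raw JSON token response."""
    url, body = token_request(code, attempt, client_secret)
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

The state check uses a constant-time comparison and fails closed on an error callback, so a user who cancels at the MFA page (B2C returns error=access_denied) never reaches the token request. The ID token returned by redeem_code() still has to be signature-checked and its nonce compared with attempt["nonce"] before the session is created.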

2. Verifying Azure AD B2C User MFA Login Status & Remembered Devices

Verifying MFA Login Status

There's no dedicated public URL that reports a user's current MFA login status, but you have two reliable ways to confirm it:

  • Check the ID Token Claims
    The most immediate check is in the token your app receives. Azure AD B2C tokens do not include the amr claim that Microsoft Entra ID workforce tokens use, so you will not find "amr": ["pwd", "mfa"] in them. What B2C does put in every ID token is the name of the policy that issued it, for example:

    "tfp": "<your-user-flow-id>"
    

    If only MFA-enforcing policies are allowed to sign users into the app, checking tfp (acr in older tokens) against the expected policy name is enough, provided you also validate the signature, issuer, audience, expiry and nonce. If you need explicit proof that the MFA step ran (for example, when MFA enforcement is "Conditional"), use a custom policy: give the MFA technical profile an output claim with a default value (or set the claim with a claims transformation in the step after it) and list that claim in the relying party's OutputClaims so it appears in the token.

  • Use Microsoft Graph API
    To retrieve a user's registered methods or historical sign-in data, the caller needs an app registration in the B2C tenant with the matching application permissions (UserAuthenticationMethod.Read.All for methods; AuditLog.Read.All plus Directory.Read.All for sign-in logs):

    1. To check which MFA methods a user has registered, call GET /users/{user-id}/authentication/methods (phone methods are also listed at /users/{user-id}/authentication/phoneMethods). There is no strongAuthenticationMethods property on the user object.
    2. To check recent sign-in events, call GET /auditLogs/signIns?$filter=userId eq '{user-id}' and look at each entry's status; the per-step authenticationDetails collection, which names the method used (e.g., "Microsoft Authenticator"), is exposed on the beta version of the endpoint.
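The ID-token check described above, as an added example that is not part of the original page: a standard-library claim check run after your JWT library has verified the token's signature against the policy's JWKS. The accepted policy name, the custom-policy output claim mfaCompleted and the maximum authentication age are assumptions chosen for the example, and the sample token is constructed locally (unsigned, for the test only).

```python
import base64
import json
import time
from typing import List, Optional

# Assumptions for this example (none of these names come from the original page):
# the policy the app accepts tokens from, the boolean claim a custom policy emits
# after its MFA step, and how recent the authentication must be.
EXPECTED_POLICY = "B2C_1A_signup_signin_mfa"
MFA_CLAIM = "mfaCompleted"          # hypothetical custom-policy output claim
MAX_AUTH_AGE_SECONDS = 5 * 60


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(id_token: str) -> dict:
    """Payload of a compact JWT. This does NOT check the signature: call it only on
    a token your JWT library has already verified against the jwks_uri published at
    https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration"""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_mfa_sign_in(claims: dict, expected_nonce: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons to reject the sign-in; an empty list means it is acceptable."""
    now = time.time() if now is None else now
    problems: List[str] = []

    # B2C names the issuing policy in tfp (acr in older tokens). A token from a
    # policy without MFA must not get into an MFA-only application.
    policy = claims.get("tfp") or claims.get("acr")
    if policy != EXPECTED_POLICY:
        problems.append(f"issued by policy {policy!r}, expected {EXPECTED_POLICY!r}")

    # nonce ties the token to the authorize request this session started.
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the authorize request")

    if claims.get("exp", 0) <= now:
        problems.append("token expired")

    # auth_time is when the user actually authenticated; an SSO-cached journey
    # can mint a fresh token from an old authentication.
    if now - claims.get("auth_time", 0) > MAX_AUTH_AGE_SECONDS:
        problems.append("authentication is older than allowed")

    # B2C emits no amr claim, so "mfa" in amr cannot be checked; the only in-token
    # evidence is the claim the custom policy sets after its MFA step.
    if claims.get(MFA_CLAIM) is not True:
        problems.append(f"{MFA_CLAIM} missing or false: MFA step did not run")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token for local tests only: alg none, empty signature.
    A real B2C token is RS256-signed and must be verified before jwt_claims()."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
```

Treat the policy check as the primary control: with user flows, where no custom claim is available, it is the only in-token signal, and it works only if every policy the app accepts enforces MFA.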

Remembered Devices for MFA

Azure AD B2C has no separate "Remember device" toggle for MFA, and no "MFA remember devices" setting under Security > Identity protection; remembering MFA on trusted devices is a Microsoft Entra ID workforce feature. What B2C offers instead is session management: once a user has completed the MFA step, that result is cached in the B2C session for that browser, and the MFA step is skipped on later sign-ins for as long as the session is valid. Here's how it works:

  • Configure it in User Flows
    In the user flow's Properties, under "Session behavior", set the web app session lifetime (in minutes) and the timeout type (rolling or absolute). If the session should survive closing the browser, enable "Keep me signed in (KMSI)", which adds a checkbox to the sign-in page and extends the session with a persistent cookie for the KMSI duration. MFA enforcement stays as configured in Step 1; no further setting is needed.

  • How it works
    The session cookie is issued by the B2C domain (b2clogin.com or your custom domain) and scoped to that browser, not to the device: a different browser, a private window, or clearing cookies triggers MFA again, and there is no per-device list for the user or an administrator to revoke. Treat the session length as your exposure window on a shared or stolen machine.

  • Custom Policy Configuration
    In the starter pack the MFA technical profile (PhoneFactor-InputOrVerify) references the SM-MFA session-management technical profile, which persists the verified phone-number claims in the session; that reference is what lets a later journey skip the challenge. Session length is set in the relying-party file's UserJourneyBehaviors element (SingleSignOn Scope and KeepAliveInDays, SessionExpiryType and SessionExpiryInSeconds), and KMSI is enabled with the setting.enableRememberMe metadata item on the sign-in self-asserted technical profile.


The question this content answers comes from Stack Exchange; question author: Vamshi G
