Question 105872 in Azure Question posted in
The official documentation to get you started can be found here.

Azure AD B2C Custom Policy Bypass or skip specific phone Number Orchestration flow

We are using Azure AD B2C Phone Number OTP Authentication flow, from that we need to run an automation test for that we need to skip the OTP validation step. below is the B2C_1A_PH_SUSI file code.

<UserJourney Id="PhoneSignInUp">
  <OrchestrationSteps>
    <!--
       Ask the user for the phone number. 
       The ValidationTechnicalProfile tries to read the user from the directory using the phone number
    -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignIn" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- 
      Verify the phone number via SMS or Callback
     -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify-PhoneLogon" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- 
      If the user didn't exist previously, create the object in the directory
    -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWriteUser" TechnicalProfileReferenceId="AAD-UserWriteUsingPhoneNumber" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!--
      return the JWT token
    -->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I found a way to bypass OTP by Adding a Precondition value block give number you want to skip <Value>+91xxxxxxxx</Value> refer below

    <!-- 
      Verify the phone number via SMS or Callback
     -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        

        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>signinnames.phoneNumber</Value>
          <Value>+91xxxxxxxx</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>

     </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify-PhoneLogon" />
      </ClaimsExchanges>
    </OrchestrationStep>

  2. 0

    Presumably, for the automation test, you are using ROPC to log the user in?

    In which case, add a precondition around PhoneFactor that checks for the ROPC user and skips the step.

    Just give the user a "weird" login name – lots of q/z/x etc. 🙂 so hard to guess for security.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search