Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Azure AD B2C MFA modernisation: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: A global real estate company moved from email and SMS one-time codes to broader MFA options, including passkeys and biometrics, across Azure AD B2C for employees in three regions, completing rollout in two months with no reported issues, according to Authsignal. The real lesson is that step-up authentication only works when policy, user experience, and regional governance are designed together, not bolted on after authentication gaps appear.

NHIMG editorial — based on content published by Authsignal: How a global real estate company strengthened MFA with Authsignal

Questions worth separating out

Q: How should organisations modernise MFA without disrupting employee access?

A: Start with the highest-risk sign-in paths, then introduce stronger authenticators alongside a phased rollout and clear recovery routes.

Q: Why do SMS and email one-time passcodes create governance risk?

A: They create governance risk because they are easy to over-depend on, even when stronger options are available.

Q: How do security teams know if MFA policy changes are working?

A: Look for reduced reliance on legacy OTP methods, stable sign-in success rates, low help desk escalation, and few override requests.

Practitioner guidance

  • Inventory where legacy OTP still carries MFA risk Identify Azure AD B2C or equivalent journeys that still rely on email and SMS codes, then rank them by user exposure, application sensitivity, and recovery dependency.
  • Define policy ownership for step-up authentication Separate policy authorship, approval, and emergency override rights for location-based blocking, periodic prompts, and risk-triggered MFA so that no single administrator can silently change access behaviour.
  • Pilot stronger authenticators before enterprise-wide enforcement Test passkeys, biometrics, and other stronger factors in one region or business unit first, then validate recovery, help desk load, and user completion rates before expanding.

What's in the full article

Authsignal's full case study covers the operational detail this post intentionally leaves for the source:

  • The rollout sequence across South Africa, New Zealand, and Australia, including how each phase was validated before go-live
  • The specific authentication methods added beyond SMS and email, including passkeys, biometrics, and WhatsApp one-time codes
  • How the no-code rules engine was configured for periodic MFA requirements, impossible travel detection, and country-based blocking
  • The commercial and implementation considerations that shaped the vendor evaluation and deployment timeline

👉 Read Authsignal's case study on strengthening MFA across Azure AD B2C →

Azure AD B2C MFA modernisation: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Modern MFA is now an authentication governance problem, not a factor-selection problem. The article shows that the organisation needed stronger methods, more granular triggers, and a migration path that would not disrupt daily access. That combination matters because human IAM programmes fail when they optimise for factor strength alone and ignore policy operability, rollout sequencing, and support impact. Practitioners should treat MFA modernisation as a control design exercise, not a feature swap.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which is one reason policy intent and operational reality diverge.

A question worth separating out:

Q: Who should approve changes to authentication rules in Azure AD B2C?

A: Authentication rule changes should be approved by the identity or security owner with operational input from application and regional stakeholders. Business administrators can manage day-to-day policy updates if delegated carefully, but sensitive changes need review, logging, and a clear rollback path. Without that separation, convenience can become unaudited access drift.

👉 Read our full editorial: Phishing-resistant MFA for Azure AD B2C in multi-region IAM



   
ReplyQuote
Share: