I am in the process of migrating a legacy IDP to Azure AD B2C. Some of our users have TOTP MFA enabled and I would like to migrate them without re-enrolling using new secrets for a seamless user experience during the migration.
I can access the users' TOTP secrets (base32 encoded).
I copied and built on top of the TOTP migration policy.
I bypass the availabledevices > 0 steps, as it is a precondition that the migrated users with TOTP have already been set up and I don't want to expose the secret unnecessarily. New users should follow a different flow.
As part of my pre-migration script I added the TOTP secret to an extension property (extension_StrongAuthenticationAppSecretKey) on the user. I can copy this claim to the secretKey using the CopyLegacySecret, and I have seen the secretKey claim being set to the value of extension_StrongAuthenticationAppSecretKey during debugging in Application Insights.

Now at this point I am expecting B2C to verify an OTP code from my legacy configured authenticator app. I can't seem to find where in the policy the secretKey is persisted in B2C, and I guess that it is still verifying using some secret that I am not controlling.
Can someone confirm that this is indeed possible and maybe just provide an outline of the required user journey to get it right?
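A pre-migration sanity check for the secret being copied into extension_StrongAuthenticationAppSecretKey, added here as an example and not part of the question or of any B2C policy: it computes RFC 6238 TOTP codes from the same base32 secret the user's authenticator app holds, so you can confirm the exported value really produces the codes the app shows before relying on it in the migrated journey. The function names and the tolerance window are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by common authenticator apps


def totp_code(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded shared secret."""
    # Exported secrets are often unpadded or lowercase; normalise before decoding.
    normalised = secret_b32.strip().replace(" ", "").upper()
    normalised += "=" * (-len(normalised) % 8)
    key = base64.b32decode(normalised)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps of clock drift either side.

    Uses a constant-time comparison so a mismatch does not leak how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret "12345678901234567890" in base32.
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp_code(sample_secret, 59))  # RFC test vector at T=59
```

If the code printed for the current time matches what the user's authenticator app displays, the extension property holds the right secret and any mismatch after migration lies in how the policy persists or uses secretKey, not in the exported value.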