signup-signin-with-phone-number: align sample countryList default with Learn mitigation guidance#679
hi @JasSuri, @yoelhor — quick re-frame now that the PR has narrowed. this is now scoped to one existing sample: 4 files, ~208 lines, no new sample, no cross-repo security proposal. just what actually ships:
tradeoff worth stating plainly: a tenant outside two narrow questions, one each:
a one-line reply is enough on either side — "sample-default ok" / "readme-only" / "citation ok" / "please change citation". happy to rework on any of those. thanks.
…st allow-list and IRSF mitigation reference
Ships an operational mitigation against SMS toll fraud (IRSF) directly in the
sample, rather than as a documentation-only warning.
Changes:
- policy/TrustFrameworkLocalization.xml: the 'countryList' LocalizedString in
both 'api.phonefactor.sv' and 'api.phonefactor.nb' LocalizedResources now
ships a Nordic-only allow-list (NO, SE, DK, FI, IS, FO, AX). The previous
full world list (~240 entries) is preserved immediately below as an XML
comment, split into two risk tiers:
* HIGH-RISK — IRSF / SMS-pumping hotspots that must not be re-enabled
without complementary controls (CAPTCHA, Conditional Access, Azure
Monitor anomaly alerts, per-tenant SMS spending cap).
* Lower-risk — OECD / EU / major commercial markets, still to be
reviewed before enabling.
- policy/phone-signup-signin.xml: adds a BuildingBlocks > Localization block
to carry the same Nordic allow-list for the default English UX path,
alongside a prepended 'api.phonefactor' ContentDefinition that wires in
'api.phonefactor.en'.
- README.md (sample): reframed to describe the shipped safe default, point
at the two modified files, and document the action required before
production (extending the allow-list with ISO 3166-1 alpha-2 codes of the
countries where users actually are).
- readme.md (root): security banner and samples table entry pointing to the
hardened sample.
References:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/phone-based-mfa#mitigate-fraudulent-sign-ups-for-custom-policy
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Body claim in PR azure-ad-b2c#679 said the English UX path ships the same Nordic allow-list as TrustFrameworkLocalization.xml nb/sv. It didn't — EN was missing FO (Faroe Islands) and AX (Åland). Aligning the three so the Nordic-only default is consistent across locales.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gfortaine just a question. You mention that these are blocked at the "UX layer".
Summary

Aligns the `signup-signin-with-phone-number` custom policy sample with the existing Microsoft Learn mitigation guidance for SMS toll fraud (IRSF), by shipping a restrictive-by-default `countryList` in the sample itself and cross-linking `phone-based-mfa.md`.

The sample now ships a Nordic-only allow-list (NO, SE, DK, FI, IS, FO, AX) on all three locale paths (en/nb/sv). The previous world-wide list is preserved as XML comments, split into two tiers (HIGH-RISK IRSF hotspots / Lower-risk OECD/EU) so consumers widen the allow-list by uncommenting the tier they accept.

Tenants outside the listed countries must edit `countryList` before first deployment — this is called out at the top of the sample README and inline in the XML.

Problem

Two Microsoft artifacts cover phone-based authentication on Azure AD B2C and complement each other:

- `policies/signup-signin-with-phone-number/` — one of the phone-based auth samples developers reach when implementing phone-based authentication.
- `phone-based-mfa.md` on Microsoft Learn — contains the existing mitigation guidance (`countryList`, CAPTCHA, Conditional Access, Azure Monitor workbook) against fraudulent phone-based MFA sign-ups.

There was no in-repo reference from the sample to the guide, and the sample shipped with no allow-list at all — so a developer uploading the policy as-is was open to IRSF by default. This PR aligns the sample's out-of-box behavior with the Learn guidance, preserves the world list as commented tiers for opt-in widening, and cross-links the guide from the sample README.

Changes

- `policies/signup-signin-with-phone-number/policy/TrustFrameworkLocalization.xml`: `countryList` `LocalizedString` in both `api.phonefactor.sv` and `api.phonefactor.nb` restricted to Nordic ISO 3166-1 alpha-2 codes (NO, SE, DK, FI, IS, FO, AX). Original world list preserved as XML comments, split into two risk tiers: HIGH-RISK (IRSF / SMS-pumping hotspots — must not be re-enabled without complementary controls: CAPTCHA, Conditional Access, Azure Monitor anomaly alerts, per-tenant SMS spending cap) and Lower-risk (OECD / EU / major commercial markets, still to be reviewed before enabling). Consumers opt into a wider list by uncommenting the tier they accept.
- `policies/signup-signin-with-phone-number/policy/phone-signup-signin.xml`: `BuildingBlocks > Localization` block with the same Nordic `countryList` (NO, SE, DK, FI, IS, FO, AX), and an RP-level `api.phonefactor` `ContentDefinition` override (`LocalizedResourcesReferences MergeBehavior="Prepend"`) so `api.phonefactor.en` is actually applied on the phone-entry page.
- `policies/signup-signin-with-phone-number/README.md`: cross-links `phone-based-mfa.md`, documents the Nordic default shipped in the XML, points at the two modified files, and documents the action required before production (extending the allow-list with ISO 3166-1 alpha-2 codes of the countries where users actually are).
- `readme.md`

Sources

- `countryList` to an allow-list: `phone-based-mfa.md` § custom policy and § user flow
- `add-captcha.md`
- `conditional-access-user-flow.md`
- `phone-based-mfa.md` § Create a phone-based MFA events workbook
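A pre-deploy check for the two failure modes this PR deals with: a policy whose `countryList` strings drift between locale paths (the EN-missing-FO/AX case fixed in 5da9c02) or contain codes outside the intended allow-list. This is an added example, not code from the PR or the azure-ad-b2c repo; the embedded policy XML is a constructed, trimmed sample, and `NORDIC_ALLOW_LIST` is the allow-list the PR describes.

```python
import json
import xml.etree.ElementTree as ET

# Namespace used by Azure AD B2C custom policy (TrustFrameworkPolicy) documents.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# ISO 3166-1 alpha-2 allow-list shipped by the sample after this PR.
NORDIC_ALLOW_LIST = {"NO", "SE", "DK", "FI", "IS", "FO", "AX"}

# Constructed sample policy (not the repo's file): the en path has drifted and
# lacks FO and AX, while nb carries the full Nordic list.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks>
    <Localization Enabled="true">
      <LocalizedResources Id="api.phonefactor.en">
        <LocalizedStrings>
          <LocalizedString ElementType="UxElement" StringId="countryList">{"DEFAULT":"Country/Region","NO":"Norway","SE":"Sweden","DK":"Denmark","FI":"Finland","IS":"Iceland"}</LocalizedString>
        </LocalizedStrings>
      </LocalizedResources>
      <LocalizedResources Id="api.phonefactor.nb">
        <LocalizedStrings>
          <LocalizedString ElementType="UxElement" StringId="countryList">{"DEFAULT":"Land/region","NO":"Norge","SE":"Sverige","DK":"Danmark","FI":"Finland","IS":"Island","FO":"Færøyene","AX":"Åland"}</LocalizedString>
        </LocalizedStrings>
      </LocalizedResources>
    </Localization>
  </BuildingBlocks>
</TrustFrameworkPolicy>
"""


def country_lists(policy_xml: str) -> dict[str, set[str]]:
    """Map each LocalizedResources Id to the country codes in its countryList JSON."""
    root = ET.fromstring(policy_xml)
    result = {}
    for res in root.iterfind(".//cpim:LocalizedResources", NS):
        for s in res.iterfind("cpim:LocalizedStrings/cpim:LocalizedString", NS):
            if s.get("StringId") == "countryList":
                # The value is a JSON object; DEFAULT is the placeholder label, not a country.
                result[res.get("Id")] = set(json.loads(s.text or "{}")) - {"DEFAULT"}
    return result


def lint(policy_xml: str, allow_list: set[str]) -> list[str]:
    """Flag a missing countryList, codes outside the allow-list, and locale drift."""
    findings = []
    lists = country_lists(policy_xml)
    if not lists:
        findings.append("no countryList found: phone page offers every country by default")
    for res_id, codes in lists.items():
        if extra := sorted(codes - allow_list):
            findings.append(f"{res_id}: codes outside allow-list: {extra}")
        if missing := sorted(allow_list - codes):
            findings.append(f"{res_id}: missing allow-listed codes: {missing}")
    return findings
```

Run `lint(open(path).read(), NORDIC_ALLOW_LIST)` against both `TrustFrameworkLocalization.xml` and `phone-signup-signin.xml`; an empty list means every locale path carries exactly the intended allow-list.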