Hi, get one method working at a time using the official B2C custom-policy samples, then combine them behind a simple “pick SMS or Authenticator” step. Known-good recipe:

1) Start from the “SocialAndLocalAccountsWithMfa” (phone/SMS) starter pack and the “LocalAccounts_TOTP” sample; upload Base/Extensions/RP files, create the two B2C apps (IdentityExperienceFramework + ProxyIdentityExperienceFramework) with API permissions and grant admin consent, and create the required policy keys (at minimum the SMS/MFA key and a TOTP encryption key).

2) Verify SMS first: in your Extensions file keep the built-in PhoneFactor technical profile; make sure you didn’t rename your tenant in the metadata, and that your MFA key exists; run the sign-in policy and confirm you receive and can verify the code.

3) Add TOTP: add an extension attribute to store the TOTP secret (e.g., extension_totpSecret) and copy the TOTP technical profiles and claims transformations from the sample (enroll = generate secret + show QR; verify = validate code); add orchestration steps that (a) if secret exists → verify, else → enroll; test end-to-end.

4) Combine methods: insert a DisplayControl (or a Boolean choice claim) step that lets the user pick SMS or Authenticator; use preconditions to branch to PhoneFactor or to the TOTP verify/enroll steps; persist the chosen method if you want a default next time.

5) Typical blockers: missing admin consent on the two B2C apps; missing policy keys; extension attribute not created (so writes to the directory fail); wrong tenant name/issuer in metadata; misordered orchestration steps; using “user flows” instead of “custom policies”; or no Application Insights hooked to IEF (enable it and read the detailed exception to see exactly which TP/CT failed).

If you paste your current Extensions/RP snippets (the PhoneFactor TP, the TOTP TPs/CTs, and the orchestration steps) I can pinpoint the exact fix, but following the sequence above with the official samples almost always gets SMS and TOTP working in under an hour.
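
The branching in steps 3 and 4 of the answer above, as an added example that is not part of the original answer or the official samples. The claim `mfaMethod` and the technical profile IDs `SelfAsserted-SelectMfaMethod`, `TOTP-Enroll` and `TOTP-Verify` are hypothetical placeholders for whatever your policy defines; `extension_totpSecret` is the attribute name from the answer, and `PhoneFactor-InputOrVerify` is the phone profile ID assumed from the starter pack.

```xml
<!-- Constructed fragment for a UserJourney's <OrchestrationSteps>; renumber Order to fit. mfaMethod, SelfAsserted-SelectMfaMethod, TOTP-Enroll, TOTP-Verify are hypothetical names. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="SelectMfaMethod" TechnicalProfileReferenceId="SelfAsserted-SelectMfaMethod" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- SMS branch: skipped unless the user picked "sms" in the previous step. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>mfaMethod</Value><Value>sms</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- TOTP enroll: skipped unless "totp" was picked, and skipped when a secret is already stored. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>mfaMethod</Value><Value>totp</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>extension_totpSecret</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="TOTP-Enroll" TechnicalProfileReferenceId="TOTP-Enroll" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- TOTP verify: skipped unless "totp" was picked, and skipped when no secret claim is present. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>mfaMethod</Value><Value>totp</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>extension_totpSecret</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="TOTP-Verify" TechnicalProfileReferenceId="TOTP-Verify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

For the `ClaimsExist` checks to reflect the directory, the step that reads the user earlier in the journey has to output `extension_totpSecret`; otherwise every sign-in falls into the enroll branch.
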
Azure AD B2C Integration SMS and TOTP using Custom policy
Kakadiya, Neel
I'm trying to create a custom policy for integrating SMS and TOTP. I looked at the Medium post and coding post, but it is still not working. I'm not sure where I'm going wrong.
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.