We currently have an Azure B2C tenant configured so that external users can log into our website. We currently use user flows for the basic scenarios (sign-in, sign-up, password reset, etc.), but in the past, we've added a couple of Microsoft's custom policy samples to add additional functionality, such as letting the user change their MFA phone number.
https://github.com/azure-ad-b2c/samples
And we've deployed them using Microsoft's own quick deploy tool: https://b2ciefsetupapp.azurewebsites.net/
However, recently we've been running into an issue deploying the mfa-email-or-phone sample with the same method. After authenticating on the custom policies site, we're redirected to a 404 error page with this message: "This b2ciefsetupapp.azurewebsites.net page can’t be found". The URL it's trying to redirect to contains a base64-encoded message that translates to the following:
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000222: The provided client secret keys for app '[client_id]' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 0ede3c81-f18c-4b9d-9033-dc9d4e1b9a00 Correlation ID: 3c5fd607-9036-47b7-bdf7-cef182c72ee9 Timestamp: 2025-09-22 19:54:18Z
The thing is, the '[client_id]' listed does not match the client ID of any of our registered apps in the tenant, so I don't know what this is referring to.
Does anyone have any idea why it's not working? We're not familiar with how custom policies work in B2C and are pretty dependent on this tool to import them into our tenant. I did see a note on the GitHub page's README that mentions the repo is no longer being actively maintained due to B2C's discontinuation, so I don't know if that has anything to do with it.
At the end of the day, we simply want to give our users a choice between either using their email address or getting a text at their phone number whenever they need to use MFA to log in to our website. Could anyone let us know the simplest, best way to accomplish this? Much appreciated.
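The triage the post walks through by hand (pull the base64 payload out of the redirect URL, read the AADSTS code and the app id it names, then check whether that app id belongs to any registration in your own tenant and whether any of your own secrets have lapsed) is mechanical enough to script. The block below is an added example written for this thread; it is not code from the deploy tool, from the azure-ad-b2c/samples repo, or from Microsoft. It assumes the error text travels as URL-safe base64 in a query parameter named `message` (the real tool's URL layout is not shown in the post, so that shape is an assumption), and it consumes app-registration JSON whose field names follow the Microsoft Graph `application` resource (`appId`, `displayName`, `passwordCredentials[].endDateTime`), which is what `az ad app list` emits. All ids, names and dates in it are constructed placeholders, not tenant data. AADSTS7000222 does mean "the client secret on the app registration with that client id has expired", so when the id is not one of yours, the expired secret is on whichever registration made the token request, not on your side.

```python
import base64
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# ---- constructed sample input (placeholders, not real tenant data) ------------
PLACEHOLDER_APP_ID = "00000000-0000-0000-0000-000000000bad"  # stands in for '[client_id]'
SAMPLE_ERROR_TEXT = (
    "A configuration issue is preventing authentication - check the error message "
    "from the server for details. Original exception: AADSTS7000222: The provided "
    f"client secret keys for app '{PLACEHOLDER_APP_ID}' are expired. "
    "Trace ID: 11111111-1111-1111-1111-111111111111 "
    "Correlation ID: 22222222-2222-2222-2222-222222222222 "
    "Timestamp: 2025-09-22 19:54:18Z"
)

# Constructed stand-in for `az ad app list` output (Graph field names assumed).
SAMPLE_APP_REGISTRATIONS = [
    {"appId": "aaaaaaaa-1111-2222-3333-444444444444", "displayName": "Website (constructed)",
     "passwordCredentials": [{"displayName": "prod-2026", "endDateTime": "2026-03-01T00:00:00Z"}]},
    {"appId": "bbbbbbbb-1111-2222-3333-444444444444", "displayName": "IEF app (constructed)",
     "passwordCredentials": [{"displayName": "legacy", "endDateTime": "2025-01-31T23:59:59.0000000+00:00"}]},
]

# Codes whose meaning is stable and well documented; anything else is reported as unknown.
KNOWN_CODES = {
    "AADSTS7000222": "client secret on the named app registration has expired; rotate it there",
    "AADSTS7000215": "the secret presented does not match any secret on the app registration",
    "AADSTS700016": "no app registration with this client id exists in the directory asked",
}

CODE_RE = re.compile(r"\b(AADSTS\d+)\b")
APP_RE = re.compile(r"app '([0-9a-fA-F-]{36})'")
FIELD_RE = {
    "trace_id": re.compile(r"Trace ID: ([0-9a-fA-F-]{36})"),
    "correlation_id": re.compile(r"Correlation ID: ([0-9a-fA-F-]{36})"),
    "timestamp": re.compile(r"Timestamp: (\S+ \S+)"),
}


def build_sample_url(error_text: str) -> str:
    """Assumed URL shape: URL-safe base64 of the text, padding stripped, in ?message=."""
    token = base64.urlsafe_b64encode(error_text.encode("utf-8")).decode("ascii").rstrip("=")
    return "https://example.invalid/error?message=" + token


def decode_message_param(url: str, param: str = "message") -> str:
    """Decode the payload leniently: URL-safe or standard alphabet, with or without padding."""
    query = parse_qs(urlsplit(url).query)
    if param not in query:
        raise ValueError(f"no '{param}' parameter in URL")
    token = query[param][0].strip().replace(" ", "+")   # '+' may have become a space
    token = token.replace("-", "+").replace("_", "/")   # normalise URL-safe alphabet
    token += "=" * (-len(token) % 4)                     # restore stripped padding
    return base64.b64decode(token).decode("utf-8", errors="replace")


def parse_msal_error(text: str) -> dict:
    """Extract the AADSTS code, the app id it names, and the ids you'd quote to support."""
    code = CODE_RE.search(text)
    app = APP_RE.search(text)
    info = {"code": code.group(1) if code else None,
            "app_id": app.group(1).lower() if app else None}
    for key, rx in FIELD_RE.items():
        m = rx.search(text)
        info[key] = m.group(1) if m else None
    info["meaning"] = KNOWN_CODES.get(info["code"], "unrecognised code; consult the AADSTS reference")
    return info


def _parse_graph_datetime(value: str) -> datetime:
    # Graph emits 7-digit fractional seconds and sometimes a trailing 'Z'; normalise both.
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def expired_secrets(apps, now_iso: str) -> list:
    """List every client secret in the supplied registrations whose end date is at or before now."""
    now = _parse_graph_datetime(now_iso)
    found = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            ends = _parse_graph_datetime(cred["endDateTime"])
            if ends <= now:
                found.append({"app": app["displayName"], "appId": app["appId"],
                              "secret": cred.get("displayName"), "expired_at": ends.isoformat()})
    return found


def triage(url: str, apps, now_iso: str) -> dict:
    """Decode the redirect, classify the error, and check the named app against your tenant."""
    info = parse_msal_error(decode_message_param(url))
    own_ids = {a["appId"].lower() for a in apps}
    info["app_in_tenant"] = info["app_id"] in own_ids
    info["expired_secrets_in_tenant"] = expired_secrets(apps, now_iso)
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_url(SAMPLE_ERROR_TEXT),
                            SAMPLE_APP_REGISTRATIONS, "2025-09-22T19:54:18Z"), indent=2))
```

To run it against a real redirect, paste the URL you were bounced to in place of `build_sample_url(...)` and feed it the JSON from `az ad app list` in place of the constructed list; `app_in_tenant: false` alongside `AADSTS7000222` tells you the lapsed secret is on a registration you do not control, while any entries under `expired_secrets_in_tenant` are the ones you can rotate yourself.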