private string GetEmailAddressFromExternalLoginResult(AuthenticateExternalLoginResult result, out string errorReason)
{
try
{
var userInformation = result.Authenticator?.GetIdentityInformation(result.ExternalIdentity);
errorReason = null;
return(userInformation.Email);
}
catch (ArgumentException ex)
{
errorReason = ex.Message;
return(null);
}
}
internal bool ShouldEnforceMultiFactorAuthentication(AuthenticateExternalLoginResult result)
{
if (result?.Authenticator == null || result.Authentication == null)
{
return(false);
}
// Enforce multi-factor authentication only if:
// 1. The authenticator supports multi-factor authentication, otherwise no use.
// 2. The user has enabled multi-factor authentication for their account.
// 3. The user authenticated with the personal microsoft account. AAD 2FA policy is controlled by the tenant admins.
// 4. The user did not use the multi-factor authentication for the session, obviously.
return(result.Authenticator.SupportsMultiFactorAuthentication() &&
result.Authentication.User.EnableMultiFactorAuthentication &&
!result.LoginDetails.WasMultiFactorAuthenticated &&
result.Authentication.CredentialUsed.IsExternal() &&
(CredentialTypes.IsMicrosoftAccount(result.Authentication.CredentialUsed.Type)));
}
