// the find
FredMurphy/SphereB2C
Azure AD B2C calling Azure Sphere for Multi-Factor Authentication
A demo project wiring Azure Sphere hardware (NFC reader, physical buttons) into Azure AD B2C as a custom MFA factor. The auth flow goes B2C → Azure Function → IoT Hub direct method → Sphere device → response back up the chain. Interesting concept for hardware-backed auth, but explicitly demo-quality and last touched in late 2022.
The architecture is actually well-decomposed: B2C custom policy XML, a thin Azure Function as the webhook, and the device code are all separate projects with clear boundaries. Using IoT Hub direct methods as the transport between cloud and device is the right call — it avoids polling and handles the device connectivity layer. The IEF custom policy XMLs are included, which is the hardest part to find working examples of. The 10-second timeout on the device side is a sensible UX decision.
Azure AD B2C is being retired (Microsoft is migrating customers to Entra External ID), so this is being built on a foundation with an end-of-life date. The NFC tag ID matching is done by storing the raw hex ID in a B2C extension attribute and comparing it against the ID the reader reports. There is no challenge-response, so tag cloning defeats the MFA entirely. The secrets.h file in the device code follows a hardcoded-credentials pattern that will bite anyone who forks this. There is no error path for the case where the Sphere device is offline, so it is unclear whether B2C fails open or closed there, which is the most important security question for this whole setup.
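The fail-closed behaviour the last paragraph asks about, sketched as an added example (not code from the SphereB2C repo): a decision function for the Azure Function webhook that returns the B2C REST technical profile response shape, granting only on an explicit, well-formed, matching device reply and returning a 409 validation error for offline, timeout, malformed and mismatched cases. The IoT Hub direct-method call is abstracted behind a constructed invoker, the response field names (`tagId`, `buttonPressed`) and the output claim `extension_mfaVerified` are assumptions, and the raw hex ID comparison is kept as the repo does it (so this does not address tag cloning).

```python
import hmac
from typing import Callable, Optional


class DeviceUnreachable(Exception):
    """Raised by the invoker when the direct method cannot reach the device
    (IoT Hub reports it offline, or the response timeout elapses)."""


def evaluate_mfa(
    invoke_direct_method: Callable[[str, int], tuple[int, dict]],
    device_id: str,
    expected_tag_id: str,
    timeout_s: int = 10,
) -> dict:
    """Return a B2C REST-API-shaped response for the hardware MFA step.

    Only an explicit, well-formed, matching reply from the device grants.
    Every other outcome maps to HTTP 409 with a userMessage, which B2C
    renders as a validation error, so the policy fails closed.
    """
    def deny(msg: str) -> dict:
        return {"version": "1.0.0", "status": 409, "userMessage": msg}

    try:
        status, payload = invoke_direct_method(device_id, timeout_s)
    except DeviceUnreachable:
        return deny("Hardware factor unavailable; sign-in denied.")
    if status != 200 or not isinstance(payload, dict):
        return deny("Hardware factor returned an error; sign-in denied.")
    presented: Optional[str] = payload.get("tagId")
    if not isinstance(presented, str) or not payload.get("buttonPressed"):
        return deny("No NFC tag or button confirmation received; sign-in denied.")
    # Constant-time comparison of the stored hex ID against the presented one.
    if not hmac.compare_digest(presented.lower().encode(), expected_tag_id.lower().encode()):
        return deny("NFC tag not recognised; sign-in denied.")
    # Assumed output claim name consumed by the custom policy on success.
    return {"version": "1.0.0", "status": 200, "extension_mfaVerified": True}


def constructed_invoker(tag_id=None, pressed=True, status=200, reachable=True):
    """Build a fake direct-method invoker (constructed test double, not IoT Hub)."""
    def invoke(device_id: str, timeout_s: int) -> tuple[int, dict]:
        if not reachable:
            raise DeviceUnreachable(f"{device_id} offline or no reply within {timeout_s}s")
        return status, {"tagId": tag_id, "buttonPressed": pressed}
    return invoke
```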