[HOWTO] Delete users created by bots in Azure AD B2C

Unfortunately, SMS/phone call is still widely used as a multifactor authentication (MFA) method. What not everyone knows is that text messages (SMS) and phone calls incur costs (see SMS pricing tiers by country/region for details). Azure AD B2C is a popular target for bot attacks. If self-service sign-up and the SMS/phone call MFA method are both enabled, bots can easily create thousands or even millions of accounts. Even if SMS/phone call is not enabled, the huge number of accounts can cause a denial of service. During sign-up, SMS/phone call MFA is set up and, to verify the mobile number, an SMS is sent or a phone call is placed. SMS/phone call MFA is also triggered every time someone logs in with such an account. In this way, automated attacks can result in high costs.

One or more of the following measures can be taken to mitigate this risk.

  • Disable multifactor authentication (MFA) method SMS and phone call and instead enable time-based one-time password (TOTP)
  • Set up bot protection as for example provided by Cloudflare
  • Disable sign-up completely if applicable

NOTE
Adding/enabling a captcha doesn't really help, as the bots are able to solve it after some time.

DO NOT disable MFA completely!

If you have been attacked, you will find a huge number of newly created accounts/identities in your Azure AD B2C tenant. The easiest way to identify them is as follows.

  • Open the Azure portal in your browser
  • Switch directory to the Azure AD B2C tenant
  • Open Azure AD B2C resource
  • Navigate to Users
  • Filter by CreationDate (i.e. CreationDate > {day before attack})
  • Export the filtered list of users as CSV
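Instead of exporting the filtered list from the portal, the same list can be pulled from Microsoft Graph, which also lets you look at the oldest entries and the total before deleting anything. The following script is an added example and not part of the original post; it assumes an app registration holding the User.Read.All application permission (tenant id, client id, cut-off date and output path are placeholders) and writes a CSV with an id column in the same shape as the portal export consumed by the Remove-UsersBasedOnCsv.ps1 script further down.

```powershell
#Requires -Modules @{ ModuleName="Microsoft.Graph.Authentication"; ModuleVersion="2.0.0" }
<#
Added example, not part of the original post: list every user object created
after a cut-off time via Microsoft Graph, page through the results and write a
CSV whose "id" column matches the portal export. Tenant id, client id, cut-off
date and output path are placeholders; the app registration is assumed to hold
the User.Read.All application permission.
#>

function Get-UsersCreatedAfter
{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [datetime]
        $CreatedAfter
    )

    # Filtering on createdDateTime is an "advanced query" on directory objects:
    # it requires the ConsistencyLevel: eventual header together with $count=true.
    $since = $CreatedAfter.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri = "v1.0/users?`$filter=createdDateTime ge $since" +
           "&`$select=id,userPrincipalName,displayName,createdDateTime,identities" +
           "&`$count=true&`$top=999"

    $users = [System.Collections.Generic.List[object]]::new()
    while ($uri)
    {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri `
            -Headers @{ ConsistencyLevel = 'eventual' } -OutputType PSObject

        foreach ($u in $page.value)
        {
            # In B2C the local-account identity (signInType emailAddress or userName)
            # carries the sign-up identifier, which makes the export easy to sanity-check.
            $local = $u.identities | Where-Object { $_.signInType -ne 'userPrincipalName' } | Select-Object -First 1
            $users.Add([pscustomobject]@{
                id                = $u.id
                userPrincipalName = $u.userPrincipalName
                displayName       = $u.displayName
                createdDateTime   = $u.createdDateTime
                signUpIdentifier  = $local.issuerAssignedId
            })
        }

        # Follow the server-side paging link until there is none (it is an absolute URL).
        $uri = $page.'@odata.nextLink'
    }
    return $users
}

# App-only sign-in; prompt for the secret instead of embedding it in the script.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$cred   = [pscredential]::new('client-id-here', $secret)
Connect-MgGraph -TenantId 'tenant-id-here' -ClientSecretCredential $cred -NoWelcome

# Placeholder cut-off: the day before the attack started.
$suspects = Get-UsersCreatedAfter -CreatedAfter (Get-Date '2024-05-01T00:00:00Z')
$suspects | Export-Csv -Path 'path-to-csv-file' -NoTypeInformation

# Look at the oldest entries and the total before handing the CSV to the deletion script.
$suspects | Sort-Object createdDateTime | Select-Object -First 10 createdDateTime, signUpIdentifier, userPrincipalName
"{0} users created after the cut-off" -f $suspects.Count
```

Review the export before deleting: any legitimate user who happened to sign up during the attack window ends up in the same list, so check the oldest entries around the cut-off and remove them from the CSV if needed.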

As soon as you have the CSV file containing the users/identities created by the bots, proceed as follows.

  1. Execute steps 1 to 11 of [HOWTO] Change UPN/username of user in AAD B2C
    NOTE: User.ManageIdentities.All is not required
  2. Navigate back to Home
  3. Open Azure AD B2C resource
  4. Navigate to Manage > Roles and administrators
  5. Search for User Administrator
  6. Click Add assignments
  7. Search for the app registration created earlier
  8. Click Add
  9. Execute the following PowerShell script to delete the users in the CSV
Remove-UsersBasedOnCsv.ps1

```powershell
#Requires -Modules @{ ModuleName="Microsoft.Graph.Authentication"; ModuleVersion="2.35.1" }

# Read the CSV exported from the portal; the "id" column holds the object id of each user.
$csvContent = [System.IO.File]::ReadAllLines("path-to-csv-file") | ConvertFrom-Csv

# Build one DELETE request per user. The request id must be unique within a batch,
# so the user's object id is reused for it.
$batchRequests = [System.Collections.Generic.List[System.Collections.Hashtable]]::new()
foreach ($user in $csvContent) {
    $batchRequests.Add(@{
        id     = $user.id
        method = 'DELETE'
        url    = "/users/$($user.id)"
    })
}

# App-only authentication with the app registration created earlier (client secret).
$clientSecret = "client-secret-here"
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "client-id-here", (ConvertTo-SecureString -String $clientSecret -AsPlainText -Force)
Connect-MgGraph -TenantId "tenant-id-here" -ClientSecretCredential $cred

function Invoke-MgGraphBatchRequest
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable[]])]
    param (
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [System.Collections.Hashtable[]]
        $Requests,

        [Parameter()]
        [switch]
        $AsList
    )

    $batchResponses = [System.Collections.Generic.List[System.Collections.Hashtable]]::new()

    # Graph $batch accepts at most 20 requests per call, so send the list in slices of 20.
    for ($i = 0; $i -lt $Requests.Count; $i += 20)
    {
        $batchRequestSized = $Requests[$i..([Math]::Min($i + 19, $Requests.Count - 1))]
        $request = @{
            requests = $batchRequestSized
        }
        Write-Verbose -Message "Sending BATCH Request starting at $i out of $($Requests.Count) with:`r`n$($request | ConvertTo-Json -Depth 10)"

        $response = Invoke-MgGraphRequest -Method POST `
            -Uri 'beta/$batch' `
            -Body ($request | ConvertTo-Json -Depth 10) `
            -ErrorAction SilentlyContinue

        # A failed batch call returns nothing; skip it instead of passing $null to AddRange.
        if ($null -ne $response -and $null -ne $response.responses)
        {
            $batchResponses.AddRange([System.Collections.Hashtable[]]$response.responses)
        }

        # Pause between batches to stay clear of Graph throttling.
        Start-Sleep -Seconds 3
    }

    if ($AsList)
    {
        return $batchResponses
    }
    return $batchResponses.ToArray()
}

$batchResponses = Invoke-MgGraphBatchRequest -Requests $batchRequests -Verbose

# Per-request status: 204 means deleted, 404 means already gone, 429 means throttled (re-run those ids).
$batchResponses | Select-Object -Property status, id
```

The app registration created earlier must be deleted: it is no longer required, and it does not follow best practices (client secret authentication combined with a User Administrator role assignment).

Delete the app registration created earlier!

This attack vector is not specific to Azure AD B2C; it applies to every identity provider that allows self-service sign-up together with SMS/phone call MFA.

Kudos to Fabien Tschanz for providing the PowerShell script!
