Does Azure provide any capability to programmatically login, reset password or device authenticate like AWS Cognito?

I have a web app that has a group of users in Azure AD and I'd like to authenticate against that via username/password but customize the solution with my own styled login screen and have device authentication similar to how AWS Cognito has the OTP/MFA.

User flow I seek:

  1. User goes to my website
  2. I provide my own login form
  3. Said form would theoretically use the same functionality that AWS Cognito provides to login programmatically with no microsoft flow or redirects
  4. Either using Azure capabilities/API or my own, I do a device authentication for MFA

So, looking at the list of flows provided:

[Image: list of Azure AD authentication flows, kindly taken from Microsoft DevRadio's YouTube video]

What are the possible flows that I can use to accomplish what I need?

  1. The username/password "password" grant only works if MFA is disabled, so one scenario I can envision is possibly combining this with my own code that does MFA (and possibly using MS Authenticator). It also doesn't seemingly work for resetting passwords.

  2. The interactive flow is the standard flow and would show the default MS page along with MFA, but it wouldn't be customizable.

  3. Would a custom flow be possible, or a device code flow and would this be limited to just a B2C tenant?

  4. Is it possible to set up Azure AD as a federated identity and hook into Cognito's methods to do this? I assume not, because authentication needs to be against the original identity provider and it seems like it can only work the reverse (a Cognito user gets access to Azure).

It seems like the only possible solution would be using Azure's ROPC with a username/password password grant API endpoint combined with my own device authentication, but this wouldn't account for password resetting nor does it seemingly provide any api device auth methods?

Thanks in advance

meder omuraliev asked Mar 01 '23 21:03

1 Answer

Customizing the login page in Azure AD (not B2C) is currently limited to the branding update, and that is available only in the Premium tier.

You can upvote the feedback here.

Another option is Resource Owner Password Credentials with your own page, but Microsoft recommends NOT using the ROPC flow. Also, MFA would not work with ROPC.

When you said "The username/password "password" grant only works if MFA is enabled", I'm not sure I could follow that. Can you explain?

And custom user flows are limited to B2C: https://learn.microsoft.com/azure/active-directory-b2c/

krishg answered Mar 05 '23 17:03
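Added example, not code from the question or the answer above: if a team does go down the ROPC road the answer warns against, the two things to get right are the request shape for the v2.0 token endpoint and handling of the failure the answer mentions, that an MFA or Conditional Access challenge can never be satisfied over ROPC and must be routed to an interactive flow instead of a retry. Nothing here touches the network; the tenant, client ID, account and `SAMPLE_*` reply bodies are constructed, and the AADSTS codes used (50076, 50079, 50126) are the documented values as assumed here.

```python
# Added example, not code from the question or the answer above. Builds an
# Azure AD v2.0 ROPC token request and classifies the token endpoint's reply.
# No network calls are made; SAMPLE_* bodies are constructed to mirror the
# documented reply format, not captured from a real tenant.
import json
import re
from urllib.parse import parse_qsl, urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Azure AD error codes as documented (assumption: these values are stable).
AADSTS_MFA_REQUIRED = 50076     # interactive MFA / Conditional Access challenge
AADSTS_MFA_ENROLL = 50079       # user must first enrol for MFA
AADSTS_BAD_CREDENTIALS = 50126  # wrong username or password
AADSTS_RE = re.compile(r"AADSTS(\d+)")


def build_ropc_request(tenant, client_id, username, password, scopes):
    """Return (url, form body) for a v2.0 ROPC ("password") grant.

    Only the documented parameters are sent: grant_type=password, client_id,
    scope, username, password. A public client sends no client_secret.
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(form)


def redact_for_log(form_body):
    """Mask secret-bearing fields before the body lands in any log line."""
    pairs = parse_qsl(form_body, keep_blank_values=True)
    return urlencode(
        [(k, "REDACTED" if k in ("password", "client_secret") else v)
         for k, v in pairs]
    )


def classify_token_response(status, body):
    """Map a token endpoint reply to an outcome the caller must act on.

    'mfa_required' means the grant can never succeed over ROPC for this user:
    hand off to an interactive flow rather than retrying the password.
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "token"
    codes = set(data.get("error_codes") or [])
    # error_codes may be absent; the same number is embedded in the description.
    m = AADSTS_RE.search(data.get("error_description", ""))
    if m:
        codes.add(int(m.group(1)))
    if (data.get("error") == "interaction_required"
            or codes & {AADSTS_MFA_REQUIRED, AADSTS_MFA_ENROLL}):
        return "mfa_required"
    if AADSTS_BAD_CREDENTIALS in codes:
        return "bad_credentials"
    return "other_error"


# Constructed sample replies (not captured from a real tenant).
SAMPLE_SUCCESS = json.dumps({
    "token_type": "Bearer", "scope": "openid offline_access",
    "expires_in": 3599, "access_token": "eyJ0eXAi.constructed.sample",
})
SAMPLE_MFA = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by "
                         "your administrator, or because you moved to a new "
                         "location, you must use multi-factor authentication.",
    "error_codes": [50076],
})
SAMPLE_BAD_PASSWORD = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.",
    "error_codes": [50126],
})


if __name__ == "__main__":
    url, body = build_ropc_request(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
        "alice@contoso.com", "Hunter2!", ["openid", "offline_access"])
    print(url)
    print(redact_for_log(body))
    for status, sample in ((200, SAMPLE_SUCCESS), (400, SAMPLE_MFA),
                           (400, SAMPLE_BAD_PASSWORD)):
        print(status, classify_token_response(status, sample))
```

The classifier keys on the structured `error_codes` array first and only falls back to parsing the description, and it treats MFA-required as terminal for this flow; a loop that re-submits the same credentials on that outcome just generates failed sign-in events with no way to succeed.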