MFA for Azure phone number transform

Hello all,

I ran into an issue while testing and was hoping someone either already figured this out or if there are any recommendations.

My Workday team provides four attributes for phone numbers and I want to do a first valid in addition to applying a transform for formatting. Here is an example:

Workday gives the following: +1 (512) 555-1212

Azure AD needs the format to match +1 5125551212 for MFA

I am not the best at creating transforms; here was my attempt.

Summary: First valid against the 4 attributes in Workday, e.164 format then regex against all country codes to add the space between the country code and the number.

{
    "type": "replace",
    "name": "Prioritized Azure MFA Phone",
    "attributes": {
"regex": "^(\\+998|\\+996|\\+995|\\+994|\\+993|\\+992|\\+977|\\+976|\\+975|\\+974|\\+973|\\+972|\\+971|\\+970|\\+968|\\+967|\\+966|\\+965|\\+964|\\+963|\\+962|\\+961|\\+960|\\+888|\\+886|\\+880|\\+856|\\+855|\\+853|\\+852|\\+850|\\+808|\\+800|\\+692|\\+691|\\+690|\\+689|\\+688|\\+687|\\+686|\\+685|\\+683|\\+682|\\+681|\\+680|\\+679|\\+678|\\+677|\\+676|\\+675|\\+674|\\+673|\\+672|\\+670|\\+599|\\+598|\\+597|\\+596|\\+595|\\+594|\\+593|\\+592|\\+591|\\+590|\\+509|\\+508|\\+507|\\+506|\\+505|\\+504|\\+503|\\+502|\\+501|\\+500|\\+423|\\+421|\\+420|\\+389|\\+387|\\+386|\\+385|\\+383|\\+382|\\+381|\\+380|\\+379|\\+378|\\+377|\\+376|\\+375|\\+374|\\+373|\\+372|\\+371|\\+370|\\+359|\\+358|\\+357|\\+356|\\+355|\\+354|\\+353|\\+352|\\+351|\\+350|\\+299|\\+298|\\+297|\\+291|\\+290|\\+269|\\+268|\\+267|\\+266|\\+265|\\+264|\\+263|\\+262|\\+261|\\+260|\\+258|\\+257|\\+256|\\+255|\\+254|\\+253|\\+252|\\+251|\\+250|\\+249|\\+248|\\+246|\\+245|\\+244|\\+243|\\+242|\\+241|\\+240|\\+239|\\+238|\\+237|\\+236|\\+235|\\+234|\\+233|\\+232|\\+231|\\+230|\\+229|\\+228|\\+227|\\+226|\\+225|\\+224|\\+223|\\+222|\\+221|\\+220|\\+218|\\+216|\\+213|\\+212|\\+211|\\+98|\\+95|\\+94|\\+93|\\+92|\\+91|\\+90|\\+86|\\+84|\\+82|\\+81|\\+66|\\+65|\\+64|\\+63|\\+62|\\+61|\\+60|\\+58|\\+57|\\+56|\\+55|\\+54|\\+53|\\+52|\\+51|\\+49|\\+48|\\+47|\\+46|\\+45|\\+44|\\+43|\\+41|\\+40|\\+39|\\+36|\\+34|\\+33|\\+32|\\+31|\\+30|\\+27|\\+20|\\+7|\\+1)([0-9]+)",        "replacement": "$1 $2",
        "input": {
            "type": "e164phone",
            "attributes": {
                "defaultRegion": "US",
                "input": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {
                                "attributes": {
                                    "attributeName": "WORK_MOBILE",
                                    "sourceName": "Workday"
                                },
                                "type": "accountAttribute"
                            },
                            {
                                "attributes": {
                                    "attributeName": "WORK_TELEPHONE",
                                    "sourceName": "Workday"
                                },
                                "type": "accountAttribute"
                            },
                            {
                                "attributes": {
                                    "attributeName": "HOME_MOBILE",
                                    "sourceName": "Workday"
                                },
                                "type": "accountAttribute"
                            },
                            {
                                "attributes": {
                                    "attributeName": "HOME_TELEPHONE",
                                    "sourceName": "Workday"
                                },
                                "type": "accountAttribute"
                            }
                        ],
                        "ignoreErrors": "true"
                    }
                }
            }
        }
    }
}

Am I over complicating this and is there possibly a better way?

Please let me know! Appreciate it!

Did the transform work or are you getting an error? Is it not formatting correctly?

I did an ask an architect session where I talked through this scenario and we were able to test this using VSC’s preview option in the transforms. After selecting several users with different country codes we were able to validate that this transform successfully put the numbers in the desired +1 5125551212 format that Azure AD requires for MFA.

The change will be implemented here next week and, based on the testing, it appears this should resolve my issue.

Hi @jacobshoe

Nice work. Your logic is sound, and validating it in the VS Code transform preview across multiple countries is exactly the right way to de-risk this before rollout.

A shorter approach that’s still correct (practical + maintainable)

Keep your structure (FirstValid → E.164 → add the space). That’s best practice because E.164 normalizes all the punctuation/parentheses/hyphens reliably.

Then, instead of enumerating every calling code, reduce the regex to only the calling codes your org actually has.

Example (illustrative): if your population is US/CA/UK only

{
    "type": "replace",
    "name": "Azure MFA Phone (E164 + Space)",
    "attributes": {
        "regex": "^(\\+1|\\+44)([0-9]+)",
        "replacement": "$1 $2",
        "input": {
            "type": "e164phone",
            "attributes": {
                "defaultRegion": "US",
                "input": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {"type": "accountAttribute", "attributes": {"sourceName": "Workday", "attributeName": "WORK_MOBILE"}},
                            {"type": "accountAttribute", "attributes": {"sourceName": "Workday", "attributeName": "WORK_TELEPHONE"}},
                            {"type": "accountAttribute", "attributes": {"sourceName": "Workday", "attributeName": "HOME_MOBILE"}},
                            {"type": "accountAttribute", "attributes": {"sourceName": "Workday", "attributeName": "HOME_TELEPHONE"}}
                        ],
                        "ignoreErrors": "true"
                    }
                }
            }
        }
    }
}

Why I’m not recommending a generic “+\d{1,3}” regex

It looks shorter, but it’s not reliable. Country calling codes are variable length (1–3 digits), and without a parser you can’t safely know where the country code ends and the national number begins. Your “explicit code list” is what makes your output correct.
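The boundary problem described in the reply above, as an added example that is not part of the thread: it runs an explicit calling-code list, a reduced list, and two generic patterns over constructed E.164 samples and reports every number that would reach Azure AD in the wrong shape. The helper names are hypothetical, and the pass-through of non-matching input is an assumption about how the replace step behaves.

```python
import re

# Constructed samples: E.164 strings as the e164phone step would emit them,
# mapped to the "+<code> <number>" form the thread says Azure AD MFA needs.
SAMPLES = {
    "+15125551212": "+1 5125551212",    # number from the original post
    "+442071234567": "+44 2071234567",  # constructed UK number
    "+4930123456": "+49 30123456",      # constructed DE number
}


def build_splitter(calling_codes):
    """Compile ^(\\+cc|...)([0-9]+) in the same shape as the thread's regex."""
    # Longest codes first, so a short code can never shadow a longer one.
    ordered = sorted(calling_codes, key=len, reverse=True)
    alternation = "|".join(r"\+" + re.escape(code) for code in ordered)
    return re.compile(r"^(" + alternation + r")([0-9]+)")


def add_space(e164, pattern):
    """Insert the space; input that does not match is returned unchanged
    (assumed here to mirror the replace transform)."""
    return pattern.sub(r"\1 \2", e164)


def audit(pattern):
    """Return {input: actual output} for every sample that comes out wrong."""
    wrong = {}
    for number, expected in SAMPLES.items():
        actual = add_space(number, pattern)
        if actual != expected:
            wrong[number] = actual
    return wrong


# Generic patterns that guess where the calling code ends.
GENERIC_GREEDY = re.compile(r"^(\+\d{1,3})(\d+)")   # always takes three digits
GENERIC_LAZY = re.compile(r"^(\+\d{1,3}?)(\d+)")    # always takes one digit

if __name__ == "__main__":
    for label, pattern in [
        ("explicit list (1, 44, 49)", build_splitter(["1", "44", "49"])),
        ("reduced list (1, 44)", build_splitter(["1", "44"])),
        ("generic greedy", GENERIC_GREEDY),
        ("generic lazy", GENERIC_LAZY),
    ]:
        print(label, "->", audit(pattern) or "all correct")
```

The reduced list does not corrupt the German number, it leaves it without the space, so a shortened regex needs a check for values that pass through unformatted whenever a new country joins the population.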
