Multifactor authentication via SMS is vulnerable to bot attacks, potentially leading to high costs from automated account creations. To mitigate risks, it's recommended to disable SMS MFA, implement stronger bot protection, or disable sign-ups. If attacked, quickly identify and delete bot-created accounts using Azure portal and PowerShell scripts to manage user identities.

We Are .NET

Bot attacks on Azure AD B2C can exploit SMS/phone call MFA during sign-up to create thousands of fake accounts, incurring significant costs. To mitigate this, disabling SMS MFA in favor of TOTP, enabling bot protection (e.g., Cloudflare), or disabling sign-up entirely are recommended. For cleaning up bot-created accounts, a step-by-step guide walks through exporting affected users via the Azure portal, setting up an app registration with User Administrator role, and running a PowerShell script using the Microsoft Graph API batch endpoint to bulk-delete the users. The app registration should be deleted after use.

[HOWTO] Delete users created by bots in Azure AD B2C