Force User To Login After Resetting Password in Azure ADB2C - azure-ad-b2c

Current Implementation
I am using the Recommended Sign Up and Sign In Userflow in Azure ADB2C.
I have selected the option of self-service password reset under Properties.
User is able to reset their password successfully.
Problem Facing
After resetting the password, the user is logged in directly to the application.
Expected Flow
I want the user to enter their credentials and login after resetting their password.
I want to force the user to login after resetting their password.
Is there any way to achieve this?

You can do this with custom policies where the password reset journey forces a login before returning the JWT.

I agree with @rbrayb, you need to use custom policies to achieve your scenario. Just adding a few screenshots and references to give a better idea.
I tried to reproduce the same in my environment and got the results below.
I have one Sign up and sign in user flow where I enabled the self-service password reset option, the same as you, like below:
Enabling self-service password reset option allows end users to reset their password through the ‘Forgot your password’ link.
When I ran the user flow, I selected the "Forgot your password" link to reset the password of a particular user like below:
You need to verify your email address first, after which it displays the page below to reset the password:
When the Continue option is selected, it took the user directly to the redirect URL of the application once done with resetting the password, like below:
As this is the default behaviour, you cannot force users to log in after a password reset using user flows.
Instead you can customize your flow using custom policies as suggested by @rbrayb that force the user to log in again after the password reset.
You can go through the references below on using custom policies to force users to log in after a password reset.
Azure B2C force login after password reset sub journey - Stack Overflow by sabique
samples/policies/password-reset-only at master · azure-ad-b2c/samples (github.com) by yeolhor
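To make the custom-policy approach from the two answers above concrete, here is an added example of a password reset user journey that shows the local-account sign-in page before issuing the token. It is not code from the original posts or from the linked sample repository; it assumes the Azure AD B2C custom-policy starter pack, so the technical profile IDs (LocalAccountDiscoveryUsingEmailAddress, LocalAccountWritePasswordUsingObjectId, SelfAsserted-LocalAccountSignin-Email, AAD-UserReadUsingObjectId, JwtIssuer) and the ClientDefinition are the starter pack's, and the journey name PasswordResetThenSignIn is invented here.

```xml
<!-- Added example (not from the original post or the linked samples).
     Assumes the Azure AD B2C custom-policy starter pack; the journey Id is an
     invented name. Place this inside <UserJourneys> in TrustFrameworkExtensions.xml
     and point a relying-party file's <DefaultUserJourney ReferenceId="..."/> at it. -->
<UserJourney Id="PasswordResetThenSignIn">
  <OrchestrationSteps>

    <!-- Step 1: the user proves control of the e-mail address; the account is
         looked up and its objectId is written into the claims bag. -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange"
                        TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 2: collect the new password twice and write it to the account. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials"
                        TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 3: the step the built-in user flow does not have. The self-asserted
         sign-in page is shown and the credentials are validated by the technical
         profile's own validation (login-NonInteractive). Deliberately no
         <Preconditions> with a ClaimsExist check on objectId here: step 1 already
         populated objectId, so such a precondition would skip the sign-in. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange"
                        TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 4: read the directory attributes that go into the token. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId"
                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Step 5: only now is the JWT issued, i.e. after a fresh sign-in with
         the new password, which is the behaviour the question asks for. -->
    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

The security-relevant point is the ordering: the token is issued in the last step, so a caller can only obtain a JWT from this policy by presenting the new password, not merely by having passed the e-mail verification. Run the policy from the portal's "Run now" and confirm that the sign-in page appears after the password is written and that the issued token is only returned afterwards.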

Related

Why does the reset password requires MFA with custom layout but not with default layout?

We have been implementing Azure AD B2C into our customer portal website to handle the authentication of customers.
Recently, during some testing, I've noticed that we have been getting MFA requests in the Reset Password, which is fine other than the fact that you need to verify your email twice, it's just annoying.
However, I noticed that in a different User Flow, this didn't happen.
All the settings on the User Flows were exactly the same, except that one uses custom pages layouts, and the other uses the default layout.
The User flow with custom layouts is requesting MFA when resetting the password, so the steps in this flow are:
Click on forgot password link
Verify your email
Multifactor Authentication step (verify your email, again)
Change your password.
Whereas in the User Flow with no custom layouts the steps are the same but there is no step 3. So it goes like:
Click on forgot password link
Verify your email
Change your password
I have no idea why this is. All the settings are the same. The website is the same, the IP is the same, the account is the same. The ONLY difference is that one has custom pages and the other does not.
We want the customers to have a good experience through the reset password, and asking to verify the email 2 times when they are the same step is not the best experience.
Anything we could do to stop this or have it act differently?
When it comes to verifying your email twice: the default behavior for the Password Reset flow is that you put in your email and get the code sent to your email, and once the code is entered, you are asked to enter the new password and confirm the new password. But if you enable MFA for your SignUp-SignIn policy and then try to reset the password, you would first go through the default flow for SSPR, enter your email address and get the code sent to your email, and second, once you enter the code, the next page is the MFA page, which brings up the MFA method that is selected in the SignUp-SignIn policy.
As suggested by @junnas, please check and try disabling the MFA enforcement on the Password reset user flow in your Azure AD B2C directory.

How to provide the reset password feature outside Azure context?

My scenario is a public website, with authenticated access that is managed by AzureAdB2C, and the authentication is not embedded but on a subdomain style. In the authentication form I see that there's the option for password reset (for someone who forgets it) but my question is when the user is already authenticated and so outside Azure context, how can he ask for a password change?
Is there any endpoint or so (that would receive the email linked to the account)?
Thank you
Still not clear, because you mention "fire the change/reset password flow?". Which is it, or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.
You can Configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.

'The username or password provided in the request are invalid' error in change password custom policy

I have created a password reset custom policy in Azure B2C as per the Microsoft document. It asks for the username and password if there is no active session. After entering the username and password, a window for password reset opens and I am able to update the password.
But if there is an active session, it directly pops up the password reset page. When I enter the old password, new password, confirm password and click on the continue button, it shows 'The username or password provided in the request are invalid'.
I have followed all steps exactly as in the Microsoft document. Can anyone please help me to resolve this issue?
Document I have followed:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?pivots=b2c-custom-policy
Make sure the ProxyIdentityExperienceFramework application in TrustFrameworkExtensions.xml of the custom policies has been configured correctly.
Register Identity Experience Framework applications
Add application IDs to the custom policy
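As an added example of the check suggested in that answer (not code from the original post), this is the shape of the login-NonInteractive override in TrustFrameworkExtensions.xml that the referenced "Add application IDs to the custom policy" step produces. It is the profile that validates the old password when the user already has an active session, so a wrong or swapped application ID here surfaces exactly as the 'username or password provided in the request are invalid' error. The two GUIDs are constructed placeholders, not real application IDs.

```xml
<!-- Added example; not from the original post. Lives under <ClaimsProviders> in
     TrustFrameworkExtensions.xml. The GUIDs below are constructed placeholders:
     replace them with the Application (client) IDs of the two app registrations
     created in the "Register Identity Experience Framework applications" step. -->
<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <!-- client_id: the ProxyIdentityExperienceFramework app (the public client
             that performs the resource-owner credential check). -->
        <Item Key="client_id">11111111-1111-1111-1111-111111111111</Item>
        <!-- IdTokenAudience: the IdentityExperienceFramework app (the API the
             proxy app is granted access to). Do not swap these two values. -->
        <Item Key="IdTokenAudience">22222222-2222-2222-2222-222222222222</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id"
                    DefaultValue="11111111-1111-1111-1111-111111111111" />
        <InputClaim ClaimTypeReferenceId="resource_id"
                    PartnerClaimType="resource"
                    DefaultValue="22222222-2222-2222-2222-222222222222" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Things to verify alongside the IDs: the ProxyIdentityExperienceFramework registration must be a public client (allow public client flows enabled), and it must have admin consent to the IdentityExperienceFramework app's exposed scope; otherwise the credential validation fails with the same generic error even when the IDs are correct.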

Azure AD B2C - Force user to change password on first login

I have created a built in sign in user flow for users to sign in.
I am creating users through a PowerShell script where I have set ForceChangePasswordNextLogin to true. I was expecting users to be shown the password change page when they log in for the first time, but I always get a "Password Expired" error.
Could anyone provide some inputs on this ?
While creating local accounts in B2C via Graph API/PowerShell, the forceChangePasswordNextSignIn property must be set to false. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api#password-profile-property. Setting it to true generates a temporary password, which is marked as expired and requires the user to provide a new password. Since Azure AD B2C has a different mechanism for resetting passwords (i.e. by using Password Reset user flows/custom policies), users don't get the option to reset the password and only get the "The password has expired." message. In B2C, administrator accounts cannot be used to reset the password or set forceChangePasswordNextSignIn = true for consumer accounts.
As of now, the only possible way to require users to reset their passwords at first logon is by using custom policy: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon.

[Azure AD]: Reset Password button Disabled

I was logged in as a Global Administrator, I selected the user and tried to reset the password, but the password reset button is disabled. How can I enable the reset password button in Azure AD?
Did I disable some permission in the dashboard, or is there any other reason for the reset password being disabled? Anyone who knows, please share.
Thanks in Advance.
I think the user that you want to reset the password for is an external user.
You cannot reset the password for users that are external, such as guest users.
You can reset internal users that are in your Azure AD. External users can reset their passwords by themselves on the login website.
If the user account in question is an internal user, i.e the user UPN would end with either the default domain of the tenant or a verified custom domain – you would be able to reset the password as a GA. However, if the user belongs to another tenant you would not have the access to reset the password. Also, the same applies to Guest Users as explained by Wayne.
In this case, you could ask the user in question to visit https://aka.ms/sspr for Self Service Password Reset.