I have a B2C tenant setup using the oob sign-up/sign-in user flow working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.
To test this, I first login to my app using the signup/signin user flow and then invoke the custom policy url in the same browser tab session without the prompt=login. It does take me directly to the password change form, however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to setup the password change flow. You can download the polices back from the Portal to work with.
Related
We are using Azure AD B2C for a Web-Application and we want to provide a link/button/whatever to the users so that they can change thier password whenever they like.
I've found that Password Reset flow, but thatone wants to send me a verification code etc. as if I've forgotten my password.
I've also found that ForceChangePasswordNextLogin Graph API attribute. I can set that, and at the next login, it asks me to change my password by providing the old one, exaclty as I want, but I don't want do force my users to logout and log back in again.
Does anyone know how I can put plain old simple "Change Password"(not Reset!) functionality into Azure B2C?
You need to use custom policies
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?pivots=b2c-custom-policy
In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP), should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordResest), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle is doing it via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and overall landscape of your identity setup, you may try using a "trick" - create a custom UI HTML template which will include an URL to the password reset policy of your choosing (static URL in the template) and hide (or disable if you use custom policies) the original "Forgot passoword" link which returns back to the app to handle. Attach that template to the policy - https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.
I am trying to use Azure AD B2C: Force password reset first logon
to implement the Password reset on initial login. I am using a username to sign in to the application and NOT Email address. When I sign-in using my username, I am not getting redirected to the password reset page and the custom attribute is not cleared.
I am using Graph API to set the custom attribute Extenstion_000000000000000000000000000000000_ForcePasswordResetOnInitialLogin with user creation. Can you please direct me where I am doing this wrong?
I would like the user to sign in for the first time and get redirected to reset the password and clear the custom attribute.
Note: I am using Sign in using Username and there is no user signup. All users are created by Graph API.
Force Password change works only with Sign-in policy. It does not work with SignInSignUp policy. Have a look at the discussion here
This feature is planned for implementation.
I tested this sample you shared and it works fine for me.
So if you are not getting re-directed to the password reset page, the reason should be that you haven't configured the UserJourney "SignUpOrSignIn" correctly.
Please add the code of step 7 and step 8 (line 188 to 233) into your UserJourney "SignUpOrSignIn" in your TrustFrameworkExtensions.xml or TrustFrameworkBase.xml file. And note that if you add the code into TrustFrameworkBase.xml, you should also add the TechnicalProfile "AAD-UserRemoveMustResetPasswordUsingObjectId" to the corresponding location of the TrustFrameworkBase.xml file.
I’ve implemented the password change custom policy according to the documentation and use msal.js on the frontend to start the password change flow. This works accept that the user needs to sign in again although the user is already signed in to the application. So it asks the user credentials every time. Why isn’t B2C detecting that the user has already signed in and how can I solve this?
Thanks!
MSAL.js is setting the prompt parameter, therefore, forcing B2C to ignore the cookie, therefore, forcing the sign-in.
const urlNavigate = authenticationRequest.createNavigateUrl(scopes) + "&prompt=select_account" + "&response_mode=fragment";
Source
You can verify this by taking the URL MSAL.js redirects the user to and removing the prompt query parameter.
Related GitHub Issue: Allow Controlling the prompt parameter. We need to convince the MSAL library owners we need control over this parameter.
If you are trying to test through the B2C Custom Policies "Run now" endpoint, just remove the &prompt=login query parameter from the link. If you are already logged in it will skip the login, if you are not, it will still prompt for your credentials.
Credit to Jas Suri: Azure B2C EditProfile custom policy without Signing In first
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..