How to provide the reset password feature outside Azure context? - azure-ad-b2c

My scenario is a public website with authenticated access that is managed by Azure AD B2C, and the authentication is not embedded but hosted on a subdomain. In the authentication form I see that there's the option for password reset (for someone who forgets it), but my question is: when the user is already authenticated, and so outside the Azure context, how can he ask for a password change?
Is there any endpoint or so (that would receive the email linked to the account)?
Thank you

Still not clear because you mention "fire the change/reset password flow?". Which is it or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.

You can Configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves the following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.
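The answers above say to "put the link to the policy on your page", or to sign the user out first and send them to the reset policy. As an added example (Python, not code from any poster), this builds those two links for an Azure AD B2C policy; the tenant, policy name, client id and redirect URI are placeholders.

```python
"""Added example: build the /authorize link for a B2C policy (password change
or reset) and the end-session link used to sign the user out first.
Tenant, policy, client_id and redirect_uri below are placeholders."""
import secrets
from urllib.parse import urlencode

# Placeholder values; substitute your own tenant, policy and app registration.
TENANT = "contoso"                    # <tenant>.b2clogin.com
POLICY = "B2C_1A_PasswordChange"      # custom policy (or B2C_1_... user flow) name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://www.example.com/signin-oidc"


def policy_authorize_url(policy=POLICY, state=None, nonce=None):
    """Return (url, state, nonce) for the policy's /authorize endpoint.

    The policy name is a path segment. The app must check the nonce inside the
    returned id_token and the state on the redirect; both are generated here
    if the caller does not supply them.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    return f"{base}?{urlencode(params)}", state, nonce


def end_session_url(policy, post_logout_redirect_uri=REDIRECT_URI):
    """Return the policy's logout URL; after it, send the user to the reset link."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/logout")
    return f"{base}?{urlencode({'post_logout_redirect_uri': post_logout_redirect_uri})}"
```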

Related

Force User To Login After Resetting Password in Azure ADB2C

Current Implementation
I am using the Recommended Sign Up and Sign In Userflow in Azure ADB2C.
I have selected the option of self-service password reset under Properties.
User is able to reset their password successfully.
Problem Facing
After resetting the password, the user is logging in directly into the application.
Expected Flow
I want the user to enter their credentials and login after resetting their password.
I want to force the user to login after resetting their password.
Is there any way to achieve this?
You can do this with custom policies where the password reset journey forces a login before returning the JWT.
I agree with #rbrayb, you need to use custom policies to achieve your scenario. Just adding a few snapshots and references to give a better idea.
I tried to reproduce the same in my environment and got the results below.
I have one sign-up and sign-in user flow where I enabled the self-service password reset option, same as you, like below:
Enabling the self-service password reset option allows end users to reset their password through the ‘Forgot your password’ link.
When I ran the user flow, I selected the "Forgot your password" link to reset the password of a particular user, like below:
You need to verify your email address first, after which it displays the page below to reset the password:
When the Continue option is selected, it took the user directly to the redirect URL of the application once done with resetting the password, like below:
As this is the default behaviour, you cannot force users to log in after a password reset using user flows.
Instead you can customize your flow using custom policies, as suggested by #rbrayb, that force the user to log in again after a password reset.
You can go through the references below on using custom policies to force users to log in after a password reset.
Azure B2C force login after password reset sub journey - Stack Overflow by sabique
samples/policies/password-reset-only at master · azure-ad-b2c/samples (github.com) by yeolhor

Azure Active Directory B2C new user invite to set their initial password

In short: how to set up Azure B2C to pre-create users and invite them to set their initial password (rather than reset it).
We have a public facing website that an organisation can pay for, and it gives them access to their own area. We add one or more users' email addresses to our database to grant them a login. Privileged users at the organisation can invite other users to grant them access to their organisation's area.
We wish to move our authentication, session and password management from a home grown solution to Azure AD B2C.
A new user currently receives a friendly invitation email with a hyperlink that contains a token that gives them permission to set their password.
We could create a custom policy to handle this but I really don't want to go down that route due to their complexity and shelf life.
The only way that I've found "out of the box" is to create the user in Azure AD (no problem with that), set a temporary password and email them an invite asking them to "reset" their password. The reset part is very unclean as they are not resetting their password, they are setting their initial password, and this will be confusing.
Also note that we do not want the user to be able to change their email to something like a hotmail account, as the admin must be in charge of this to ensure they use their work email.
All help appreciated.
Andy
• In your scenario, I would suggest you configure an application registration in Azure AD B2C and configure user flows in it for resetting the password for every user logging in to it. Also, while registering an application in Azure AD B2C, you can select the option for ‘Accounts in this organizational directory only (Default Directory only - Single tenant)’ and integrate it with your website in the frontend API such that the user flow to reset the password after verifying the email address comes up for every user.
For the above configuration, kindly refer to the documentation link below for more details, as it describes the configuration for registering users of a single tenant/organization:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
Also, refer to the documentation link below for resetting the initial temporary password using the user flow section, as setting up a user flow is a very simple process as described there:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow

Azure AD B2C - Force user to change password on first login

I have created a built in sign in user flow for users to sign in.
I am creating users through a PowerShell script where I have set ForceChangePasswordNextLogin to true. I was expecting users would be shown the password change page when they log in for the first time, but I always get a "Password Expired" error.
Could anyone provide some inputs on this?
While creating local accounts in B2C via Graph API/PowerShell, the forceChangePasswordNextSignIn property must be set to false. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api#password-profile-property. Setting it to true generates a temporary password, which is marked as expired and requires the user to provide a new password. Since in Azure AD B2C there is a different mechanism for resetting the password (i.e. by using password reset user flows/custom policies), users don't get the option to reset the password and only get the "The password has expired." message. In B2C, administrator accounts cannot be used to reset the password or set forceChangePasswordNextSignIn = true for consumer accounts.
As of now, the only possible way to require users to reset their passwords at first logon is by using a custom policy: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon.

Azure AD B2C change password on migration

I am moving from ASP.NET identity management to Azure AD B2C. I added the existing users through Graph API and gave the users some random password, as of now in staging. Is it possible to use the old password of the user (I cannot get the existing password from my database)? I remember in one of the talks on Azure AD B2C they got the password by back-tracking the request, though I am not clear about it.
What is the best strategy to move to Azure AD B2C with minimum password friction?
I used the approach described here (Just-In-Time migration source code)
pre-migrate users with auto-generated password
create an API to check user credentials from the old user store (Microsoft Docs)
add the API call to the Technical Profile in the SignIn Policy so every time a user tries to sign in, the credentials will be checked against the old user store (Microsoft Docs)
give the API the privilege to change the password if the old credentials are verified (see my response to this post), or impersonate the user (if you safely stored the auto-generated passwords somewhere secure)
your user credentials were updated 'just-in-time', so your user will not notice this change on the fly
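The second and third steps above rely on a REST API that the sign-in policy's technical profile calls with the entered credentials. As an added example (Python, not the poster's code or the linked source), this is the credential check with the response shape B2C expects: 200 with output claims to continue the journey, or 409 with version/status/userMessage to show an error on the sign-in page. The legacy user store is a constructed in-memory stand-in.

```python
"""Added example: the credential check behind a B2C REST technical profile
used for just-in-time migration. The legacy store is constructed for the demo;
real code would query the old user store instead."""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256, the kind of hash an old store holds (never the plain password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed legacy user store: one user with a hashed password.
_SALT = b"constructed-demo-salt-16"
LEGACY_USERS = {
    "alice@example.com": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
                          "displayName": "Alice"},
}


def check_legacy_credentials(body: dict):
    """Return (http_status, json_body) for the POSTed input claims.

    200 + claims: B2C continues and the policy can set the new B2C password.
    409 + {"version","status","userMessage"}: B2C shows userMessage and stops.
    """
    email = (body.get("email") or "").strip().lower()
    password = body.get("password") or ""
    user = LEGACY_USERS.get(email)
    # Hash even for unknown users so a missing account costs the same time.
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else _hash("", _SALT)
    ok = user is not None and hmac.compare_digest(_hash(password, salt), expected)
    if not ok:
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Your username or password is incorrect."}
    # Output claims the policy maps, e.g. to mark the account as migrated.
    return 200, {"displayName": user["displayName"], "legacyMigrated": "true"}
```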
I don't think you can get the password out from ASP.NET identity management, since the password is hashed.
As a migration strategy, you could create the Azure B2C users, from your existing authentication logic backend in ASP.NET identity management, upon successful login, since users are sending their usernames and passwords for authentication. Once all the users are moved, you can shift to Azure B2C login.

Azure AD B2C SignUp-SignIn policy with MFA turned on - Custom Login Page

I have an ASP.NET web application that authenticates via an Azure AD B2C tenant. I have a sign-up/sign-in policy [login is using username instead of email] with MFA turned on. I have also set up a custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the sign-in policy instead of sign-up/sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up/sign-in policy?
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the password reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the password reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the password reset policy's /authorize/ URL.
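The DIY approach above, the "invite to set initial password" question earlier, and the forceChangePasswordNextSignIn answer all come down to the same Graph call: pre-create a local account with a throwaway password and leave forceChangePasswordNextSignIn false, then send the user to the reset policy. As an added example (Python, not code from any answer or the linked quickstart), this builds the POST /users body with that check enforced; the tenant domain is a placeholder and the call itself is not made.

```python
"""Added example: Microsoft Graph request body for pre-creating an Azure AD B2C
local (email) account. forceChangePasswordNextSignIn stays false, because true
makes B2C sign-in fail with only "The password has expired."; the user sets
their real password through the password reset policy instead."""
import secrets
import string

TENANT_DOMAIN = "contoso.onmicrosoft.com"  # placeholder B2C tenant


def random_initial_password(length: int = 24) -> str:
    """Throwaway password the user never sees; they set their own via the reset policy."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Meet the default complexity rule: lower, upper, digit and symbol.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def b2c_local_account(email: str, display_name: str,
                      force_change_next_sign_in: bool = False) -> dict:
    """Build the body for POST https://graph.microsoft.com/v1.0/users."""
    if force_change_next_sign_in:
        # As the Graph/PowerShell answer earlier on this page notes, in B2C this
        # flag must be false or the user only ever sees "The password has expired."
        raise ValueError("forceChangePasswordNextSignIn must be false for B2C local accounts")
    return {
        "displayName": display_name,
        "identities": [{
            "signInType": "emailAddress",   # local account, email as sign-in name
            "issuer": TENANT_DOMAIN,
            "issuerAssignedId": email,
        }],
        "passwordProfile": {
            "password": random_initial_password(),
            "forceChangePasswordNextSignIn": False,
        },
        # Keeps the throwaway password from expiring before the invite is used.
        "passwordPolicies": "DisablePasswordExpiration",
    }
```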