I am using a B2C custom policy. When a user logs in -> reset password -> enters sign-in name and email address -> receives verification code -> validates code -> clicks Continue, it throws the custom error I set up under the "UserMessageIfClaimsTransformationStringsAreNotEqual" key.
I have verified that the email address is correct for the user in B2C. I am using sign-in through username, not email address.
I am not sure what other reason it could be failing for. Also, I wanted to know if there is any way to avoid the email address verification part (we have some users without an email address)?
Thanks.
I am using Azure B2C for IAM, and in it I have configured a Sign up and sign in user flow for the website. In the user flow I have enabled Self-service password reset, which allowed this user flow to be used for the forgot-password journey as well.
When I try the forgot-password flow using an unregistered email address, an OTP is sent to that email address and the OTP is verified as well, but instead of getting the message "An account could not be found for the provided user ID." I get an undefined error message. This works fine if I use a separate user flow for forgot password.
I tried to reproduce the same in my environment and got the results below:
I have one Sign up and sign in user flow where I enabled Self-service password reset, like below:
When I ran the above user flow, I got the screen with Forgot your password? like below:
After selecting Forgot your password?, I entered an unregistered email and got a code like below:
When I selected Continue, I got the same error as you like below:
Note that, in a sign-up and sign-in journey, only registered users can reset their own password by using the Forgot your password? link. Make sure to register the user first before using that link.
So, I registered that user by selecting Sign up now option in user flow and entered details like below:
Now I ran the user flow again and selected Forgot your password? by entering the above registered email and it verified like below:
When I selected Continue, it took me to Password Reset page successfully like below:
You need to use custom policies to customize the error you get when an unregistered user's email is entered via the Forgot your password? link.
You can also collect your B2C logs with Application Insights. But this feature only supports custom policies, not user flows.
Reference:
Troubleshoot custom policies with Application Insights - Azure AD B2C
We have been implementing Azure AD B2C into our customer portal website to handle the authentication of customers.
Recently, during some testing, I've noticed that we have been getting MFA requests in the Reset Password flow, which is fine except that you need to verify your email twice; it's just annoying.
However, I noticed that in a different User Flow, this didn't happen.
All the settings on the User Flows were exactly the same, except that one uses custom page layouts and the other uses the default layout.
The User Flow with custom layouts is requesting MFA when resetting the password, so the steps in this flow are:
1. Click on the forgot password link
2. Verify your email
3. Multifactor Authentication step (verify your email, again)
4. Change your password
Whereas in the User Flow with no custom layouts the steps are the same but there is no step 3. So it goes like:
1. Click on the forgot password link
2. Verify your email
3. Change your password
I have no idea why this is. All the settings are the same. The website is the same, the IP is the same, the account is the same. The ONLY difference is that one has custom pages and the other does not.
We want the customers to have a good experience through the password reset, and asking them to verify the email twice when it is the same step is not the best experience.
Anything we could do to stop this or have it act differently?
When it comes to verifying your email twice: the default behavior for the Password Reset flow is that you enter your email and get a code sent to it, and once the code is entered you are asked to enter and confirm the new password. But if you enable MFA for your SignUp-SignIn policy and then try to reset the password, you first go through the default SSPR flow (enter your email address and get the code sent to your email), and second, once you enter the code, the next page is the MFA page, which brings up the MFA method selected in the SignUp-SignIn policy.
As suggested by #junnas please check and try disabling the MFA enforcement on Password reset user flow in your Azure AD B2C directory.
Is there a way to create a link/URL that directs to the password reset policy, but skips the email verification part (directly to entering the new password), by implanting some kind of token to the URL?
e.g. https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_password_reset&client_id=...&email=myemail@gmail.com&signature=....
(By verifying the signature field, the user flow would let me skip email verification and use the email from the email field instead.)
The reason I need it is that, as part of a migration from an old system that doesn't use Azure B2C to a new system that does, we want to migrate users by creating an Azure AD B2C account for them via the Graph API with an obscure password, and then send them an email that directs them to the password reset policy.
Once they click on the link that was sent to their email, it would be redundant to ask them to enter and verify their email.
Is what I'm asking possible?
You are able to send claims, such as the e-mail address for an end user, to a custom policy using a signed token.
An example of this can be found in the Azure AD B2C samples.
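The principle behind that sample, as an added illustration that is not the B2C sample's own code: the migration mailer signs the email claim into an expiring token carried in the reset link, and the policy trusts the claim only after checking the signature and expiry. Azure AD B2C validates an id_token_hint with an asymmetric key it fetches from a metadata endpoint; this standard-library version uses HS256 with a constructed shared secret, and the client id is a placeholder.

```python
import base64, hmac, hashlib, json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed secret for this example only; B2C itself validates an RS256 id_token_hint
# against the signing key published by your metadata endpoint.
SECRET = b"example-secret-do-not-reuse"
AUTHORIZE_URL = "https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(email: str, now: int, ttl: int = 3600) -> str:
    """Sign {email, iat, exp} into an HS256 JWT that the reset link can carry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"email": email, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_reset_link(email: str, now: int, client_id: str = "CLIENT_ID_PLACEHOLDER") -> str:
    """The link the migration email would contain (policy name taken from the question)."""
    query = {"p": "B2C_1_password_reset", "client_id": client_id,
             "id_token_hint": mint_token(email, now)}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"

def verified_email(link: str, now: int):
    """Return the email claim only if the signature checks out and the token is unexpired;
    anything else returns None, so the policy falls back to normal email verification."""
    token = parse_qs(urlsplit(link).query).get("id_token_hint", [None])[0]
    if not token or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None          # tampered claim or wrong key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None          # stale migration link
    return claims.get("email")
```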
I'm using Active Directory B2C with a local identity provider using username, and the policies I'm using are: Sign-up or sign-in policies and Password reset policies, both with Custom Templates.
When I try to recover the password everything works fine until the verification code step. When the verification code from the e-mail is accepted and I then press "continue", this is the error that's presented:
Bad Request
URL:
https://login.microsoftonline.com/prosamx.onmicrosoft.com/B2C_1_ResetPwd/api/SelfAsserted/error?code=UX016&desc=OK&csrf_token=Y1BjMjF2TjdMVm5MbXhyLyt4MHFzUlVsQzcyUXA2VVVZUDVoQml6S20xL2JQd3ppbHZadTBVaHl2ZTlMMUx1YkJSUkZTeVhnY2grL2lPZ3F1OE92Q1E9PTsyMDE3LTA1LTAyVDE4OjQ4OjQ2LjM5MTU4NDRaO09ZV2hNTEpoT2RYMUQwWllkLzVoSlE9PTt7IlRhcmdldEVudGl0eSI6IlBhc3N3b3JkUmVzZXRVc2luZ1VzZXJOYW1lRXhjaGFuZ2UiLCJPcmNoZXN0cmF0aW9uU3RlcCI6Mn0=&tx=eyJUSUQiOiI4MGRjODIwMC05MjA1LTRlODEtOTIyNy00NTNkMzRjNGQ3ZTUifQ&p=B2C_1_ResetPwd
This happens when the username is used with the local identity provider.
I hope you can help me out.
Thanks, regards.
Password reset depends on a StrongAuthenticationEmail property on the user object and uses it to perform the email-address-based OTP verification before allowing a self-service password reset.
If your users used the signup flow we ship out of the box to register, then when the signup flow verifies the email address, B2C writes it into the StrongAuthenticationEmail property.
Based on looking at your tenant, it seems the users do not have this property set. For username-based accounts, without this property there is no other way to do self-service password reset. This can happen because the users were created by a flow that directly calls the AAD Graph API outside of the signup flow we offer, or because you have turned off email address validation as part of the signup flow.
Thank you for reporting this issue - we will fix the error message so that it clearly states what the problem is for self-diagnosis.
Thank you,
Vikram.
I am getting a similar unhelpful "Bad Request" error on signup. I verify the email address via the verification code, fill out all the fields and then bam - I get the error.
https://login.microsoftonline.com//B2C_1_Login-UserName/api/SelfAsserted/error
?code=UX016
&desc=OK
&csrf_token=
&p=B2C_1_Login-UserName
I created a password reset policy and I am using username as the identifier for the local account identity provider.
The password reset screen asks for username and email address.
What if I know someone's username but use a different email to receive the verification code? Then I would be able to access someone else's account.
I saw there used to be a check box for password reset to use "Alternate Email Address", which is much more secure than allowing the user to input one. But I can't find how to use "Alternate Email Address" in the password reset policy.
Does anyone know where to set it?
What if I know someone's username but use a different email to receive the verification code? Then I would be able to access someone else's account.
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.
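The ordering described in the answer above (verify the mailbox first, look the account up only afterwards, and reject on any username/email mismatch), as an added simulation that is not Azure AD B2C's own code. The user store and the fixed response strings are constructed for the example.

```python
import hmac, secrets

# Constructed store of username-based local accounts; "reset_email" stands in for the
# verified address B2C keeps on the account for password reset.
USERS = {"alice": {"reset_email": "alice@example.com"}}

GENERIC_SENT = "If the details match an account, a verification code has been sent."
NOT_FOUND = "An account could not be found for the provided user ID."

class PasswordReset:
    """Collect username + email, prove control of the mailbox with a code, and only
    then check the pair against the directory. Before the code is verified every
    caller sees the same response, so guessing email addresses for a known
    username reveals nothing, and a mismatch still ends in a generic not-found."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # session id -> (username, email, code)

    def start(self, username: str, email: str):
        sid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"  # would be delivered to `email`
        self.pending[sid] = (username, email, code)
        # No directory lookup here: the reply is identical for real and bogus usernames.
        return sid, GENERIC_SENT, code  # code returned only so the example runs offline

    def verify_code(self, sid: str, submitted: str) -> str:
        username, email, code = self.pending[sid]
        if not hmac.compare_digest(code, submitted):
            return "invalid-code"
        # The account is looked up only after the caller proved control of the mailbox,
        # and both username and email must match what the directory holds.
        account = self.users.get(username)
        if account is None or account["reset_email"].lower() != email.lower():
            return NOT_FOUND
        return "set-new-password"
```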