Azure AD B2C Reset Password Email Link - azure

I'm trying to change the way the password is reset by the user on Azure AD B2C.
Today, the user receives a code by email, and he has to paste it.
My client wants the user to receive an email with a link to type a new password.

You can modify the policy to achieve your scenario.
You need to use "magic links" as described here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
Please let me know if you still need any help.

Related

Azure Active Directory B2C new user invite to set their initial password

In short: how to set up Azure B2C to pre-create users and invite them to set their initial password (rather than reset it).
We have a public-facing website that an organisation can pay for, and it gives them access to their own area. We add one or more users' email addresses to our database to grant them a login. Privileged users at the organisation can invite other users to grant them access to their organisation's area.
We wish to move our authentication, session and password management from a home grown solution to Azure AD B2C.
A new user currently receives a friendly invitation email with a hyperlink that contains a token that gives them permission to set their password.
We could create a custom policy to handle this but I really don't want to go down that route due to their complexity and shelf life.
The only way that I've found "out of the box" is to create the user in Azure AD (no problem with that), set a temporary password and email them an invite asking them to "reset" their password. The reset part is very unclean, as they are not resetting their password, they are setting their initial password, and this will be confusing.
Also note that we do not want the user to be able to change their email to something like a hotmail account, as the admin must be in charge of this to ensure they use their work email.
All help appreciated.
Andy
• In your scenario, I would suggest you configure an application registration in Azure AD B2C and configure user flows in it for resetting the password for every user logging in it. Also, while registering an application in Azure AD B2C, you can select the option for ‘Accounts in this organizational directory only (Default Directory only - Single tenant)’ and integrate it with your website in the frontend API such that the user flow to reset the password after verifying the email address comes up for every user.
For the above said configuration, kindly refer to the below documentation link for more details as it describes the configuration for registering users of a single tenant/organization: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
Also, refer to the below documentation link for resetting the initial temporary password using the user flow section as setting up a user flow is a very simple process as described below: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow

Send email after creating user using Graph API in B2C

We have the below requirement:
We are creating B2C users (with a random password) using Graph API from our ASP.NET Core Web API.
We want to send a welcome email to the user along with some link so that the user can directly launch the "Password Reset" page and then can log in to his application after setting the password.
As per my research, different solutions and their cons:
User logs in and follows the forgot-password journey from login, but that's a bit annoying for new users. How would they know that they have to follow the forgot-password journey on first login?
Implement a "Forced to reset password on 1st Login" policy - but for this policy, the user should know his initial password.
Using a REST API - we can't use a REST API in a custom policy as we are creating the user using Graph API.
Is there any better way to send an email to the user on creation (using Graph API)?
Any help is much appreciated.
Thanks in advance,
Anu
You can send out an "invite" link via email after creating the account via Graph API, which, when the user opens it from their inbox, they can use to set a new password at AAD B2C, and they are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.

Azure AD B2C - Password change flow

We are using Azure AD B2C for a web application and we want to provide a link/button/whatever to the users so that they can change their password whenever they like.
I've found the Password Reset flow, but that one wants to send me a verification code etc. as if I've forgotten my password.
I've also found the ForceChangePasswordNextLogin Graph API attribute. I can set that, and at the next login it asks me to change my password by providing the old one, exactly as I want, but I don't want to force my users to log out and log back in again.
Does anyone know how I can put plain old simple "Change Password" (not Reset!) functionality into Azure B2C?
You need to use custom policies
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?pivots=b2c-custom-policy

How to write an Azure B2C custom policy that triggers when a new user is added

I have a project, implemented using React JS and Azure B2C. For sign-in and password reset, I used Azure built-in user policies. What I want is when I add a user with the 'create Azure AD B2C user' option, I want the user to get an email (an invite). As far as I know, B2C doesn't have this function yet. I found out that this might be solved by a custom policy. But I don't know how. Can anyone help me with this? Thanks in advance.
This type of process would not be handled by the B2C flows. A user creation task cannot be tied to an email being sent out from our service. You would rather follow something like this:
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
You would create the user via the portal or Graph API. Then generate a link and send it via a mail provider to the user's email containing the link to complete the registration, e.g. providing their password.
Agree with #Jas.
Have a look here to see something similar for the invite flow.
Note that you should use "id_token_hint" rather than the older "client_assertion".

Azure AD B2C Password Reset - Skip Email Verification

Is there a way to create a link/URL that directs to the password reset policy, but skips the email verification part (directly to entering the new password), by implanting some kind of token to the URL?
e.g. https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_password_reset&client_id=...&email=myemail#gmail.com&signature=....
(By verifying the signature field, the user flow will let me skip email verification, and use the email from the email field instead).
The reason I need it, is because as part of a migration process from an old system that doesn't use Azure B2C to a new system that does, we want to migrate users by creating an Azure AD B2C account for them via Graph API with an obscure password, and then send them an email that would direct them to the password reset policy.
Once they click on the link that was sent to their email, it would be redundant to ask them to insert and verify their email.
Is what I'm asking possible?
You are able to send claims, such as the e-mail address for an end user, to a custom policy using a signed token.
An example of this can be found in the Azure AD B2C samples.
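The answers above (the invite flow via id_token_hint, and passing a signed token so the policy can skip email verification) all rest on the same mechanism: your back end mints a short-lived signed JWT carrying the invitee's email, puts it in the `id_token_hint` parameter of the authorize URL, and the custom policy's ID-token-hint technical profile validates the signature, issuer, audience and expiry before trusting the `email` claim. The following is an added example, not code from the azure-ad-b2c samples repository or from any of the posters. It signs with HMAC-SHA256 purely so it runs on the standard library; this assumes the policy is configured with a symmetric `client_secret` policy key, whereas the samples repo signs with an RSA key and publishes a JWKS (the claim layout is identical either way). The tenant name `contoso`, policy name `B2C_1A_signup_invite`, client ID, redirect URI and secret are placeholders.

```python
"""Mint and check the signed invite token a B2C custom policy consumes via
id_token_hint, and build the invite URL.  Added example; HS256 and all names
are assumptions, see the lead-in."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite_token(email: str, issuer: str, audience: str, secret: bytes,
                      ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Return a compact JWS (HS256, assumed key type) carrying the invitee's email."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,             # must equal the policy's "issuer" metadata
        "aud": audience,           # must equal "IdTokenAudience" (the app's client_id)
        "iat": now,
        "nbf": now,
        "exp": now + ttl_seconds,  # keep it short: the link is a bearer credential
        "email": email,            # the claim the journey uses instead of asking for it
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_invite_token(token: str, issuer: str, audience: str, secret: bytes,
                        now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, else None.

    Mirrors the checks B2C performs on the hint (signature, issuer, audience,
    expiry), so a link can be tested before sending and a replayed one rejected.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        # Check the signature before parsing anything the sender controls.
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # bad base64, bad JSON, non-ASCII segment
        return None
    if header.get("alg") != "HS256":  # the token does not get to pick the algorithm
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    if not isinstance(claims.get("email"), str):
        return None
    return claims


def build_invite_url(tenant: str, policy: str, client_id: str, redirect_uri: str,
                     token: str, nonce: Optional[str] = None) -> str:
    """Authorize URL for the invite policy, with the token as id_token_hint."""
    params = {
        "p": policy,
        "client_id": client_id,
        "nonce": nonce or secrets.token_urlsafe(16),
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_type": "id_token",
        "id_token_hint": token,
    }
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


if __name__ == "__main__":
    # Constructed demo values; replace with a policy key and real app settings.
    key = secrets.token_bytes(32)
    tok = make_invite_token("alice@example.com", "https://invite.example.com",
                            "11111111-2222-3333-4444-555555555555", key)
    print(build_invite_url("contoso", "B2C_1A_signup_invite",
                           "11111111-2222-3333-4444-555555555555",
                           "https://app.example.com/auth", tok))
    print(verify_invite_token(tok, "https://invite.example.com",
                              "11111111-2222-3333-4444-555555555555", key))
```

Two practitioner points the posts leave implicit: the link is equivalent to a one-time password for that mailbox, so keep `exp` short and send it only to the address you created the account with (the admin stays in charge of which email is bound, as the second question requires); and the policy must be the only thing that trusts the `email` claim, which is why the check above refuses a token whose issuer, audience or algorithm differs from what the technical profile was configured with.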
