azure-ad-b2c forgot password URL does not work - azure-ad-b2c

It seems that the "Forgot your password?" link on the Azure B2C sign-in page does not invoke the defined Password Reset Policy when using a Sign-Up/Sign-In policy.
Is Microsoft working on resolving this issue, or has anyone found a way to get the password reset policy to run from the link?
I can run the Password Reset endpoint from within the Azure B2C portal, but cannot get to this endpoint from my application. I get sent to https:///.auth/login/aad/callback with a "You do not have permission to view this directory or page." message.
It seems like the Azure B2C workflow is wrong for the Forgot password URL. Does anyone have an idea when this might get fixed? I am using a Sign-Up/Sign-In policy.

Related

Azure B2C - Custom Policy - Password Change

I have a B2C tenant set up using the out-of-the-box sign-up/sign-in user flow, which works fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application, according to this article.
When testing, if I navigate directly to the custom policy endpoint, it first prompts me to sign in and then takes me to the password change form, which works fine. However, in our case, since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article, I can remove prompt=login from the URL and it should bypass the sign-in form if the user is already signed in.
To test this, I first log in to my app using the sign-up/sign-in user flow and then invoke the custom policy URL in the same browser tab session without prompt=login. It does take me directly to the password change form; however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this, and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to set up the password change flow. You can download the policies back from the Portal to work with.

Account Lockout in Azue B2C Custom Policy is not Working

I have configured a sign-in custom policy in Azure B2C. The customer wants to lock out the account if the user enters the wrong password three times during sign-in.
I have tried Password Protection in Azure AD B2C authentication, following the document below to configure it:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management
I have entered the wrong password many times and it still only shows "The username or password provided in the request are invalid".
Can anyone help me troubleshoot this issue?
Thanks in advance!
(screenshot: Password Protection Configuration)

Azure AD B2C logout issue

Issue summary:
msal.logout() appears to log the user out, but after "logging out" the user can click "login" and be logged in again without being required to enter their username and password.
This is a serious security issue for users who log in to our application on a public computer and then log out, thinking that they have prevented someone from accessing their account.
The frontend is using Angular-msal 1.0.0 (Angular-oauth2-oidc has the same issue, so I don't think it's a problem with the JS library).
The Azure AD B2C built-in user flow and the XML custom policy both have this logout issue when logging in with a federated AAD tenant user.
Any help would be appreciated.
Thanks.
The MSAL library provides a logout method that clears the cache in browser storage and sends a sign-out request to Azure Active Directory (Azure AD). The request is made against the end_session_endpoint URL obtained from the B2C policy metadata. Keep in mind that single sign-out is supported only by custom policies, and that it is scoped to the same browser, not the device.
In case you are still facing the issue, one idea is to redirect using &prompt=login in your auth URL; this issues the login request without the existing user session.

Azure AD B2C SignUp-SignIn policy with MFA turned on - Custom Login Page

I have an ASP.NET web application that authenticates via an Azure AD B2C tenant. I have a sign-up/sign-in policy [login uses a username instead of an email] with MFA turned on. I have also set up a custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I get an invalid username and password message. When I use the Sign-In policy instead of sign-up/sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up/sign-in policy?
Also, is there any way to get a "Password" hint like the "Username" hint in the company branding? The password hint is not available.
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password policy's /authorize URL.
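The two answers above (the MSAL logout answer and the "send them straight to the Password Reset policy" answer) both come down to building the right B2C URL from the policy metadata. The following is an added example, not code from any of the posts, showing the three URLs involved: the end_session sign-out URL, an authorize URL that forces a fresh login with prompt=login, and an authorize URL that drops a pre-created user into the password-reset policy. The tenant, b2clogin host, client id, redirect URIs and the metadata document are hypothetical/constructed stand-ins; the policy name B2C_1_ResetPwd is the one that appears later in this thread. Note the later answer about StrongAuthenticationEmail: users created outside the sign-up flow may lack the property the reset policy needs.

```javascript
// Added example, not code from any of the posts above. Builds the URLs an
// Azure AD B2C relying party needs from a policy's OpenID Connect metadata.
// Runs stand-alone in Node (>= 10) or a browser; uses only the URL API.
// Tenant, host, policy names, client id and redirect URIs are hypothetical.

const TENANT = "contoso.onmicrosoft.com";     // assumed tenant name
const HOST = "https://contoso.b2clogin.com";  // assumed b2clogin host

// Constructed stand-in for the document a real app would fetch() from
// <HOST>/<TENANT>/<policy>/v2.0/.well-known/openid-configuration
// (only the fields used here). Endpoints differ per policy, so fetch it
// per policy rather than hard-coding paths.
function metadataFor(policy) {
  const base = `${HOST}/${TENANT}/${policy}`;
  return {
    issuer: `${base}/v2.0/`,
    authorization_endpoint: `${base}/oauth2/v2.0/authorize`,
    end_session_endpoint: `${base}/oauth2/v2.0/logout`,
  };
}

// RP-initiated sign-out. id_token_hint identifies the session to end;
// post_logout_redirect_uri must be one registered on the B2C app.
function buildLogoutUrl(metadata, { idTokenHint, postLogoutRedirectUri }) {
  const url = new URL(metadata.end_session_endpoint);
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Authorization request. state and nonce must be unguessable per request
// and verified on the callback. prompt=login forces credentials to be
// re-entered even when a B2C session cookie still exists; login_hint
// pre-fills the account identifier (useful for an activation link).
function buildAuthorizeUrl(metadata, opts) {
  const url = new URL(metadata.authorization_endpoint);
  url.searchParams.set("client_id", opts.clientId);
  url.searchParams.set("redirect_uri", opts.redirectUri);
  url.searchParams.set("response_type", opts.responseType || "code");
  url.searchParams.set("response_mode", "query");
  url.searchParams.set("scope", opts.scope || "openid");
  url.searchParams.set("state", opts.state);
  url.searchParams.set("nonce", opts.nonce);
  if (opts.prompt) url.searchParams.set("prompt", opts.prompt);
  if (opts.loginHint) url.searchParams.set("login_hint", opts.loginHint);
  return url.toString();
}

// True when the request cannot silently reuse an existing B2C session.
function forcesFreshLogin(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.get("prompt") === "login";
}

// Worked scenario: sign out, then force a fresh sign-in, plus an
// activation link into the password-reset policy for a pre-created user.
function demo() {
  const app = {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder app id
    redirectUri: "https://app.example/auth/callback",
  };
  const susi = metadataFor("B2C_1_SignUpSignIn");
  const reset = metadataFor("B2C_1_ResetPwd"); // policy name from this thread
  return {
    logout: buildLogoutUrl(susi, {
      idTokenHint: "eyJ.header.payload.sig", // the id_token previously issued
      postLogoutRedirectUri: "https://app.example/signed-out",
    }),
    freshSignIn: buildAuthorizeUrl(susi, {
      ...app, prompt: "login", state: "s1", nonce: "n1",
    }),
    activation: buildAuthorizeUrl(reset, {
      ...app, loginHint: "alice@example.com", state: "s2", nonce: "n2",
    }),
  };
}

console.log(demo());
```

The sign-out URL only ends the B2C session in the browser that visits it, which is why the logout answer stresses the "same browser, not device" scope; a second login that still arrives without prompt=login can be satisfied by a surviving session cookie, so the public-computer case is best handled by both redirecting through end_session_endpoint and sending the next sign-in with prompt=login.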

Azure AD B2C - Error on reset password policy custom template (error code UX016)

I'm using Active Directory B2C with a local identity provider using username, and the policies I'm using are: Sign-up or sign-in policies and Password reset policies, both with custom templates.
When I try to recover the password, everything works fine until the verification code step. When the verification code from the e-mail is accepted and I press "Continue", this is the error that's presented:
Bad Request
URL:
https://login.microsoftonline.com/prosamx.onmicrosoft.com/B2C_1_ResetPwd/api/SelfAsserted/error?code=UX016&desc=OK&csrf_token=Y1BjMjF2TjdMVm5MbXhyLyt4MHFzUlVsQzcyUXA2VVVZUDVoQml6S20xL2JQd3ppbHZadTBVaHl2ZTlMMUx1YkJSUkZTeVhnY2grL2lPZ3F1OE92Q1E9PTsyMDE3LTA1LTAyVDE4OjQ4OjQ2LjM5MTU4NDRaO09ZV2hNTEpoT2RYMUQwWllkLzVoSlE9PTt7IlRhcmdldEVudGl0eSI6IlBhc3N3b3JkUmVzZXRVc2luZ1VzZXJOYW1lRXhjaGFuZ2UiLCJPcmNoZXN0cmF0aW9uU3RlcCI6Mn0=&tx=eyJUSUQiOiI4MGRjODIwMC05MjA1LTRlODEtOTIyNy00NTNkMzRjNGQ3ZTUifQ&p=B2C_1_ResetPwd
This happens when used the username at the local identity provider
I hope you can help me out.
Thanks, regards.
Password reset depends on a StrongAuthenticationEmail property on the user object and uses that to perform the email-address-based OTP verification before allowing a self-service password reset.
If your users used the sign-up flow we ship out of the box to register, then when the sign-up flow verifies the email address, B2C writes it into the StrongAuthenticationEmail property.
Based on looking at your tenant, it seems the users do not have this property set. For username-based accounts, without this property there is no other way to do self-service password reset. This can happen because the users were created by a flow that directly calls the AAD Graph API outside of the sign-up flow we offer, or because you have turned off email address validation as part of the sign-up flow.
Thank you for reporting this issue - we will fix the error message so that it clearly states what the problem is for self-diagnosis.
Thank you,
Vikram.
I am getting a similar unhelpful error of "Bad Request" on signup. I verify the email address via the verification code, fill out all the fields and then bam - get the error.
https://login.microsoftonline.com//B2C_1_Login-UserName/api/SelfAsserted/error
?code=UX016
&desc=OK
&csrf_token=
&p=B2C_1_Login-UserName
