Reset Password with Custom Policies in Azure AD B2C - azure-ad-b2c

How do I reset a user's password when using custom policies? Based upon this thread, I can't use portal.azure.com as it assigns a temporary password that must be changed on next sign-in.
Am I forced to use the graph api? Any other options?

Copying the answer from the stack overflow post that you linked,
Neither a "sign-up or sign-in policy" nor a "custom policy" supports the Azure Active Directory forceChangePasswordNextLogin flag (forceChangePasswordNextLogin will only work with a "sign-up policy"). There is a feature request tracking this here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16861051-aadb2c-force-password-reset

Related

Can I use Azure B2C with my own login form?

I have an existing login page. Can I integrate Azure B2C into it instead of using the login screens provided by and hosted by Azure AD B2C?
A similar question was asked 4 years ago but the answer is most likely out of date: Can I use my own UI to authenticate users with Azure AD B2C?
You could have a look at the embedded sign up / sign-in option.
"For a simpler sign-up or sign-in experience, you can avoid redirecting users to a separate sign-up or sign-in page, or generating a pop-up window. By using the inline frame HTML element, you can embed the Azure AD B2C sign-in user interface directly into your web application."
If you are really determined to use your own form, which has nothing to do with AAD B2C, then the only solution you're left with is a Resource Owner Password Credentials grant, where you explicitly send the username/email and password over to AAD B2C and get a token in return.
Here's docs ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
Be aware though that this flow is not suitable for modern applications for security reasons and in principle should rather be used only for legacy solutions.

Azure AD B2C - Configure PasswordReset policy directly into the Custom Policy for Sign-Up/Sign-in

In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP), should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordReset), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle is doing it via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and the overall landscape of your identity setup, you may try using a "trick": create a custom UI HTML template which includes a URL to the password reset policy of your choosing (static URL in the template) and hide (or disable, if you use custom policies) the original "Forgot password" link which returns back to the app to handle. Attach that template to the policy: https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
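The relying-party handling described in the question and the answer above (read the AADB2C90118 error, then redirect the user to the password reset policy), as an added example that is not code from this thread. It is framework-agnostic Python that mirrors what the OpenID Connect error handler in an ASP.NET relying party has to do; the tenant name, policy IDs, client ID and redirect URI are placeholders. It also makes explicit a check the docs leave implicit: validate `state` on the error callback before acting on it, and mint a fresh state/nonce for the reset-policy request instead of reusing the sign-in one.

```python
# Added example (not code from the thread): relying-party handling of the
# AADB2C90118 callback from a sign-up/sign-in policy. All identifiers below
# are placeholders (assumptions), not values from the original posts.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

TENANT = "contoso"                                    # assumption: B2C tenant name
SUSI_POLICY = "B2C_1A_signup_signin"                  # assumption: SUSI custom policy ID
RESET_POLICY = "B2C_1A_PasswordReset"                 # assumption: reset custom policy ID
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder app registration ID
REDIRECT_URI = "https://app.example.com/signin-oidc"  # placeholder reply URL

FORGOT_PASSWORD_CODE = "AADB2C90118"


def authorize_url(policy, session):
    """Build the /authorize URL for `policy` and store a fresh state and nonce in `session`.

    Every authorize request, including the one that sends the user to the
    password reset policy, gets its own state/nonce pair, so the reset round
    trip is protected by its own CSRF token rather than the sign-in one.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    session["oidc_policy"] = policy
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
    }
    return (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize?{urlencode(params)}")


def handle_callback(callback_url, session):
    """Classify the redirect B2C sent back to REDIRECT_URI.

    Returns one of:
      ("code", authorization_code)  success, continue with the token exchange
      ("redirect", url)             AADB2C90118: send the user to the reset policy
      ("error", description)        anything else, including a bad state value
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("oidc_state", "")  # single use: consumed on first callback
    # Check state before looking at anything else, error callbacks included, so a
    # crafted error response from elsewhere cannot steer the user anywhere.
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        return ("error", "state mismatch")

    if "code" in query:
        return ("code", query["code"][0])

    description = query.get("error_description", [""])[0]
    if FORGOT_PASSWORD_CODE in description and session.get("oidc_policy") == SUSI_POLICY:
        # The user clicked "Forgot your password?" on the SUSI page. Start a new
        # authorize request against the reset policy; when it completes, the
        # callback lands here again, this time with a code.
        return ("redirect", authorize_url(RESET_POLICY, session))

    return ("error", description or query.get("error", ["unknown"])[0])


def demo():
    """Walk one user through sign-in -> forgot password -> reset using constructed callbacks."""
    session = {}
    login_url = authorize_url(SUSI_POLICY, session)
    first_state = session["oidc_state"]
    # Constructed callback shaped like the error quoted in the question.
    forgot = (f"{REDIRECT_URI}?error=access_denied"
              "&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password."
              f"&state={first_state}")
    first = handle_callback(forgot, session)     # expected: ("redirect", <reset-policy URL>)
    policy_after = session.get("oidc_policy")
    done = handle_callback(f"{REDIRECT_URI}?code=abc123&state={session['oidc_state']}", session)
    replay = handle_callback(forgot, session)    # old state replayed: must be rejected
    return {"login_url": login_url, "first": first, "done": done,
            "replay": replay, "policy_after_redirect": policy_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The `oidc_policy` check prevents the handler from redirecting on an AADB2C90118 that arrives while the session is already on the reset policy, so a misbehaving or replayed callback cannot bounce the user between policies.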
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.

Azure AD B2C SignUp-SignIn policy with MFA turned on - Custom Login Page

I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the password reset policy's /authorize/ URL.

Azure B2C signIn policy - lack of functionality

I have a system where users are created in the back office by admins (users with a special role). Password resetting for users is also the admin's responsibility. This functionality is implemented using the Graph API.
Users log in to their accounts using usernames (local account ID).
For this purpose I use a B2C tenant with a "sign-in" policy. The problem is that there is a password reset link => "Can't access your account". By clicking on this link, users get Microsoft's out-of-the-box password reset process. I would like to delete this link to disable some extra actions, but I found no way to do this.
1. Is it possible to delete "Can’t access your account" link in B2C sign-in policy?
The B2C sign-in policy is not fully customizable. The Microsoft site says that for full customization I need to use a "sign-up or sign-in policy". But it looks like I cannot use a local account ID in a "sign-up or sign-in policy".
2. Is it possible to use fully customizable UI without providing sign-up functionality to users? I mean is it possible to use sign-up or sign-in policy as a sign-in policy only with usernames(not emails)?
You can use a local account in a sign-up or sign-in policy.
The fully customizable experience is within the sign-up or sign-in policy.
Everything is thoroughly described in the docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
There is even an excellent example here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization-helper-tool
Using the sign-up or sign-in policy, you can not only remove the password reset link, but also disable password reset from the policy itself.
With the basic Azure B2C I don't think you can control this. Azure B2C is just rolling out the ability to create custom sign-in journeys, which will allow you to change everything, call extra REST APIs, and implement alternative IdPs.
In the last few days my UI has changed and they have just released documentation on custom journeys, so that is a good place to start.
As an alternative, and I don't know if it's possible, you could try using a custom UI theme on the sign-in policy and then use JavaScript to hide the link.

B2C: Redirect to "sign-up" flow of a "Sign-up or Sign-in" policy

Microsoft recently added the new "sign-up or sign-in" policy to Azure AD B2C.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-policies/#create-a-sign-up-or-sign-in-policy
By default when we direct a user to that page it shows the sign-in workflow.
Sometimes I may want to take a user directly to the sign-up workflow instead.
I don't want to configure two policies (i.e. upload the same banners, templates, backgrounds, redirects, special messages etc) when the content is going to be exactly the same for both.
Is it possible to pass a parameter (or some otherworldly trickery) so that it shows the "sign-up" workflow instead?
Currently there isn't a query parameter or policy setting that will take the user straight to the local account sign-up pages in a SignUporSignIn policy. Today you would need a separate sign-up policy to direct them directly to sign up.
You can use hello.js for Azure B2C with some customization in initialization; it is built for external authentication with Google, Facebook, etc. You can also look into the sample from Microsoft, which works: Azure B2C
