I have reset the user's password using Azure AD Graph API
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
When I tried to log in with the user's old password, AD B2C still allowed the user to log in. I have to restrict access using the user's old password. Please assist.
There is a replication delay that should be on the order of seconds to a minute or two. The way that Azure AD works is that there is a Primary that handles writes (change password) and several secondary instances that handle reads (login) and it is expected to see a short delay in replicating the new password to all of the secondary instances. See https://blogs.technet.microsoft.com/enterprisemobility/2014/09/02/azure-ad-under-the-hood-of-our-geo-redundant-highly-available-distributed-cloud-directory/
Is this problem temporary or is it persistent? Meaning after a minute can the user no longer login with the old password? Also, is the user able to login with the new password?
My scenario is a public website, with authenticated access that is managed by Azure AD B2C, and the authentication is not embedded but hosted on a subdomain. In the authentication form I see that there's the option for password reset (for someone who forgets it), but my question is: when the user is already authenticated and so outside the Azure context, how can he ask for a password change?
Is there any endpoint or similar (that would receive the email linked to the account)?
Thank you
Still not clear because you mention "fire the change/reset password flow?". Which is it or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.
You can configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves the following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.
I have created a built-in sign-in user flow for users to sign in.
I am creating users through a PowerShell script where I have set ForceChangePasswordNextLogin to true. I was expecting users to be shown a password change page when they log in for the first time, but I always get a "Password Expired" error.
Could anyone provide some input on this?
While creating local accounts in B2C via Graph API/PowerShell, the forceChangePasswordNextSignIn property must be set to false. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api#password-profile-property. Setting it to true generates a temporary password, which is marked as expired and requires the user to provide a new password. Since in Azure AD B2C there is a different mechanism for resetting passwords (i.e. by using Password Reset user flows/custom policies), users don't get the option to reset the password and only get the "The password has expired." message. In B2C, administrator accounts cannot be used to reset the password or set forceChangePasswordNextSignIn = true for consumer accounts.
As of now, the only possible way to require users to reset their passwords at first logon is by using custom policy: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon.
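As an added illustration (not code from the answer above or from Microsoft), the following Python builds the Microsoft Graph request body for a B2C local account as documented in the linked article and runs a pre-flight check that flags the forceChangePasswordNextSignIn = true setting that produces the "password expired" error. The tenant name and email address are constructed placeholders; sending the body to the Graph endpoint is left to the caller.

```python
import secrets
import string

# Endpoint the body below is POSTed to (with an app token holding User.ReadWrite.All).
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def random_initial_password(length: int = 24) -> str:
    # Initial secret only; a reset/migration flow replaces it later.
    alphabet = string.ascii_letters + string.digits + "!#$%&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_b2c_local_account(tenant: str, email: str, display_name: str, password: str) -> dict:
    """Request body for POST /users that creates a B2C local (email) account."""
    return {
        "displayName": display_name,
        "identities": [{
            "signInType": "emailAddress",
            "issuer": tenant,                 # e.g. contoso.onmicrosoft.com (placeholder)
            "issuerAssignedId": email,
        }],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": False,   # must be False in B2C
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def lint_b2c_user_body(body: dict) -> list:
    """Pre-flight check: list the settings that would end in 'password expired' at first sign-in."""
    issues = []
    profile = body.get("passwordProfile", {})
    if profile.get("forceChangePasswordNextSignIn") is not False:
        issues.append("forceChangePasswordNextSignIn must be false: B2C has no first-sign-in "
                      "change-password page, so the user only sees 'The password has expired'.")
    if "DisablePasswordExpiration" not in (body.get("passwordPolicies") or ""):
        issues.append("passwordPolicies should include DisablePasswordExpiration for B2C local accounts.")
    identities = body.get("identities") or []
    if not any(i.get("signInType") == "emailAddress" for i in identities):
        issues.append("identities needs an emailAddress entry so the user can sign in with email.")
    return issues


if __name__ == "__main__":
    body = build_b2c_local_account("contoso.onmicrosoft.com", "jdoe@example.com",
                                   "Jane Doe", random_initial_password())
    print(lint_b2c_user_body(body) or "body is safe to POST to " + GRAPH_USERS_URL)
```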
How can I prevent a user from logging into Azure Active Directory multiple times with the same account? This should be pretty straightforward, but I can't find any information anywhere. I'd ideally like to be able to show a page in the browser informing the user that they aren't allowed to log in multiple times with the same account.
As far as I know, you cannot restrict a user from logging in to Azure Active Directory multiple times with the same account. You could limit the login hours for the user, or you could enable Multi-Factor Authentication (MFA) to enhance the login security level and reduce login risk. For example, once MFA is enabled, you could require the user to confirm the login by using a phone call or text code after entering the password.
I am moving from ASP.NET identity management to Azure AD B2C. I added the existing users through the Graph API and gave each user a random password for now in staging. Is it possible to use the old password of the user (I cannot get the existing password from my database)? I remember that in one of the talks on Azure AD B2C they obtained the password by back-tracking the request, though I am not clear about it.
What is the best strategy to move to Azure AD B2C with minimum password friction?
I used the approach described here (Just-In-Time migration source code)
pre-migrate users with auto-generated password
create an API to check user credentials from the old user store (Microsoft Docs)
add the API call to the Technical Profile in the SignIn Policy so every time a user tries to sign in, the credentials will be checked against the old user store (Microsoft Docs)
give the API the privilege to change the password if the old credentials are verified (see my response to this post) or impersonate the user (if you safely stored the auto-generated passwords somewhere secure)
your user credentials were updated 'just-in-time', so your users will not notice this change on the fly
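The credential-check API from the steps above, as an added example that is not the answer's own code nor Microsoft's sample: it verifies the submitted password against an ASP.NET Core Identity (V3, PBKDF2-HMAC-SHA256) hash from the legacy store and, on success, hands the verified password to a stubbed Graph password-update call; on failure it returns the 409 validation-error shape a B2C REST technical profile expects. The legacy store entry and the `set_b2c_password` callback are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# ASP.NET Core Identity V3 hash layout:
#   0x01 | prf (u32 BE, 1 = HMACSHA256) | iterations (u32 BE) | salt length (u32 BE) | salt | subkey
def hash_aspnet_v3(password: str, iterations: int = 10000, salt: bytes = None) -> str:
    salt = salt or secrets.token_bytes(16)
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    return base64.b64encode(b"\x01" + struct.pack(">III", 1, iterations, len(salt)) + salt + subkey).decode()


def verify_aspnet_v3(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored)
    if len(raw) < 13 or raw[0] != 0x01:
        return False
    prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
    if prf != 1:
        return False
    salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(subkey))
    return hmac.compare_digest(computed, subkey)   # constant-time compare


# Constructed legacy user store: email -> ASP.NET Identity hash
LEGACY_STORE = {"alice@example.com": hash_aspnet_v3("Correct-Horse-9")}


def validate_credentials(body: dict, legacy_store: dict, set_b2c_password) -> tuple:
    """Handler behind the REST technical profile in the sign-in journey.
    Returns (http_status, json_body); set_b2c_password is the Graph update, stubbed by the caller."""
    email = (body.get("email") or "").strip().lower()
    password = body.get("password") or ""
    stored = legacy_store.get(email)
    if stored is None or not verify_aspnet_v3(stored, password):
        # B2C stops the journey and shows userMessage when the API answers 409 in this shape.
        return 409, {"version": "1.0.0", "status": 409, "userMessage": "Invalid email or password."}
    # Old credentials verified: write them into the B2C account so the next login is native.
    set_b2c_password(email, password)
    return 200, {"email": email, "migrated": True}


if __name__ == "__main__":
    print(validate_credentials({"email": "alice@example.com", "password": "Correct-Horse-9"},
                               LEGACY_STORE, lambda e, p: print("graph: update password for", e)))
```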
I don't think you can get the password out from ASP.NET identity management, since the password is hashed.
As a migration strategy, you could create the Azure B2C users, from your existing authentication logic backend in ASP.NET identity management, upon successful login, since users are sending their usernames and passwords for authentication. Once all the users are moved, you can shift to Azure B2C login.
I created an Active Directory in Azure. I created a new user (as global admin) with a *#*.onmicrosoft.com login. The user gets assigned a temporary password that has to be changed on first login.
The user is created so that I can use it with Azure AD Connect, to connect the on-premises domain with Azure. Until the password is reset, it is considered expired.
Where can I log in with that user to reset the password?
Please log in to the Azure Portal as that user. As part of the login process, the user will be asked to reset the password because the user is logging in for the first time.