AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step '2'.

Piyumi Nadeeshani 10

Hi,

I am creating users using Microsoft Graph API as follows

var userToAddToAAD = new User
                {
                    AccountEnabled = true,
                    DisplayName = $"{firstName} {lastName}",
                    MailNickname = $"{firstName}{lastName[0]}",
                    PasswordProfile = new PasswordProfile
                    {
                        ForceChangePasswordNextSignIn = true,
                        Password = password
                    },
                    Identities = new List<ObjectIdentity>
                    {
                        new ObjectIdentity
                        {
                            SignInType = "emailAddress",
                            Issuer= _issuer,
                            IssuerAssignedId= emailAddress,
                        }
                    }
                };

                var scopes = new[] { "https://graph.microsoft.com/.default" };
                var clientSecretCredential = new ClientSecretCredential(_tenantId, _testboltDevClientApiClientId, _testboltDevClientApiClientSecret);
                var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
                var newUser = await graphClient.Users.PostAsync(userToAddToAAD);

After new user sign in, i have to enable reset password flow. To do that I have created a custom polices as follows.

B2C_1A_TrustFrameworkBase.xml

With this, when user sign in I was able to redirect to password reset and then user can update the password. But after that I am getting following error.

User's image

I need a solution for this. Can someone help me to solve this?

Shweta Mathur 29,531 Reputation points Microsoft Employee

2023-07-25T07:14:28.9766667+00:00

Hi @Piyumi Nadeeshani ,

Thanks for reaching out.

The error occurs due to a conflicting name for the ClaimsExchangeId in the user journey. To resolve the issue, try renaming the "LocalAccountSigninEmailExchange" in the orchestration step and ensure it is placed after the "ForgotPasswordExchange" step. By making these changes, you can avoid any clashes in the ClaimsExchangeId names and maintain the correct order of execution in the user journey.

Hope this will help.

Thanks,

Shweta

Piyumi Nadeeshani 10

@Shweta Mathur Do you mean to change it in Profile Edit Journey. I refered following documentation https://github.com/azure-ad-b2c/samples/blob/master/policies/force-password-reset/policy/SignUpOrSignin_ForcePasswordReset.xml

<UserJourney Id="CustomSignin">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin.custom">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <!-- Skip this step if change password is required. -->
              <Value>forceChangePasswordNextLogin</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
            <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when in the token. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>forceChangePasswordNextLogin</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
             <!--Force password reset upon password expiration-->
            <ClaimsExchange Id="ForcePasswordResetUponPasswordExpiration" TechnicalProfileReferenceId="SelfAsserted-ForcePasswordReset-ExpiredPassword" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="4" Type="InvokeSubJourney">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>isForgotPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <JourneyList>
            <Candidate SubJourneyReferenceId="ResetPassword" />
          </JourneyList>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

    <UserJourney Id="ProfileEdit">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

Shweta Mathur 29,531 Microsoft Employee

@Piyumi Nadeeshani

No, I meant to update it here

 <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
            <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
          </ClaimsExchanges>

Piyumi Nadeeshani 10

@Shweta Mathur Do you mean to change the order as follows.

<ClaimsExchanges>
	<ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
            
          </ClaimsExchanges>

Shweta Mathur 29,531 Reputation points Microsoft Employee

2023-07-27T10:43:31.81+00:00

@Piyumi Nadeeshani

Yes, as well change the name of SignUpWithLogonEmailExchange.
Will Roscoe 0 Reputation points

2024-01-10T10:57:21.0333333+00:00

@Shweta Mathur I'm having the same issue but I'm not clear what you mean when you say "change the name of SignUpWithLogonEmailExchange". Do you mean just change it to something slightly different? i.e. MySignUpWithLogonEmailExchange

Thanks
Sonu Shaji 0 Reputation points

2024-06-25T07:38:26.5966667+00:00

Has this been resolved? I am facing a similar issue

Share via

AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step '2'.