Return URL on Self Service Password Reset SSPR

Rogers, Michael 11 Reputation points
2022-10-06T16:30:52.147+00:00

We noticed a change where the return URL query string parameter is no longer working on the self-service password reset page. This seems to have started in the last week. Previously you could specify the return URL using the query parameter ru. As soon as you completed your password reset, it would return you back to the return URL. The behavior also seems to have changed when resetting your password from the AAD login screen: it displays a link to return, but it is no longer automatic. It appears to be using the same query string parameter, but it only displays the option when coming from the AAD login screen.

Is there something new we need to include to have the same behavior or be able to present the return URL to the user?

Example
https://passwordreset.microsoftonline.com/Default.aspx?ru=https%3A%2F%2Fgoogle.com

Thanks
Michael


1 answer

  1. Bas Pruijn 956 Reputation points
    2022-10-06T17:34:12.35+00:00

    I would consider the use of the ru=... parameter to be a security risk. People can be redirected to a phishing website. According to this page, https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-customization, there is no configuration of the return URL possible (anymore).
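
Added example, not part of the original thread and not Microsoft's code: a defender-side check that extracts the `ru` value from password-reset links (for instance from mail-gateway or proxy logs) and flags any return URL whose host is not on an allowlist. The allowlist host `portal.contoso.example` and every sample link except the one quoted in the question are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

SSPR_HOST = "passwordreset.microsoftonline.com"    # host from the question's link
ALLOWED_RETURN_HOSTS = {"portal.contoso.example"}  # assumption: constructed allowlist

def check_return_url(ru, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Return (ok, reason) for an already percent-decoded return URL."""
    # Reject characters that URL parsers silently strip or browsers reinterpret.
    if ru != ru.strip() or any(c in ru for c in "\\\r\n\t"):
        return False, "whitespace, control or backslash characters"
    try:
        parts = urlsplit(ru)
        host, _ = parts.hostname, parts.port   # .port raises on a malformed port
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":                # also catches //host and relative paths
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"       # https://trusted@other-host/
    if host is None or host.rstrip(".") not in allowed_hosts:
        return False, "host not on allowlist"  # exact match, no suffix matching
    return True, "ok"

def triage_sspr_link(link, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """None if link is not an SSPR link, else [(ru, ok, reason), ...]."""
    try:
        parts = urlsplit(link)
        host = parts.hostname or ""
    except ValueError:
        return None
    if host != SSPR_HOST:
        return None
    # Compare the key case-insensitively; parse_qsl percent-decodes the value once.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(v, *check_return_url(v, allowed_hosts)) for k, v in pairs if k.lower() == "ru"]

SAMPLE_LINKS = [  # first link is from the question; the rest are constructed
    "https://passwordreset.microsoftonline.com/Default.aspx?ru=https%3A%2F%2Fgoogle.com",
    "https://passwordreset.microsoftonline.com/Default.aspx?ru=https%3A%2F%2Fportal.contoso.example%2Fhome",
    "https://passwordreset.microsoftonline.com/Default.aspx?ru=https%3A%2F%2Fportal.contoso.example%40login.example%2F",
    "https://passwordreset.microsoftonline.com/Default.aspx?RU=%2F%2Flogin.example%2F",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage_sspr_link(link))
```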

