B2C: Securing internal step of a custom policy

ZS 21 Reputation points

I'm new to B2C so excuse me if my question is about something obvious. There is a custom policy that is used for set password after registration. The policy is working fine and updates the password. If the same link is used again in the browser the policy correctly shows an error that the activation link has expired. The problem is that if someone captures the HTTP requests and particularly the POST request that changes the password and sends it again in a tool with a new value for the password field it actually updates the password in B2C. Could you please recommend how to secure this POST step?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,628 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,301 Reputation points

    Hello @ZS

    All B2C calls are by default over HTTPS, which includes the POST call to set or change the password in the B2C directory as well. To modify the body of the POST call, the call needs to be decrypted first.

    If you are storing the password in an external database or external system via REST API Technical Profile, you need to make sure that the service URL in that Technical Profile is also configured to use HTTPS and not HTTP.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

0 additional answers

Sort by: Most helpful