Azure AD B2C Custom Policy with force password reset after 90 days

Denis Dal Molin 51 Reputation points
2022-11-17T20:17:20.447+00:00

I am trying to integrate this policy: https://github.com/azure-ad-b2c/samples/blob/master/policies/force-password-reset-after-90-days/

261507-scr4r.png

I created the required custom user attribute from portal (passwordResetOn).
Next, I edited the framework extensions file and the file for relying party signup and signin.
When I try to register a new user I receive the following error: "An invalid value was presented for a property":

261603-jxrf4c6qs3.png

I don't understand where the error is. I expect that when a new user registers, it sets the date, and after 90 days it will ask for a change.
This is because I have to set a password expiration for B2C accounts longer than 90 days.

Can anyone help me? I have attached my source files.

Thanks,

Microsoft Entra External ID
2 answers

  1. Denis Dal Molin 51 Reputation points
    2022-11-21T17:14:40.663+00:00

    These are the actual files, which work in another tenant.

    262716-b2c-1a-saml2-signup-in-phonemfa-sspr-pwdresetndays.xml

    Trust Framework extension file:

    ```xml
    <!-- Root element and policy identifiers are the starter-pack defaults; the posted fragment began at <BasePolicy>. -->
    <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="b2c.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://b2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
      <BasePolicy>
        <TenantId>b2c.onmicrosoft.com</TenantId>
        <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
      </BasePolicy>
      <!-- BuildingBlocks (ClaimsSchema, ClaimsTransformations) are left commented out in the posted file -->
      <!--   <BuildingBlocks>
        <ClaimsSchema>
        </ClaimsSchema>
      </BuildingBlocks> -->
      <ClaimsProviders>
        <ClaimsProvider>
          <DisplayName>Facebook</DisplayName>
          <TechnicalProfiles>
            <TechnicalProfile Id="Facebook-OAUTH">
              <Metadata>
                <Item Key="client_id">facebook_clientid</Item>
                <Item Key="scope">email public_profile</Item>
                <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
              </Metadata>
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
        <ClaimsProvider>
          <DisplayName>Token Issuer</DisplayName>
          <TechnicalProfiles>
            <!-- SAML Token Issuer technical profile -->
            <TechnicalProfile Id="Saml2AssertionIssuer">
              <DisplayName>Token Issuer</DisplayName>
              <Protocol Name="SAML2" />
              <OutputTokenFormat>SAML2</OutputTokenFormat>
              <CryptographicKeys>
                <!-- Both assertion and message signing reference the same policy key container -->
                <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAML" />
                <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAML" />
              </CryptographicKeys>
              <InputClaims />
              <OutputClaims />
              <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
            </TechnicalProfile>
            <!-- Session management technical profile for SAML-based tokens -->
            <TechnicalProfile Id="SM-Saml-issuer">
              <DisplayName>Session Management Provider</DisplayName>
              <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
        <ClaimsProvider>
          <DisplayName>Local Account SignIn</DisplayName>
          <TechnicalProfiles>
            <TechnicalProfile Id="login-NonInteractive">
              <Metadata>
                <!-- ProxyIdentityExperienceFrameworkAppId -->
                <Item Key="client_id">1257aca9-6111-abcs-adca-d740612012fa</Item>
                <!-- IdentityExperienceFrameworkAppId -->
                <Item Key="IdTokenAudience">10f6e761-c111-dadd-acv0-affb3875cdaf</Item>
              </Metadata>
              <InputClaims>
                <!-- ProxyIdentityExperienceFrameworkAppId -->
                <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="1257aca9-6111-abcs-adca-d740612012fa" />
                <!-- IdentityExperienceFrameworkAppId -->
                <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="10f6e761-c111-dadd-acv0-affb3875cdaf" />
              </InputClaims>
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
        <ClaimsProvider>
          <DisplayName>Local Account</DisplayName>
          <TechnicalProfiles>
            <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
              <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
        <ClaimsProvider>
          <DisplayName>Azure Active Directory</DisplayName>
          <TechnicalProfiles>
            <TechnicalProfile Id="AAD-Common">
              <Metadata>
                <!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
                <Item Key="ClientId">83axdc56-1aaa-4bbb-a666-4589cbb7a212</Item>
                <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
                <Item Key="ApplicationObjectId">8d93c18a-d111-4fff-8aaa-43ebedadd5b1</Item>
              </Metadata>
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
      </ClaimsProviders>
      <!--UserJourneys>
      </UserJourneys-->
    </TrustFrameworkPolicy>
    ```
    
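An offline check for the extension file before uploading it, added here as an example; it is not code from the azure-ad-b2c/samples repository or from the poster. Since the page does not say how the sample works, the script assumes that the sample keeps the last reset date in the claim extension_passwordResetOn (DataType dateTime), that it tests that claim against the current time with a DateTimeComparison claims transformation whose timeSpanInSeconds is 90 days, and that AAD-Common must name the b2c-extensions-app. The two policy documents it parses are constructed for the example: one carrying those building blocks, the other mirroring the posted extension file, whose BuildingBlocks section is commented out.

```python
# Added example for this page, not code from the azure-ad-b2c/samples repo or
# from the poster. Assumptions (the page does not state them): the sample keeps
# the last reset date in the claim extension_passwordResetOn (DataType dateTime)
# and tests it with a DateTimeComparison transformation whose timeSpanInSeconds
# is 90 days. The policy documents below are constructed for the example.
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"b2c": B2C_NS}
NINETY_DAYS_SECONDS = 90 * 24 * 60 * 60  # 7776000


def check_policy(xml_text: str) -> dict:
    """Report what the 90-day sample needs from a TrustFrameworkExtensions file.

    Boolean findings are True when the check passes; claim_datatype carries the
    declared DataType of extension_passwordResetOn, or None if it is not declared.
    """
    root = ET.fromstring(xml_text)
    findings = {}

    # The claim written at sign-up must exist in ClaimsSchema, not inside a comment.
    claim = root.find(".//b2c:ClaimsSchema/b2c:ClaimType[@Id='extension_passwordResetOn']", NS)
    findings["claim_declared"] = claim is not None
    findings["claim_datatype"] = (claim.findtext("b2c:DataType", namespaces=NS)
                                  if claim is not None else None)

    # Extension attributes are read and written through the b2c-extensions-app,
    # which AAD-Common must identify with both ClientId and ApplicationObjectId.
    meta = root.find(".//b2c:TechnicalProfile[@Id='AAD-Common']/b2c:Metadata", NS)
    keys = {item.get("Key") for item in meta.findall("b2c:Item", NS)} if meta is not None else set()
    findings["extensions_app_configured"] = {"ClientId", "ApplicationObjectId"} <= keys

    # The expiry window is the timeSpanInSeconds of a DateTimeComparison transformation.
    params = root.findall(
        ".//b2c:ClaimsTransformation[@TransformationMethod='DateTimeComparison']"
        "/b2c:InputParameters/b2c:InputParameter[@Id='timeSpanInSeconds']", NS)
    findings["window_is_90_days"] = any(p.get("Value") == str(NINETY_DAYS_SECONDS) for p in params)
    return findings


POLICY_HEAD = (
    '<TrustFrameworkPolicy xmlns="{ns}" PolicySchemaVersion="0.3.0.0" '
    'TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions" '
    'PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">'
).format(ns=B2C_NS)

# Constructed AAD-Common block with placeholder (non-real) application identifiers.
AAD_COMMON = """
  <ClaimsProviders><ClaimsProvider><DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles><TechnicalProfile Id="AAD-Common"><Metadata>
      <Item Key="ClientId">00000000-0000-0000-0000-000000000001</Item>
      <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000002</Item>
    </Metadata></TechnicalProfile></TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>"""

# Constructed: the building blocks the sample is assumed to need.
COMPLETE_POLICY = POLICY_HEAD + """
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="extension_passwordResetOn">
        <DisplayName>Password reset on</DisplayName>
        <DataType>dateTime</DataType>
      </ClaimType>
      <ClaimType Id="currentDateTime"><DataType>dateTime</DataType></ClaimType>
      <ClaimType Id="passwordExpired"><DataType>boolean</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="GetCurrentDateTime" TransformationMethod="GetCurrentDateTime">
        <OutputClaims><OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" /></OutputClaims>
      </ClaimsTransformation>
      <ClaimsTransformation Id="IsPasswordExpired" TransformationMethod="DateTimeComparison">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_passwordResetOn" TransformationClaimType="firstDateTime" />
          <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="secondDateTime" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="operator" DataType="string" Value="earlier than" />
          <InputParameter Id="timeSpanInSeconds" DataType="int" Value="7776000" />
        </InputParameters>
        <OutputClaims><OutputClaim ClaimTypeReferenceId="passwordExpired" TransformationClaimType="result" /></OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>""" + AAD_COMMON + "</TrustFrameworkPolicy>"

# Constructed: mirrors the posted file, where the whole BuildingBlocks section is a comment.
POSTED_SHAPE = POLICY_HEAD + """
  <!-- <BuildingBlocks><ClaimsSchema></ClaimsSchema></BuildingBlocks> -->""" + AAD_COMMON + "</TrustFrameworkPolicy>"

if __name__ == "__main__":
    for name, doc in (("complete", COMPLETE_POLICY), ("posted shape", POSTED_SHAPE)):
        print(name, check_policy(doc))
```

To run it against a real file, pass the contents of the tenant's TrustFrameworkExtensions.xml to check_policy and act on any finding that is False or None; a claim that only appears inside an XML comment does not count as declared, which is the shape the posted file has.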

  2. Denis Dal Molin 51 Reputation points
    2022-11-25T14:57:48.42+00:00

    This is the tracking log made with Fiddler.

    264255-65ltqeul3u.png

    264256-jlbypcy6ev.png
