This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 39%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOK%3C/text%3E%3C/svg%3E)
Our SPA app and Web API were working well with the standard SignUpSignIn user flow. When we switched to using a custom policy while keeping the same App Registrations, Sign In always displays “Invalid username or password” [1]. (Sign Up and Sign Out work).
To remedy the issue, we created new App Registrations as per https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy
Strangely, there is a configuration that works: Following the tutorial exactly (Allow public client flows + Accounts in this org directory only + Public client/native platform) but leaving the front-end SPA app pointing to the old app registrations. Obviously we can’t leave it like that.
How do we properly solve the “Invalid username or password” issue with an SPA app using a custom policy?
[1] The corresponding sign-in log says error 7000218.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Odi Kosmatos ,
Thanks for reaching out and apologies for delay in response.
The reason for error 'Invalid username or password' will :
2.Also, if ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId are not added to the login-NonInteractive technical profile correctly and their value got interchange by mistake.
Even after trying above, you are facing the issue. You can use setup tool https://aka.ms/iefsetup. to automate the process. You need to delete the proxyief and ief application first you created manually.
Also, for B2C applications, you need to select 'Accounts in any identity provider or organizational directory (for authenticating users with user flows) only.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
Hi, thank you for your help. I verified the permissions of ProxyIdentityExperienceFramework, they seem OK. The login-NonInteractive entries are OK. I used the IEFSETUP tool you linked to, and also tried starting over with a new B2C Tenant. The tool reported creating everything succesfully. I switched the app registrations it generated to use 'Accounts in any identity provider', and my custom policy's TrustFrameworkExtensions.xml points to the App registrations generated by the tool. I am still getting the Invalid Username/Password error at the Azure B2C sign-in page.
I did notice that the tool generates references to https://login.microsoftonline.com/<TENANT-NAME>.onmicrosoft.com which seems deprecated for new B2C tenants, and tried using https://<TENANT-NAME>.b2clogin.com/<TENANT-NAME>.onmicrosoft.com, but it didn't help.
Any other ideas?
Hi Odi Kosmatos,
I just tried to setup my new Azure AD B2C tenant with IEFSETUP tool and seems it is working perfectly.
You don't require to switch any applications and upload any xml in your B2C tenant. This tool will
automatically copy and uploaded all the information for you. You just need to provide consent to your application and then can run the policy directly.
I verified the endpoint as well generated correctly for me.
We can connect offline if you have further queries on this.
Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:shweta" to help you further in this.
Thanks,
Shweta
It turns out I did need to have more App Registrations. Two for the IEF and Proxy IEF, and two for our SPA application and it's Web Api back-end. All the issues disappeared with that setup. This configuration was confirmed to be valid by Shweta (offline).