Password Expiration Policy for Azure AD B2C

Question

Password Expiration Policy for Azure AD B2C

DiStRuCtOr 20

Hi, I was implementing the password expiration logic for Azure AD B2C custom policies flows.

I read the official documentation and followed the steps to define the password expiration threshold and introduced the logics in the custom policies:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-custom-policy#force-a-password-reset-after-90-days

But the problem is that the "DisableStrongPassword" attribute is always replaced when a user reset its password or in subsequents flows.

That attribute is also mandatory and required to be "true" so that the policies that try to force its value are rejected when uploaded.

Am I missing something? how is it possible that an official documentation solution ha such a misbehaviour?

Thanks.
Fil

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Akshay-MSFT 18,026 Microsoft Employee Moderator

@DiStRuCtOr

Thank you for posting your query on Microsoft Q&A, As per password reset after 90 days

After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration

User's image

However on testing I realized that its not just DisablePasswordExpiration but also DisableStrongPassword which is applied back after running single password reset.

PFB results from my testing:

User's image

Output of query Output of query https://graph.microsoft.com/v1.0/users/9b53b3b6-f269-46cb-90c6-xxxxxxxxx?$select=passwordProfile,passwordPolicies

User's image

We need to have the documentation updated to:

After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration and DisableStrongPassword

Let me know if you have any further queries.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion elaborate the behavior. This will help us and others in the community as well.

DiStRuCtOr 20 Reputation points

2023-03-28T16:07:25.08+00:00

hi @Akshay-MSFT , thanks for your reply.
So, in the end, there is no managed way to handle this scenario. It only works once.

I believe the best way is to rely on some extension attribute and REST-Api to check for last password change and force the user to reset.

BR

Fil
Akshay-MSFT 18,026 Reputation points Microsoft Employee Moderator

2023-03-29T04:53:09.8333333+00:00

@DiStRuCtOr

Yes, for Azure AD B2C local accounts there is no password expiration policy sticking to the users..

The password expiry duration default value is 90 days. The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure.

I would recommend to share your idea on our Feedback portal as here it would be monitored by our product group.

Also If you feel my answer above did help you in shedding light on the behavior, kindly "Accept the answer" and share your feedback. This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Miftaul Mannan 0 Reputation points

2023-10-22T10:55:49.8833333+00:00

@Akshay-MSFT does Set-MsolPasswordPolicy work for Azure AD B2C local accounts? I set the ValidityPeriod to 1 for testing and it did not expire my password.

Share via

Password Expiration Policy for Azure AD B2C

0 additional answers

Your answer