Password Expiration Policy for Azure AD B2C

DiStRuCtOr 20 Reputation points
2023-03-22T10:04:53.2566667+00:00

Hi, I was implementing the password expiration logic for Azure AD B2C custom policies flows.

I read the official documentation and followed the steps to define the password expiration threshold and introduced the logic in the custom policies:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-custom-policy#force-a-password-reset-after-90-days

But the problem is that the "DisableStrongPassword" attribute is always replaced when a user resets their password or in subsequent flows.

That attribute is also mandatory and required to be "true" so that the policies that try to force its value are rejected when uploaded.

Am I missing something? How is it possible that an official documentation solution has such a misbehaviour?

Thanks.
Fil


Accepted answer
  1. Akshay-MSFT 17,871 Reputation points Microsoft Employee
    2023-03-27T14:26:02.8633333+00:00

    @DiStRuCtOr

    Thank you for posting your query on Microsoft Q&A. As per password reset after 90 days:

    After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration


    However, on testing I realized that it's not just DisablePasswordExpiration but also DisableStrongPassword which is applied back after running a single password reset.

    PFB results from my testing:

    Output of query https://graph.microsoft.com/v1.0/users/9b53b3b6-f269-46cb-90c6-xxxxxxxxx?$select=passwordProfile,passwordPolicies

    We need to have the documentation updated to:

    After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration and DisableStrongPassword

    Let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion elaborates the behavior. This will help us and others in the community as well.
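The behaviour described in the accepted answer (passwordPolicies reverting to DisablePasswordExpiration and DisableStrongPassword after a reset) means an audit cannot rely on that attribute alone to know whether a user's password is past the 90-day threshold. The following script is an added example, not code from the question, the answer, or Microsoft's documentation. It evaluates password age from lastPasswordChangeDateTime, the same attribute the documented custom-policy approach compares against a threshold, and reports the passwordPolicies flags separately so a reverted value is visible. The user objects are a constructed sample shaped like the Graph `$select` output shown in the answer (ids and timestamps are placeholders, not real tenant data), and the helper names are this example's own.

```python
"""Audit Azure AD B2C users for password age and reverted passwordPolicies flags."""
import json
from datetime import datetime, timedelta, timezone

# Threshold from the documentation the question links to (force reset after 90 days).
PASSWORD_EXPIRY_DAYS = 90

# Fixed evaluation time (the question's timestamp) so results are reproducible.
NOW_EXAMPLE = datetime(2023, 3, 22, 10, 4, 53, tzinfo=timezone.utc)

# Constructed sample of what a Graph query such as
# GET /v1.0/users/{id}?$select=passwordPolicies,lastPasswordChangeDateTime,passwordProfile
# returns. Ids, dates and flags are made up for this example, not taken from a tenant.
SAMPLE_USERS_JSON = """
[
  {"id": "user-a-placeholder",
   "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
   "lastPasswordChangeDateTime": "2022-12-01T10:00:00Z",
   "passwordProfile": {"forceChangePasswordNextSignIn": false}},
  {"id": "user-b-placeholder",
   "passwordPolicies": "DisableStrongPassword",
   "lastPasswordChangeDateTime": "2023-03-01T00:00:00Z",
   "passwordProfile": {"forceChangePasswordNextSignIn": false}},
  {"id": "user-c-placeholder",
   "passwordPolicies": null,
   "lastPasswordChangeDateTime": null,
   "passwordProfile": null}
]
"""


def parse_password_policies(value):
    """Split Graph's comma-separated passwordPolicies string into a set of flags."""
    if not value:
        return set()
    return {flag.strip() for flag in value.split(",") if flag.strip()}


def parse_graph_datetime(value):
    """Parse a Graph UTC timestamp ending in 'Z' into an aware datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_expiry_state(user, now, expiry_days=PASSWORD_EXPIRY_DAYS):
    """Describe one user's password-age state without trusting passwordPolicies.

    Expiry is decided from lastPasswordChangeDateTime against the threshold;
    the policy flags are only reported, because they revert after a reset.
    """
    policies = parse_password_policies(user.get("passwordPolicies"))
    last_change = parse_graph_datetime(user.get("lastPasswordChangeDateTime"))
    profile = user.get("passwordProfile") or {}
    state = {
        "id": user.get("id"),
        "expiration_disabled_flag": "DisablePasswordExpiration" in policies,
        "strong_password_disabled_flag": "DisableStrongPassword" in policies,
        "force_change_next_sign_in": bool(profile.get("forceChangePasswordNextSignIn")),
        "password_age_unknown": last_change is None,
        "days_since_change": None,
        "expired_by_threshold": False,
    }
    if last_change is not None:
        age = now - last_change
        state["days_since_change"] = age.days
        state["expired_by_threshold"] = age > timedelta(days=expiry_days)
    return state


def audit_users(users_json, now, expiry_days=PASSWORD_EXPIRY_DAYS):
    """Evaluate every user object in a JSON array of Graph user records."""
    return [password_expiry_state(u, now, expiry_days) for u in json.loads(users_json)]


def users_needing_reset(users_json, now, expiry_days=PASSWORD_EXPIRY_DAYS):
    """Ids of users whose password is older than the threshold."""
    return [s["id"] for s in audit_users(users_json, now, expiry_days)
            if s["expired_by_threshold"]]


if __name__ == "__main__":
    for state in audit_users(SAMPLE_USERS_JSON, NOW_EXAMPLE):
        print(state)
    print("needs reset:", users_needing_reset(SAMPLE_USERS_JSON, NOW_EXAMPLE))
```

In the sample, user-a carries both reverted flags yet is 111 days past its last change, so it is flagged for reset purely on age; user-c has no lastPasswordChangeDateTime at all and is reported as unknown rather than silently treated as current, which is the case an audit of a B2C tenant most often trips over.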


0 additional answers
