Password Expiration Policy for Azure AD B2C

Question

Hi, I was implementing the password expiration logic for Azure AD B2C custom policies flows.

I read the official documentation and followed the steps to define the password expiration threshold and introduced the logics in the custom policies:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-custom-policy#force-a-password-reset-after-90-days

But the problem is that the "DisableStrongPassword" attribute is always replaced when a user reset its password or in subsequents flows.

That attribute is also mandatory and required to be "true" so that the policies that try to force its value are rejected when uploaded.

Am I missing something? how is it possible that an official documentation solution ha such a misbehaviour?

Thanks.
Fil

Answer 1

@DiStRuCtOr

Thank you for posting your query on Microsoft Q&A, As per password reset after 90 days

After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration

However on testing I realized that its not just DisablePasswordExpiration but also DisableStrongPassword which is applied back after running single password reset.

PFB results from my testing:

Output of query Output of query https://graph.microsoft.com/v1.0/users/9b53b3b6-f269-46cb-90c6-xxxxxxxxx?$select=passwordProfile,passwordPolicies

We need to have the documentation updated to:

After the user resets their password, the passwordPolicies will be changed back to DisablePasswordExpiration and DisableStrongPassword

Let me know if you have any further queries.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion elaborate the behavior. This will help us and others in the community as well.