AD B2C Reset Password - OTP Always sent

Van Eycken Steven 0 Reputation points
2023-03-22T15:02:54.2033333+00:00

I noticed some strange behavior which does not make sense to me and I'm not sure if it's part of misconfiguration on my end.

When using the Password Reset flow (using the built-in flow, both as a dedicated flow or when doing the password reset using the link on the Signin-flow), the verification code is always sent to the provided email address, regardless of whether the user is known in the system or not.

The provided email address is only validated after the user has validated the code sent via email. Does it not make more sense to not send a verification code when the email address is not known in AD B2C? Or did I forget to configure something?

Microsoft Entra External ID

1 answer

  1. James Hamil 24,311 Reputation points Microsoft Employee
    2023-03-22T20:20:12.36+00:00

    Hi @Van Eycken Steven, this is expected behavior! Do you ever get emails with OTPs that you didn't request, and they say to ignore them if you didn't request them? It's the same concept here. That way bad actors can't determine if a certain user exists in the system. Please let me know if you have any questions!

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

    James

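The pattern the answer describes (issue a code for every submitted address, keep the response identical, and consult the directory only after the code has been proven), as an added example written for this page and not Azure AD B2C's own code; the in-memory user store, the six-digit code format and the response strings are constructed assumptions:

```python
"""Enumeration-resistant password-reset request: the server behaves the same
whether or not the address belongs to an account, so the request step leaks
nothing. Account existence is only revealed after the mailbox is proven."""
import hashlib
import hmac
import secrets
import time

# Constructed sample directory (not real accounts).
USERS = {"alice@example.com": {"name": "Alice"}}

# Pending codes keyed by address: (sha256 of code, expiry). An entry is created
# for unknown addresses too, so storage and timing side effects stay uniform.
PENDING: dict[str, tuple[str, float]] = {}
CODE_TTL_SECONDS = 600
# Stand-in for the mailer: (address, code) pairs that were "sent".
OUTBOX: list[tuple[str, str]] = []


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def request_reset(email: str) -> str:
    """Step 1: always issue and send a code; the reply never varies."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email.lower()] = (_hash(code), time.time() + CODE_TTL_SECONDS)
    OUTBOX.append((email, code))  # a real system hands this to the mailer
    return "If an account exists for this address, a verification code was sent."


def verify_code(email: str, code: str) -> str:
    """Step 2: check the code first; only then look the account up."""
    # Single-use: any attempt consumes the entry, which also bounds guessing.
    entry = PENDING.pop(email.lower(), None)
    if entry is None or time.time() > entry[1]:
        return "invalid_or_expired_code"
    if not hmac.compare_digest(entry[0], _hash(code)):
        return "invalid_or_expired_code"
    # Only the mailbox owner can reach this point, so revealing whether an
    # account exists no longer enables enumeration by outsiders.
    if email.lower() in USERS:
        return "proceed_to_new_password"
    return "no_account_for_address"
```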
