Azure AD B2C - Administrator changes the password, user not able to login to application

Sakthi 121 Reputation points
2023-05-05T08:00:23.3733333+00:00

We are using custom policies to log in to our application. Now we have a scenario where the admin resets passwords for users using the Azure AD B2C blade.

But the user is not able to log in to the application when trying to use the temporary password, and they get a "The password has expired" error message.

I have seen this answer already - https://learn.microsoft.com/en-us/answers/questions/149679/how-to-have-administrator-reset-password-for-adb2c

But that was answered in 2020, so I would like to know the following details related to the same issue:

  1. I understand that forceChangePasswordNextSignIn will be set to true when the admin resets the password. Can we read this forceChangePasswordNextSignIn attribute using a custom policy within the UserJourney?
  2. We get an exception in the login-NonInteractive validation technical profile. Is there any way to track and handle the exception within the custom policy?

We get an exception as shown below:

     "Exception": {
        "Kind": "Handled",
        "HResult": "80131500",
        "Message": "The password has expired.",
        "Data": {
          "IsPolicySpecificError": false
        }

If we can read this exception in a custom policy user journey step, then based on the message we can redirect the user to the change password flow.

Can you please suggest/guide on this? Thanks.

Microsoft Entra External ID

1 answer

  1. 2023-06-02T04:20:54.9666667+00:00

    Hello @Sakthi, thanks for your questions. Here are my answers:

    1. I understand that forceChangePasswordNextSignIn will be set to true when the admin resets the password. Can we read this forceChangePasswordNextSignIn attribute using a custom policy within the UserJourney?
      Yes, it can; just add an OutputClaim element in the proper technical profile, e.g. AAD-UserReadUsingAlternativeSecurityId for social logins.
    2. We get an exception in the login-NonInteractive validation technical profile. Is there any way to track and handle the exception within the custom policy?
      Yes, just intercept the AJAX request and inspect the response JSON payload. Look for errorCode AADB2C90263 and status 400 and act accordingly. Here is a basic sample:
    // jQuery fires the global ajaxSuccess event for every completed request
    // on the page, including the self-asserted POST that B2C uses for sign-in.
    $(document).on("ajaxSuccess", function (event, xhr, settings, data) {
      // Guard against non-JSON responses, where jQuery passes no parsed data.
      const { status, errorCode } = data || {};
      // B2C serialises status as a string; AADB2C90263 is the expired-password code.
      if (status === "400" && errorCode === "AADB2C90263") {
        // TODO: do something, e.g. send the user to the change-password journey
      }
    });


    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

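An added, runnable elaboration of the interception approach in the answer above; it is not the answerer's code or Microsoft's. It separates the payload check from the jQuery wiring so the check can be exercised on its own, tolerates the raw-string and missing-payload cases that make a bare destructuring throw, fires the hand-off only once, and builds the change-password URL by appending the B2C `p` policy parameter. The callback name, the `APP_AUTHORIZE_URL` placeholder and the `B2C_1A_PasswordChange` policy id are assumptions; the payloads in the comments are constructed.

```javascript
// Added example, not from the original answer. Detects the expired-password
// response that Azure AD B2C returns after an admin password reset and hands
// the user to a password-change journey. Error code taken from the answer.
const B2C_PASSWORD_EXPIRED = "AADB2C90263";

// Placeholder (assumption): the authorize URL the application used to start
// sign-in; the app must supply its real tenant, client_id and redirect_uri.
const APP_AUTHORIZE_URL =
  "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/oauth2/v2.0/authorize?client_id=CLIENT_ID";

// jQuery may deliver a parsed object or a raw JSON string depending on the
// response content type; normalise both to an object, or null if unusable.
function parsePayload(data) {
  if (data == null) return null;
  if (typeof data === "string") {
    try {
      return JSON.parse(data);
    } catch (err) {
      return null; // not JSON (e.g. an HTML fragment): nothing to inspect
    }
  }
  return typeof data === "object" ? data : null;
}

// True only for the specific expired-password error. Other 400s (wrong
// password, lockout) are deliberately left to B2C's own error rendering.
function isPasswordExpired(data) {
  const body = parsePayload(data);
  if (!body) return false;
  // B2C serialises status as the string "400"; tolerate a number as well.
  return String(body.status) === "400" && body.errorCode === B2C_PASSWORD_EXPIRED;
}

// Builds the ajaxSuccess handler. onExpired (hypothetical callback) receives
// the parsed body and is expected to start the password-change flow.
// Returns true when it handled the event, so the logic is testable.
function makeExpiredPasswordHandler(onExpired) {
  let handled = false; // hand off at most once per page load
  return function (event, xhr, settings, data) {
    if (handled || !isPasswordExpired(data)) return false;
    handled = true;
    onExpired(parsePayload(data));
    return true;
  };
}

// B2C selects the policy to run from the `p` query parameter of the
// authorize request; swap in the password-change policy id.
function changePasswordUrl(authorizeUrl, policyId) {
  const url = new URL(authorizeUrl);
  url.searchParams.set("p", policyId);
  return url.toString();
}

// Wire the handler only when running inside a B2C page that loaded jQuery.
if (typeof $ === "function" && typeof document !== "undefined") {
  $(document).on(
    "ajaxSuccess",
    makeExpiredPasswordHandler(function () {
      window.location.assign(changePasswordUrl(APP_AUTHORIZE_URL, "B2C_1A_PasswordChange"));
    })
  );
}
```

Because the check matches on the exact error code rather than on any 400, a mistyped password keeps B2C's normal inline error instead of bouncing the user into a different journey; the once-only latch avoids a redirect loop if B2C retries the request.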