Unable to update user password in Azure AD B2C while using seamless migration policy

CHAUDHARI, SAMEER 0 Reputation points
2023-05-24T08:17:07.64+00:00

I am performing User Migration from Legacy IDP to Azure B2C. I have already migrated all users to Azure AD B2C with dummy passwords. Now I am running the seamless migration policy, which invokes a REST API that checks the credentials with the Legacy IDP, and it is returning success. After tokenSuccess is returned, the policy is unable to update the new password.

I am also unable to update the password of the user with an API like:
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-1.0&tabs=http

Please let me know how I can update the password of the user either through an API or through policy without asking the user to reset their password.


1 answer

  1. Anonymous
    2023-05-29T06:28:34.5666667+00:00

    Hello CHAUDHARI, SAMEER,

    Thanks for reaching out!

    When performing user migration from a legacy IDP to Azure AD B2C, you may encounter challenges when updating the passwords of users. Here are a few suggestions on how to update the password either through an API or through a policy without requiring the user to reset their password:

    1. Update password through the Microsoft Graph API: The endpoint you mentioned (authenticationmethod-resetpassword) is not applicable for Azure AD B2C. Instead, you can use the Azure AD Graph API's setPassword endpoint to update the user's password. Here's an example request:
    PATCH /beta/users/{user_id}
    Content-Type: application/json
    
    {
      "passwordProfile": {
        "password": "<new_password>",
        "forceChangePasswordNextSignIn": false
      }
    }
    
    

    Replace {user_id} with the appropriate user identifier and <new_password> with the desired password. Make sure to authenticate the API call with appropriate credentials and permissions.

    2. Update password through custom policy in Azure AD B2C: In your custom policy, you can include a step to update the user's password after the successful token validation from the legacy IDP. You can use the AAD-UserWritePasswordUsingObjectId technical profile to achieve this. Here's an example:
    <!-- Order must place this step after the REST step that sets tokenSuccess.
         ExecuteActionsIf="false" means the skip action fires when tokenSuccess
         does NOT equal "true", so the write only runs after a validated login. -->
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>tokenSuccess</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- Persists the password claim this technical profile is configured to
             write, for the user identified by the objectId claim -->
        <ClaimsExchange Id="UpdatePassword" TechnicalProfileReferenceId="AAD-UserWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    
    

    This step should be added after the token validation step and before the final redirect or token issuance step in your user journey.

    3. Remember to customize the technical profile AAD-UserWritePasswordUsingObjectId to suit your specific requirements, such as specifying the desired password value and any additional constraints.

    By utilizing either the Microsoft Graph API or a custom policy, you can update the user's password without requiring them to reset it manually. Choose the approach that best aligns with your implementation and make sure to handle any error scenarios appropriately.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

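As an added example (not code from the question or the answer above), a small Python helper that issues the passwordProfile PATCH described in the answer and reports only the Graph error code on failure, so the password never ends up in logs. It assumes the v1.0 users endpoint (the answer shows /beta), an access token obtained separately, and a caller that already holds the privilege to set user passwords; the `send` parameter is a constructed hook so the logic can be exercised offline.

```python
import json
import urllib.error
import urllib.request

# Assumption: the v1.0 users endpoint; the answer above shows the /beta path.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_password_update(user_id, new_password, force_change=False):
    """Return (url, body) for PATCH /users/{id} carrying a passwordProfile."""
    if not user_id or not new_password:
        raise ValueError("user_id and new_password must be non-empty")
    # force_change=False is what lets the migrated password work immediately
    # instead of prompting the user to reset it at the next sign-in.
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextSignIn": force_change}}
    return "%s/users/%s" % (GRAPH_BASE, user_id), body


def _http_send(req):
    """Real transport: return (status, body_text) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def graph_error_code(text):
    """Pull error.code out of a Graph error body, or 'unknown' if absent."""
    try:
        return json.loads(text).get("error", {}).get("code", "unknown")
    except (ValueError, AttributeError):
        return "unknown"


def set_password(access_token, user_id, new_password, send=_http_send):
    """PATCH the user's passwordProfile; return (ok, graph_error_code_or_None).
    Graph answers 204 No Content on success; only the error code is surfaced,
    so callers never log or echo the password itself."""
    url, body = build_password_update(user_id, new_password)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PATCH",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})
    status, text = send(req)
    if status == 204:
        return True, None
    return False, graph_error_code(text)
```

A 403 with code Authorization_RequestDenied is the usual sign that the calling app or account lacks the privilege to set passwords, which is worth checking before suspecting the policy itself.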
