25,129 questions
Azure AD B2C Custom policy for forgot password and TOTP
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 35%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
m b
30
Reputation points
I have the following code for the signing user journey.
<UserJourneys>
<UserJourney Id="CustomSignUpSignIn">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="InvokeSubJourney">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="false">
<Value>isForgotPassword</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<JourneyList>
<Candidate SubJourneyReferenceId="PasswordReset" />
</JourneyList>
</OrchestrationStep>
<!-- Call the TOTP enrollment sub journey. If user already enrolled the sub journey will not ask the user to enroll -->
<OrchestrationStep Order="4" Type="InvokeSubJourney">
<JourneyList>
<Candidate SubJourneyReferenceId="TotpFactor-Input" />
</JourneyList>
</OrchestrationStep>
<!-- Call the TOTP validation sub journey-->
<OrchestrationStep Order="5" Type="InvokeSubJourney">
<JourneyList>
<Candidate SubJourneyReferenceId="TotpFactor-Verify" />
</JourneyList>
</OrchestrationStep>
<!-- This step reads any user attributes that we may not have received when in the token. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
</UserJourneys>
I want to enable MFA TOTP authentication after the user inputs the email and password, but also want to set up the forgot password flow. After inputting the email and password, it is redirecting me to the reset password page instead of showing me the MFA QR code page, somehow the flows seem mixed up. Is there any issue in the order set up in this user journey?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator2023-07-06T08:40:00.92+00:00 @m b Thank you for reaching out to us, let me review the above user journey details and your requirement and will revert back.
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-07-07T08:49:48.15+00:00 @m b Thank you for reaching out to us, As I understand that you are attempting to configure MFA authentication using a custom policy.
It seems like you want to implement MFA after local authentication and also have the option to trigger the forgot password process if necessary, discussed this scenario within my team as well, below is the approach i would suggest.
Currently, based on your user journey, you are invoking the ForgotPasswordExchange technical profile right after local account sign up. This results in the forgot password process being triggered after every sign-in, which is not the desired behavior. To address this, you should remove the "order 2" step from your user journey and invoke the appropriate sub journey based on specific conditions.
In this case, the forgot password process should be integrated into the signup/signin flow and called a sub journey.You can refer this https://github.com/azure-ad-b2c/samples/blob/master/policies/embedded-password-reset/policy/TrustFrameworkExtensions_SSPR.xml
Let me know if you have any further questions, feel free to post back.
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-07-12T04:19:59.5933333+00:00 @m b Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Sign in to comment
Sign in to answer