Azure AD B2C guessable password policy not applied to Password Reset user flow

Umar Ali 0 Reputation points
2023-09-07T12:12:42.61+00:00

I have an ASP.NET Core web app that uses Azure AD B2C for user authentication.

I'm noticing some strange behaviour with users setting their passwords using the forgotten password feature and the change password feature.

When users go through the in-built forgotten password process (sign in user flow/policy), they are not allowed to enter passwords with guessable words (e.g. Password1).


However, when they are logged in and want to change their password, the guessable passwords rule is not applied (this feature was enabled by creating a Password Reset user flow in B2C).

Why is this behaviour not consistent across both processes?

Why does the Password Reset user flow not do the guessable password check?


1 answer

  1. Akshay-MSFT 17,771 Reputation points Microsoft Employee
    2023-09-08T10:47:29.09+00:00

    @Umar Ali

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for custom banned passwords in the password reset user flow.

    However, we don't have these options in user flows, since Authentication methods > Password protection banned password is not enabled without an Azure AD subscription.

    Rather, you could achieve this with custom policies.

    Kindly follow A B2C IEF Custom Policy - Sign up and Password reset with banned password list for XML.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
