Azure AD B2C guessable password policy not applied to Password Reset user flow

Umar Ali 0 Reputation points

I have an ASP.NET Core web app that uses Azure AD B2C for user authentication.

I'm noticing some strange behaviour with users setting their passwords using the forgotten password feature and the change password feature.

When users go through the in-built forgotten password process (sign in user flow/policy), they are not allowed to enter passwords with guessable words (e.g. Password1)


However when they are logged in and want to change their password, the guessable passwords rule is not applied (this feature was enabled by creating a Password Reset user flow in B2C).

Why is this behaviour not consistent across both processes?

Why does the Password Reset user flow not do the guessable password check?


1 answer

  1. Akshay-MSFT 9,846 Reputation points Microsoft Employee

    @Umar Ali

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for custom banned passwords in the password reset user flow.

    However, we don't have these options in user flows, since Authentication methods > Password protection (banned passwords) is not enabled without an Azure AD subscription.

    Rather you could achieve this with custom policies.

    Kindly follow A B2C IEF Custom Policy - Sign up and Password reset with banned password list for XML.


    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

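The guessable-word check the question describes (why "Password1" is rejected), as an added, simplified illustration that is not code from this thread, from Microsoft's service, or from the linked custom-policy sample: it approximates the documented Azure AD Password Protection approach of normalising the candidate, matching banned words as substrings, and scoring what is left. The banned list, the substitution table and the threshold are assumptions for illustration, and the service's fuzzy (edit-distance) matching is omitted.

```python
# Simplified banned-password check, modelled loosely on the documented
# Azure AD Password Protection algorithm. Everything below is an
# illustration: the real service keeps its own global banned list,
# substitution rules and scoring, and adds fuzzy matching.

# Constructed sample banned list (assumption, not Microsoft's list).
BANNED = ["password", "welcome", "qwerty", "letmein", "contoso"]

# Common character substitutions that are undone during normalisation
# (assumed table; the service documents a similar idea).
SUBST = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "3": "e", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the candidate and reverse common leet substitutions."""
    return pw.lower().translate(SUBST)


def banned_hits(pw: str, banned=BANNED) -> list:
    """Banned words that appear as substrings of the normalised password."""
    n = normalize(pw)
    return [b for b in banned if b in n]


def score(pw: str, banned=BANNED) -> int:
    """Each banned-word match scores 1 point; each remaining character 1 point.

    Longer banned words are removed first so 'passwordpassword' counts as
    two matches rather than one match plus eight loose characters.
    """
    n = normalize(pw)
    points = 0
    for b in sorted(banned, key=len, reverse=True):
        while b in n:
            n = n.replace(b, "", 1)
            points += 1
    return points + len(n)


def is_guessable(pw: str, banned=BANNED, threshold: int = 5) -> bool:
    """True when the candidate would be rejected (score below the threshold).

    The threshold of 5 mirrors the value Microsoft documents for its service;
    treat it as an assumption here.
    """
    return score(pw, banned) < threshold
```

Running `is_guessable("Password1")` returns True because "Password1" normalises to "passwordl", the whole banned word is stripped out, and only one character remains.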