Azure B2C Custom Policy Reset Password Function fails with AADB2C90118: The user has forgotten their password

Johnson, Mark IT 5 Reputation points
2023-09-15T18:53:27.3333333+00:00

I'm implementing B2C using Custom Policies and following a "Seamless Migration" strategy. SignIn/SignUp policies are working as designed, but the Forgot Password process fails with "AADB2C90118: The user has forgotten their password".

My understanding is that in the current version of the software this flow is defined within the SignIn/SignUp policies and should not need any additional policy. When I try to upload the PasswordReset policy defined in the above link, it complains about a missing persisted claim for UPN.

Seems like I'm missing something else.

The URL seems OK: /api/CombinedSigninAndSignup/forgotPassword

UserJourney here:

<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <!-- Step 1: identify the local account by verified email address -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: collect and write the new password for the discovered objectId -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: custom REST call that adds claims to the token -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="REST-EnrichToken" TechnicalProfileReferenceId="REST-EnrichToken"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 4: issue the token -->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb"/>
</UserJourney>

The other thing I found interesting is that the User Flow I first configured comes up with this URL instead:

api/CombinedSigninAndSignup/unified?claimsexchange=ForgotPassword


1 answer

  1. Daniel Krzyczkowski 461 Reputation points MVP
    2023-09-16T05:41:35.87+00:00

    Hi @Johnson, Mark IT

    The error you receive is the standard error returned by Azure AD B2C when the user clicks the "forgot password" link.
    This is the legacy approach, as you can read here:

    If the self-service password reset experience isn't enabled, selecting this link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application must handle this error code by reinitializing the authentication library to authenticate an Azure AD B2C password reset user flow.

    The recommended way to handle password reset is to use Self-service password reset, you can read more here:

    The new password reset experience is now part of the sign-up or sign-in policy. When the user selects the Forgot your password? link, they are immediately sent to the Forgot Password experience. Your application no longer needs to handle the AADB2C90118 error code, and you don't need a separate policy for password reset.

    You can use the above approach to handle password reset directly from the current set of policies, without needing an additional password reset policy.

    Please let me know if you have any questions and if this helped.
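As an added example, not part of the original question or answer, the following Python shows the relying-party side of the legacy approach the answer quotes: when the sign-up/sign-in policy redirects back with AADB2C90118, the application starts a fresh authorize request against a dedicated password-reset policy instead of treating the response as a failed login. The tenant name, client ID, redirect URI, policy IDs, the in-memory state store and the sample callback query are all assumptions constructed for the example; only the error code AADB2C90118 comes from the page.

```python
"""Legacy AADB2C90118 handling on the relying-party (application) side.

Added example, not code from the original post. Assumed values: tenant
"contoso", the client ID, redirect URI and policy IDs below, and an
in-memory set of issued OAuth 'state' values standing in for a real session store.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, parse_qs

TENANT = "contoso"                                        # assumed tenant name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"        # assumed app registration
REDIRECT_URI = "https://app.example.com/auth/callback"    # assumed redirect URI
SIGNIN_POLICY = "B2C_1A_signup_signin"                    # assumed policy ID
RESET_POLICY = "B2C_1A_PasswordReset"                     # assumed policy ID

FORGOT_PASSWORD_CODE = "AADB2C90118"  # error code quoted in the answer above


def authorize_url(policy: str, state: str, nonce: str) -> str:
    """Build an authorization-code request against a specific B2C policy.

    The policy is part of the path, so switching from the sign-in policy to the
    password-reset policy is just a different authorize URL with a fresh state.
    """
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    query = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
    }
    return f"{base}?{urlencode(query)}"


@dataclass
class CallbackResult:
    action: str      # "code", "password_reset", "error" or "reject"
    detail: str = ""  # auth code, redirect URL, or error code


def handle_callback(query: str, issued_states: set) -> CallbackResult:
    """Classify the query string B2C sent to the redirect URI.

    The state check runs before the error branch on purpose: an attacker can
    craft a link to the callback carrying AADB2C90118, and without binding the
    response to a request this app actually issued the victim would be bounced
    into an attacker-chosen flow.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    state = params.get("state", "")
    if state not in issued_states:
        return CallbackResult("reject", "unknown or replayed state")
    issued_states.discard(state)  # one-time use

    if "code" in params:
        return CallbackResult("code", params["code"])

    description = params.get("error_description", "")
    if params.get("error") == "access_denied" and description.startswith(FORGOT_PASSWORD_CODE):
        # Legacy path: re-enter the authorization flow with the reset policy.
        # The target policy is a fixed constant, never taken from the request.
        new_state = secrets.token_urlsafe(16)
        issued_states.add(new_state)
        nonce = secrets.token_urlsafe(16)
        return CallbackResult("password_reset", authorize_url(RESET_POLICY, new_state, nonce))

    # Any other error (user cancelled, policy error) stays an error for the app.
    return CallbackResult("error", params.get("error", "unknown_error"))


# Constructed sample of what B2C sends back when the user clicks "Forgot your
# password?" under the legacy behaviour (state "s1" was issued by this app).
SAMPLE_FORGOT_CALLBACK = urlencode({
    "state": "s1",
    "error": "access_denied",
    "error_description": "AADB2C90118: The user has forgotten their password.",
})

if __name__ == "__main__":
    states = {"s1"}
    result = handle_callback(SAMPLE_FORGOT_CALLBACK, states)
    print(result.action)
    print(result.detail)
```

With the newer self-service experience the answer recommends, the sign-up/sign-in policy handles the reset itself and this branch is never taken, but the state check on the callback is worth keeping in either case.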