Why does my Azure AD B2C forget password user flow executes verification step twice?

Jason Susanto 0

Hi All,

Does anyone know why does my Azure AD B2C forget password process within the login user flow executes the Email MFA verification step twice? The first it executes the MFA verification for the forget password flow, and the next it jumps back into the sign in MFA verification and once the user has done the MFA verification twice, it then allows the user to change and reset their password. Is there a way to fix this without using custom policy?

Thanks for the help!

James Hamil 23,216 Reputation points Microsoft Employee

2023-11-07T20:33:09.08+00:00

Hi @Jason Susanto , I posted a follow up to your latest response. Please let me know if you still need assistance.

If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?

Thank you,

James

1 answer

James Hamil 23,216 Reputation points Microsoft Employee

2023-10-09T15:25:42.2966667+00:00
Hi @Jason Susanto , In general, the Azure AD B2C forget password user flow executes the Email MFA verification step to ensure that the user who is resetting the password is the same user who owns the email address associated with the account. If the user has already completed the MFA verification for the sign-in process, it should not prompt the user to do it again during the forget password process.

To troubleshoot the issue, please check the following:

Verify that the user flow is configured correctly and that the MFA verification step is only included once in the user flow.

Check if there are any conflicting policies or settings that may be causing the issue.

Ensure that the user is not using different email addresses for sign-in and forget password process.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James
Please sign in to rate this answer.
Jason Susanto 0 Reputation points

2023-10-09T22:32:41.5333333+00:00

Hi James,

Thanks for your reply. I agree with the MFA verification acting as a safe guard step to ensure that the user who is resetting the password is the same user who owns the email address associated with the account. However, in my scenario, as the user lands on the login page (Azure B2C sign in flow) of my web app, there is a link for Forgot password. And as the user clicks on this, they would then be directed to the following MFA page (first MFA page within the forgot password flow). And as they verify the code they received from their emails, and click Verify code, they are then prompted to redo the MFA verification process again via the sign in flow MFA process (The first MFA verification happens through the Forgot password page, then the second through the Sign in page, and all these happen from the same login user flow).

This is the sign in page where there is a forgot your password? link

And below is the MFA verification step that occurs twice, once from the forgot your password and the other from the sign in process:

Thanks for your help,

Jason

James Hamil 23,216 Reputation points Microsoft Employee

2023-10-11T14:34:45.72+00:00

Hi @Jason Susanto , try disabling the MFA enforcement on the Password Reset flow.

Let me know if that works!

Best,

James

Jason Susanto 0 Reputation points

2023-10-12T05:29:30.22+00:00

Hi James,

Thanks for getting back to me!

I don't think I am able to disable the MFA enforcement as I only have one flow which is of Type: Sign in and I would like to have MFA implemented as users sign into my web application. I was just wondering; do you think it could either be because I am using custom HTML pages for the page layouts? I have also disabled the JavaScript enforcing page layout option. As I am utilizing custom page content as well, I have set the page layout versions to the most updated one.

Cheers,
Jason

James Hamil 23,216 Reputation points Microsoft Employee

2023-10-20T02:07:39.98+00:00

Hi @Jason Susanto , disabling the MFA enforcement as shown will prevent it from showing twice. It should still appear once. Please try and let me know if that helps. Custom HTML shouldn't affect anything!

Jason Susanto 0 Reputation points

2023-10-24T22:12:51.0266667+00:00

Hi James,

Thanks for getting back to me again. I have tried the following operation by setting the MFA enforcement to 'off'. This fixes the forget password flow within the sign in user flow (i.e. MFA only happens once). However, once I have set the MFA enforcement to 'off', the user is no longer required to do MFA when they are signing in. Is there a way to retain the sign in MFA process but allow the forget password flow to only have one MFA process?

Cheers,

Jason

James Hamil 23,216 Reputation points Microsoft Employee

2023-11-07T20:32:17.5033333+00:00

Hi @Jason Susanto , sorry for the delayed in response. Try configuring the MFA enforcement to "Conditional" instead of "Off".

When you set the MFA enforcement to "Conditional", MFA is enforced only when an active Conditional Access policy evaluation requires it. During sign-in, if the result is an MFA challenge with no risk, MFA is enforced. If the user isn't already enrolled in MFA, they're prompted to enroll. If the result is an MFA challenge due to risk and the user is not enrolled in MFA, sign-in is blocked.

This way, the user will still be required to do MFA during sign-in if an active Conditional Access policy evaluation requires it, but the forget password flow will only have one MFA process.

If this is still giving you issues you can create a custom user journey in Azure AD B2C. You can connect the "Forgot your password?" link to the Forgot Password sub journey by adding a ClaimsProviderSelection element in the CombinedSignInAndSignUp step of your custom user journey.

Here's a summary of the steps to achieve this:

Duplicate an existing sign-up or sign-in user journey or modify your own custom user journey.

Connect the "Forgot your password?" link to the Forgot Password sub journey by adding a ClaimsProviderSelection element.

Add a ClaimsExchange element for the Forgot Password sub journey.

Add an orchestration step to invoke the password reset sub journey based on the isForgotPassword claim.

Update the DefaultUserJourney ReferenceId in the Relying Party section to match the ID of the user journey you modified.

If this still isn't working I can help you over email to expedite this. Send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID.

Best,

James
Sign in to comment

Share via

Why does my Azure AD B2C forget password user flow executes verification step twice?

1 answer