Azure AD B2C - Forgot password without change email option

Gianfranco Coppola (MSC Sorrento) 45 Reputation points
2023-11-17T15:25:19.1966667+00:00

Hi,
We are using Azure AD B2C as Identity and Management service for our application.

Within Azure AD B2C, we have set up a sign-in user flow to configure the login of the application users according to specific appropriately customized criteria.

This sign-in user flow was configured by enabling self-service password reset, to allow application users to change their password independently.

By doing this, the forgot password function works correctly. However, in this regard, I would like to understand whether it is possible to modify the behavior of the functionality in such a way as to avoid offering users the possibility of modifying their email, given that it is something that would be intercepted only by Azure AD B2C, and not also by actual application logic that uses Azure AD B2C as IAM service.


Is this something that can be set somehow?

Thank you for your feedback.

Microsoft Entra ID

Accepted answer
    Carlos Solís Salazar 17,536 Reputation points MVP
    2023-11-17T20:27:04.0266667+00:00

    In Azure AD B2C, the self-service password reset (SSPR) process is a critical feature for user account management, allowing users to independently reset their passwords. However, by default, this process might also allow users to change their email addresses, which can be a concern if you want to maintain consistent email addresses for your users and ensure that changes are tracked or managed centrally.

    To address this, you have a couple of options:

    1. Custom Policies (Identity Experience Framework): Azure AD B2C's custom policies offer a more flexible and powerful way to customize the user journey, including the password reset experience. You can create a custom policy that defines the password reset process and explicitly excludes the option for users to change their email addresses during this process. This approach requires familiarity with the Identity Experience Framework and involves editing the policy XML files to define the desired user flows.
    2. User Attributes Configuration: In the Azure AD B2C directory, you can configure user attributes and decide which attributes users are allowed to edit. If you do not want users to change their email addresses, you can set the email attribute as non-editable. This approach may have limitations if you're using built-in user flows, as it may not fully restrict email changes during the password reset process.
    3. Application Logic: Another approach is to handle this restriction at the application level. Your application can enforce business logic to ensure that the user's email address remains consistent with your records, even if Azure AD B2C allows an email change during the SSPR process.

    It's important to note that while Azure AD B2C provides flexibility in managing user authentication and attributes, some customizations might require advanced configurations or custom development. For detailed guidance on implementing these solutions, you can refer to the Azure AD B2C documentation on Custom Policies and User Attributes.

    Accept the answer if the information helped you. This will help us and others in the community as well.
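Option 3 in the answer above, as an added example that is not part of the question or the answer: an application-side check that the email in a B2C token still matches the application's own record, so an email change seen only by B2C is detected rather than silently adopted. It assumes the token was already signature-validated by the app's auth library, that the app keys its user store by the B2C `oid` claim, and that B2C emits the email as the `emails` array claim or the scalar `email` claim.

```python
# Added example, not code from the question or the answer. Assumptions: the token has
# already been validated by the app's auth library; the app keys its user store by the
# B2C "oid" claim; the email arrives as the "emails" array or the scalar "email" claim.

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    status: str                 # "ok" | "email_changed" | "unknown_user" | "no_email_claim"
    oid: str
    token_email: Optional[str]
    stored_email: Optional[str]

def normalize(addr: Optional[str]) -> Optional[str]:
    """Lowercase and trim so 'Alice@Example.com ' matches 'alice@example.com'."""
    return addr.strip().lower() if isinstance(addr, str) and addr.strip() else None

def email_from_claims(claims: dict) -> Optional[str]:
    """B2C built-in flows emit 'emails' (a list); custom policies often emit 'email'."""
    emails = claims.get("emails")
    if isinstance(emails, list) and emails:
        return normalize(emails[0])
    return normalize(claims.get("email"))

def reconcile_email(claims: dict, user_store: dict) -> Decision:
    """Compare the token's email with the app's record; never update the record here."""
    oid = claims.get("oid", "")
    token_email = email_from_claims(claims)
    record = user_store.get(oid)
    if record is None:
        return Decision("unknown_user", oid, token_email, None)
    stored = normalize(record.get("email"))
    if token_email is None:
        return Decision("no_email_claim", oid, None, stored)
    if token_email != stored:
        # The app, not B2C, decides whether this change is legitimate (e.g. re-verify it).
        return Decision("email_changed", oid, token_email, stored)
    return Decision("ok", oid, token_email, stored)

# Constructed sample data: the app's record vs. a token whose email no longer matches.
USER_STORE = {"11111111-aaaa-bbbb-cccc-222222222222": {"email": "alice@example.com"}}
TOKEN_CLAIMS = {"oid": "11111111-aaaa-bbbb-cccc-222222222222",
                "emails": ["Alice.New@example.com"]}

if __name__ == "__main__":
    print(reconcile_email(TOKEN_CLAIMS, USER_STORE))
```

On an `email_changed` result the application should keep its stored address and route the user through its own re-verification instead of overwriting the record from the token.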
