Azure B2C password reset policy bypassing MFA if enabled

Anonymous
2023-12-20T17:58:41.4833333+00:00

Hi,

I have implemented a password reset policy. However, after the password reset flow is completed, it automatically logs in the user. If the user has MFA enabled, it skips the MFA. Is this default behavior? I want the policy to not bypass MFA after the password reset is complete and before it logs in the user. Is it possible?


2 answers

  1. Crystal Lee Morgan 380 Reputation points
    2023-12-20T18:13:44.5466667+00:00

    Hello @Anonymous ,

    It seems that you have implemented a password reset policy in Azure B2C, but after the password reset flow is completed, it auto logs in the user. If the user has MFA enabled, it skips the MFA <sup>12</sup>. You want the policy to not bypass MFA after the password reset is complete and before it logs in the user <sup>2</sup>.

    The default behavior of the password reset flow using SignUp-SignIn policies is that it will enter the email and password and confirm the new password <sup>2</sup>. If you have MFA enabled, this is the default behavior and a known issue <sup>2</sup>. However, you can try disabling the MFA enforcement on the Password reset user flow in your Azure AD B2C directory <sup>3</sup>.

    If you want to enforce MFA after the password reset is complete, you can try adding a new step to the user flow that requires MFA authentication before logging in the user <sup>2</sup>. You can also try configuring the self-service password reset experience for the Sign in (Recommended) or Sign up and sign in (Recommended) user flows <sup>1</sup>. When the user selects the Forgot your password? link, they are immediately sent to the Forgot Password experience. Your application no longer needs to handle the AADB2C90118 error code, and you don’t need a separate policy for password reset <sup>1</sup>.

    I recommend checking out this Microsoft Learn article for more information on setting up a password reset flow in Azure Active Directory B2C <sup>1</sup>. It provides a detailed flow chart that goes through all the possible scenarios when the logic app is giving TLS error and provides solutions for each scenario.

    I hope this helps you resolve your issue!


  2. James Hamil 27,226 Reputation points Microsoft Employee Moderator
    2024-03-15T19:24:46.9933333+00:00

    Hi @Adnan Ashfaq, by default, Azure AD does not require MFA after a user resets their password. However, you can configure Azure AD to require MFA after a password reset by creating a Conditional Access policy.

    Here are the steps to create a Conditional Access policy to require MFA after a password reset:

    1. Sign in to the Azure portal as a Global administrator.
    2. Navigate to Azure Active Directory > Security > Conditional Access.
    3. Click on the "+ New policy" button.
    4. Give the policy a name and description.
    5. Under "Assignments", select the users or groups that the policy will apply to.
    6. Under "Cloud apps or actions", select "All cloud apps".
    7. Under "Conditions", click on the "+ Add" button and select "Client apps".
    8. Under "Client apps", select "Browser".
    9. Under "Access controls", click on the "+ Grant" button and select "Grant access".
    10. Under "Grant access", select "Require multi-factor authentication".
    11. Click on the "Select" button and then click on the "Done" button.
    12. Click on the "Create" button to create the policy.

    With this policy in place, users will be required to complete MFA after resetting their password, before they can log in.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

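The portal steps in the answer above, expressed as the equivalent Microsoft Graph request body. This is an added example, not part of the original answer and not Microsoft's own sample: it assumes the policy is created with a `POST` to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` using an app or user with the `Policy.ReadWrite.ConditionalAccess` permission, and that you first deploy it in report-only mode (`enabledForReportingButNotEnforced`) to check the sign-in logs before switching `state` to `enabled`. The display name is a made-up placeholder.

```json
{
  "displayName": "Require MFA for browser sign-in (example policy)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": []
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["browser"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

`conditions.users.includeUsers` maps to step 5 (replace `"All"` with specific user or group object IDs if the policy should be scoped), `applications.includeApplications: ["All"]` to step 6, `clientAppTypes: ["browser"]` to steps 7 and 8, and `builtInControls: ["mfa"]` to steps 9 and 10. Keep at least one break-glass account in `excludeUsers` so an MFA outage cannot lock administrators out, and review the report-only results in the sign-in logs for the password-reset session before enforcing the policy.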
