This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 80%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi,
I have a signup-signin policy that first ask the username, it checks if the user exists using a technical profile that reads the user as explained in https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile
I would like, in that step, to check if the user password is expired/must be changed but it seems not possible using AzureActiveDirectoryProvider. Can you help on reaching my goal?
What I've done so far:
Reading this article https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset I managed to set the flag in the password profile and I can read it with OpenIdConnect protocol like in the sample policy https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset
What I'm not able to do is read this flag BEFORE entering the password. If I try to read it inside AAD-UserReadUsingEmailAddress I receive the error "Output Claim 'passwordProfile.forceChangePasswordNextSignIn' is not supported in Azure Active Directory Provider technical profile 'AAD-UserReadUsingEmailAddress'"
I tried with passwordProfile.forceChangePasswordNextSignIn, forceChangePasswordNextSignIn, passwordProfile.forceChangePasswordNextLogin, forceChangePasswordNextLogin and also passwordExpired as returned by OpenIdConnect, but without success.
The documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes#password-profile-property is not clear if the attribute is only fro writing and not for reading.
Hello @Stefano Sapienti , as you’ve already discovered, Azure AD B2C does not support the user passwordProfile attribute. To read it, you could create a custom REST API or function that calls the Microsoft Graph. You can then consume this from your custom policies using a REST Technical Profile.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Thanks for the answer. I would like just to ask if you suggest to replace the AzureActiveDirectoryProvider with a REST technical profile (in this way we take advantage of the already existing claim) or to use an extension attribute like here https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon
Hello @Stefano Sapienti , my recomendation is to keep AzureActiveDirectoryProvider and complement it using REST calls to Microsoft Graph in order to follow the Don't reinvent the wheel and Single responsibility principles. Using extensions attributes can help if you plan to programmaticaly or manually invalite/expire user passwords but remember it requires mantaining an extra field. On the other hand calling Graph requires an extra API. You choose which ones suits your solution architecture better.