Creating a user in a Microsoft Entra ID B2C tenant results in the user getting a "Password expired" error on the first login attempt

Christian Borkenfelt 0 Reputation points


After the Microsoft Azure AD B2C service got upgraded to become Microsoft Entra ID, we cannot create new users successfully anymore.

When creating a user via 'Users' -> 'Create new external user' and filling in the user configuration ('Sign-in method': Email, display name, and the auto-generated password), the user gets added to the tenant. However, when trying to log in, the user is shown "Password expired" immediately.

I have tried resetting the password in the Azure portal, but I get the same error.

I have tried creating the user through the 'legacy users list experience' which works correctly.

If I reset the password for a user that was successfully created through the 'legacy users list experience' and who successfully logged in afterwards, the user is then presented with the 'Password expired' error immediately after the password reset. This was also a bug before the Microsoft Azure AD B2C service got upgraded to become Microsoft Entra ID.


1 answer

  1. Babafemi Bulugbe 2,190 Reputation points MVP

    Hello Christian Borkenfelt,

    Thank you for posting your question in the Microsoft Q&A Community. I understand that you are encountering some issues with the external accounts you created via your B2C tenant.

    To start with, please note that external accounts are still consumer accounts, which means they have limited access within the tenant, as they are expected to be created via a self-service user journey. Although they can also be created via the portal, they will only have access to applications within the tenant.


    Going back to your concern, I have reproduced the scenario you explained and this will be reported to the concerned team. However, I will explain below how to gain access:

    Once you create an external user account, it is created as a member by default and assigned a new UPN which is different from the Email you created the account with. This UPN is more of a member account as it is assigned the default domain in the tenant.


    If you want to reset the password, the user needs to authenticate with the UPN and not the email address. After resetting the password, the user cannot authenticate to the applications within your B2C tenant with the original email address.


    Note: This user still won't have access to your tenant with the email address, only with the UPN account.

    Let me know if further assistance is needed.
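The distinction the answer draws between the email an account was created with and the tenant UPN it actually signs in with can be made concrete with Microsoft Graph user objects. The following is an added example, not code from the question, the answer or Microsoft: it builds the Graph `POST /users` body for a B2C local account whose sign-in name is the email itself (an `emailAddress` identity, as in the Graph documentation's B2C example), and it picks the identifier a given user object can sign in with using the rule from the answer. The tenant domain, user objects and password are constructed placeholders; sending the request with a suitably authorised token is left to the reader.

```python
# Constructed placeholder values (not from the question or answer).
TENANT_DOMAIN = "contosob2c.onmicrosoft.com"

# A user as the portal's 'Create new external user' flow leaves it, per the
# answer: a member account with a UPN on the tenant's default domain and no
# email sign-in identity. Constructed sample, not a real tenant's data.
PORTAL_EXTERNAL_USER = {
    "displayName": "Alice Example",
    "userPrincipalName": "alice_example@" + TENANT_DOMAIN,
    "mail": "alice@example.com",
    "identities": [
        {"signInType": "userPrincipalName", "issuer": TENANT_DOMAIN,
         "issuerAssignedId": "alice_example@" + TENANT_DOMAIN}
    ],
}


def local_account_payload(email: str, display_name: str, password: str,
                          issuer: str = TENANT_DOMAIN) -> dict:
    """Request body for Microsoft Graph POST /users that creates a B2C local
    account signing in with the email address itself. passwordPolicies and
    forceChangePasswordNextSignIn follow the Graph docs' B2C example so the
    new password is usable immediately and not treated as expired."""
    return {
        "displayName": display_name,
        "identities": [
            {"signInType": "emailAddress", "issuer": issuer,
             "issuerAssignedId": email}
        ],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def sign_in_name(user: dict) -> str:
    """The identifier this account can authenticate with, following the
    answer: an emailAddress identity if one exists, otherwise the UPN."""
    for ident in user.get("identities", []):
        if ident.get("signInType") == "emailAddress":
            return ident["issuerAssignedId"]
    return user["userPrincipalName"]


if __name__ == "__main__":
    print("portal external user signs in as:", sign_in_name(PORTAL_EXTERNAL_USER))
    body = local_account_payload("alice@example.com", "Alice Example", "PLACEHOLDER-PW")
    print("email local account signs in as:", sign_in_name({**body, "userPrincipalName": "n/a"}))
```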