Azure AD B2C Password Reset

víctor arranz 0 Reputation points
2024-06-03T10:55:48.7066667+00:00

Hi, I want to create a custom policy where the first step would be a force password reset step. I want to ask if it is possible to skip the send email previous step, so that the user starts by just seeing the reset password screen. Is it possible? If so, how?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,131 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. WilliamN 465 Reputation points
    2024-06-03T11:38:14.9333333+00:00

    Yes, it is possible to create a custom policy in Azure AD B2C that forces users to reset their password without first sending an email. This involves configuring a custom user journey in your policy. Below are the steps to achieve this:

    Step 1: Create a Custom Policy

    1. Sign in to the Azure portal:
      • Navigate to Azure Active Directory.
        • Go to B2C Custom Policies under the Policies section.
          • Click New custom policy to create a new one.

    Step 2: Configure the Force Password Reset Step

    1. In your custom policy files (TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, SignUpOrSignIn.xml):
      • Add a Self-Asserted Technical Profile for the password reset step.
        • Customize the technical profile to include the following:
    xmlCopy code
    <ClaimsProvider>
    

    Step 3: Skip the Send Email Step

    To skip the email step:

    • Modify the technical profile for LocalAccountWritePasswordUsingObjectId:
    • Set the EnforceEmailVerification metadata item to false.

    Example:

    xmlCopy code
    <TechnicalProfile Id="LocalAccount-WritePasswordUsingObjectId">
    

    Step 4: Define the Custom User Journey

    In your TrustFrameworkExtensions.xml, define the custom user journey to start with the password reset step:

    xmlCopy code
    <TrustFrameworkPolicy ...>
    

    Step 5: Test the Custom Policy

    1. Assign the custom policy to a test user.
    2. Trigger the password reset flow and verify that the user sees the reset password screen without receiving an email.

    Remember to adjust the policy settings according to your organization’s requirements.You can create a custom policy in Azure Active Directory (Azure AD) that enforces a force password reset without sending an email notification. Let’s walk through the steps:

    Step 1: Create a Custom Policy

    1. Sign in to the Azure portal:
      • Navigate to Azure Active Directory.
        • Go to B2C Custom Policies under the Policies section.
          • Click New custom policy to create a new one.

    Step 2: Configure the Force Password Reset Step

    1. In your custom policy files (TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, SignUpOrSignIn.xml):
      • Add a Self-Asserted Technical Profile for the password reset step.
        • Customize the technical profile to include the following:
    xmlCopy code
    <ClaimsProvider>
    

    Step 3: Skip the Send Email Step

    To skip the email step:

    • Modify the technical profile for LocalAccountWritePasswordUsingObjectId:
    • Set the EnforceEmailVerification metadata item to false.

    Example:

    xmlCopy code
    <TechnicalProfile Id="LocalAccount-WritePasswordUsingObjectId">
    

    Step 4: Define the Custom User Journey

    In your TrustFrameworkExtensions.xml, define the custom user journey to start with the password reset step:

    xmlCopy code
    <TrustFrameworkPolicy ...>
    

    Step 5: Test the Custom Policy

    1. Assign the custom policy to a test user.
    2. Trigger the password reset flow and verify that the user sees the reset password screen without receiving an email.

    Remember to adjust the policy settings according to your organization’s requirements.

    I hope this helps.


  2. WilliamN 465 Reputation points
    2024-06-04T14:33:19.6533333+00:00
    1. User Flows (Recommended):
      • Password Reset User Flow: Yes, you can set up a user flow for password reset in Azure AD B2C. This provides a straightforward way to enable users to reset their passwords using the "Forgot your password?" link.
      • B2C_1_passwordreset: This is a placeholder name used as an example. When you create a password reset user flow in Azure AD B2C, it will be assigned a unique identifier based on your Azure AD B2C tenant and the specific user flow you create. You won't find a predefined user flow named B2C_1_passwordreset; it will be named based on your configuration.
    2. Custom Policies:
      • Password Reset Custom Policy: Alternatively, you can create a custom policy to handle the password reset process. This option offers more flexibility and customization options to tailor the user experience according to your specific requirements.
      • B2C_1A_PasswordResetFlow: Similarly, this is a placeholder identifier for a custom policy. When you create or customize a custom policy for password reset, you'll define the technical profiles and user journeys needed for your scenario. The name B2C_1A_PasswordResetFlow would be specific to your implementation and should be replaced with a meaningful name for your custom policy.

    Both user flows and custom policies offer solutions for implementing password reset functionality in Azure AD B2C. The choice between them depends on your requirements for customization and control over the user experience.