Azure AD B2C Password Reset

víctor arranz 0

Hi, I want to create a custom policy where the first step would be a force password reset step. I want to ask if it is possible to skip the send email previous step, so that the user starts by just seeing the reset password screen. Is it possible? If so, how?

2 answers

William 620 Reputation points

2024-06-03T11:38:14.9333333+00:00
Yes, it is possible to create a custom policy in Azure AD B2C that forces users to reset their password without first sending an email. This involves configuring a custom user journey in your policy. Below are the steps to achieve this:

Step 1: Create a Custom Policy

Sign in to the Azure portal:

Navigate to Azure Active Directory.

Go to B2C Custom Policies under the Policies section.

Click New custom policy to create a new one.

Step 2: Configure the Force Password Reset Step

In your custom policy files (TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, SignUpOrSignIn.xml):

Add a Self-Asserted Technical Profile for the password reset step.

Customize the technical profile to include the following:

xmlCopy code <ClaimsProvider>

Step 3: Skip the Send Email Step

To skip the email step:

Modify the technical profile for LocalAccountWritePasswordUsingObjectId:

Set the EnforceEmailVerification metadata item to false.

Example:

xmlCopy code <TechnicalProfile Id="LocalAccount-WritePasswordUsingObjectId">

Step 4: Define the Custom User Journey

In your TrustFrameworkExtensions.xml, define the custom user journey to start with the password reset step:

xmlCopy code <TrustFrameworkPolicy ...>

Step 5: Test the Custom Policy

Assign the custom policy to a test user.

Trigger the password reset flow and verify that the user sees the reset password screen without receiving an email.

Remember to adjust the policy settings according to your organization’s requirements.You can create a custom policy in Azure Active Directory (Azure AD) that enforces a force password reset without sending an email notification. Let’s walk through the steps:

Step 1: Create a Custom Policy

Sign in to the Azure portal:

Navigate to Azure Active Directory.

Go to B2C Custom Policies under the Policies section.

Click New custom policy to create a new one.

Step 2: Configure the Force Password Reset Step

In your custom policy files (TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, SignUpOrSignIn.xml):

Add a Self-Asserted Technical Profile for the password reset step.

Customize the technical profile to include the following:

xmlCopy code <ClaimsProvider>

Step 3: Skip the Send Email Step

To skip the email step:

Modify the technical profile for LocalAccountWritePasswordUsingObjectId:

Set the EnforceEmailVerification metadata item to false.

Example:

xmlCopy code <TechnicalProfile Id="LocalAccount-WritePasswordUsingObjectId">

Step 4: Define the Custom User Journey

In your TrustFrameworkExtensions.xml, define the custom user journey to start with the password reset step:

xmlCopy code <TrustFrameworkPolicy ...>

Step 5: Test the Custom Policy

Assign the custom policy to a test user.

Trigger the password reset flow and verify that the user sees the reset password screen without receiving an email.

Remember to adjust the policy settings according to your organization’s requirements.

I hope this helps.
Please sign in to rate this answer.
víctor arranz 0 Reputation points

2024-06-03T12:25:07.6966667+00:00

Could you give me an example of the whole flow? As the objectId is not known in that moment I don't understand how to do

víctor arranz 0 Reputation points

2024-06-04T07:15:29.9166667+00:00

Hello?

William 620 Reputation points

2024-06-04T11:45:33.4566667+00:00

I apologize @víctor arranz for not seeing your message earlier, and I'm sorry for the late reply.

To address your question, let me walk you through an example of creating a custom Azure AD B2C policy where the first step is a password reset, and the objectId is not known initially. Here’s how you can achieve this:

High-Level Flow

User Initiates Password Reset: The user starts the password reset process.

User Provides Identifier: The user provides their username or email.

Retrieve User Object: Azure AD B2C looks up the user by the provided identifier and retrieves the objectId.

Password Reset Screen: The user is then prompted to enter a new password.

Update Password: The new password is saved for the user.

Step-by-Step Guide

Set Up Azure AD B2C and Custom Policies

Ensure you have an Azure AD B2C tenant and have downloaded the custom policy starter pack from the Azure AD B2C GitHub repository.

Modify TrustFrameworkBase.xml

This file typically does not require extensive changes for this scenario. Ensure it includes the necessary claims and transformations for user identification and password reset.

Modify TrustFrameworkExtensions.xml

Here’s an example configuration for TrustFrameworkExtensions.xml:

xmlCopy code <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">

Define Supporting Technical Profiles

Add the necessary technical profiles in TrustFrameworkExtensions.xml to support collecting the email and reading user information.

Collect Email Technical Profile:

xmlCopy code <TechnicalProfile Id="SelfAsserted-CollectEmail">

AAD User Read Using Email Address Technical Profile:

xmlCopy code <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">

Modify the Password Reset Policy (PasswordReset.xml)

Ensure your password reset policy references the user journey defined in TrustFrameworkExtensions.xml.

Example Configuration:

xmlCopy code <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">

Upload and Test Custom Policies

Upload Policies: In the Azure portal, navigate to "Identity Experience Framework" under your Azure AD B2C tenant and upload the modified policy files (TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, PasswordReset.xml).

Test the Policy: Run the policy by navigating to the "Policies" section and selecting your custom policy. Ensure that the password reset screen is displayed immediately upon user journey initiation.

Helpful Links

Azure AD B2C Custom Policies Starter Pack

Custom policy overview in Azure Active Directory B2C

Azure AD B2C: Custom policy starter pack

Define technical profiles in an Azure Active Directory B2C custom policy

By carefully configuring the TrustFrameworkExtensions.xml and PasswordReset.xml files, you can create a custom user journey in Azure AD B2C that directs users straight to a password reset screen without prior email verification. This approach leverages the powerful customization capabilities of Azure AD B2C to meet specific user experience requirements.

If this answer solves your issue, please vote for it so other community members know that this is a quality answer.

víctor arranz 0 Reputation points

2024-06-04T12:01:17.1266667+00:00

Thank you,

I would like to ask you if it is possible to achieve the following:

I just want the user to reset his password, I mean, I want the user to access to a url that leads him to the password reset screen and after that, redirects him to wherever it would be defined. Is it possible for me to generate a url that encapsulates the user information so that the directive gets it and makes him able to update his password in that way?

William 620 Reputation points

2024-06-04T12:30:18.91+00:00

Yes, it's definitely possible to achieve what you're looking for. We can generate a URL that directs the user straight to the password reset screen, and upon resetting the password, they'll be redirected to a destination of your choice.

To generate such a URL, we'll utilize Azure AD B2C's built-in functionality for password reset flows. By including specific parameters in the URL, we can encapsulate the necessary user information and trigger the password reset process seamlessly.

Here's an example URL structure:

bashCopy code https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_PasswordResetFlow/oauth2/v2.0/authorize?p=B2C_1A_PasswordResetFlow &client_id=your-client-id &nonce=defaultNonce &redirect_uri=https://yourapp.com/reset-password-success &scope=openid &response_type=code &response_mode=query &prompt=login

This URL will lead the user directly to the password reset screen. Once they've reset their password, they'll be redirected to https://yourapp.com/reset-password-success or any other destination you define.

víctor arranz 0 Reputation points

2024-06-04T13:49:33.9133333+00:00

And how I make the system know who the user is?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

víctor arranz 0 Reputation points

2024-06-04T14:15:41.6233333+00:00

And B2C_1A_PasswordResetFlow should be a custom policy or wher could I find it?
Sign in to comment
William 620 Reputation points

2024-06-04T14:33:19.6533333+00:00
User Flows (Recommended):

Password Reset User Flow: Yes, you can set up a user flow for password reset in Azure AD B2C. This provides a straightforward way to enable users to reset their passwords using the "Forgot your password?" link.

B2C_1_passwordreset: This is a placeholder name used as an example. When you create a password reset user flow in Azure AD B2C, it will be assigned a unique identifier based on your Azure AD B2C tenant and the specific user flow you create. You won't find a predefined user flow named B2C_1_passwordreset; it will be named based on your configuration.

Custom Policies:

Password Reset Custom Policy: Alternatively, you can create a custom policy to handle the password reset process. This option offers more flexibility and customization options to tailor the user experience according to your specific requirements.

B2C_1A_PasswordResetFlow: Similarly, this is a placeholder identifier for a custom policy. When you create or customize a custom policy for password reset, you'll define the technical profiles and user journeys needed for your scenario. The name B2C_1A_PasswordResetFlow would be specific to your implementation and should be replaced with a meaningful name for your custom policy.

Both user flows and custom policies offer solutions for implementing password reset functionality in Azure AD B2C. The choice between them depends on your requirements for customization and control over the user experience.
Please sign in to rate this answer.
víctor arranz 0 Reputation points

2024-06-04T15:00:47.5633333+00:00

But my issue is that I wat to create a url where the user info must be placed so as to make him click on the url and it redirects him to the screen where he just sets the new password. So, if I create a user flow and use it in my url I can't skip the steps of writing the email and receiving an otp code. So, my problems are: being able to create the url I want with the user information and then being able to link this url just to the password reset step, without anything else

William 620 Reputation points

2024-06-04T15:36:45.0666667+00:00

I apologize for any misunderstanding. While the built-in user flows in Azure AD B2C don’t allow skipping email verification and OTP steps, you can achieve this by creating a custom policy. Here are the steps:

Custom Policy Creation:

Create a custom policy in Azure AD B2C to define your own user journey.

Skip the email verification and OTP steps in your custom policy.

Generate a URL:
- Configure your custom policy. - Generate a URL pointing to the custom policy endpoint (e.g., **`https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/yourpolicyname`**). **Include User Information:** - Add user-specific information (e.g., email or unique identifier) as query parameters in the URL (e.g., **`?p=useremail@example.com`**).

Redirect to Password Reset:

When users click the URL, they’ll be redirected to your custom policy, which should automatically take them to the password reset step.

víctor arranz 0 Reputation points

2024-06-04T15:41:09.19+00:00

And what would be the orchestration steps in order to do that custom policy?

William 620 Reputation points

2024-06-04T16:03:07.0766667+00:00

To ensure efficient and effective assistance, I recommend contacting the Azure Support team. By working directly with Azure Support, you can avoid unnecessary back-and-forth on forums and receive personalized help tailored to your specific requirements.

víctor arranz 0 Reputation points

2024-06-05T07:11:37.55+00:00

How can I contact them?

Givary-MSFT 30,931 Reputation points Microsoft Employee

2024-06-05T08:49:44.01+00:00

@víctor arranz Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" along with your Azure subscription id and we will help you with support options on this.
Sign in to comment

Share via

Azure AD B2C Password Reset

2 answers