Thank you for posting this in Microsoft Q&A.
I understand your concerns regarding the impact of the missing rate-limiting on Azure AD B2C's forgot password feature.
The lack of rate-limiting on Azure AD B2C's forgot password feature can potentially allow an attacker to perform a brute-force attack on a user's account, which can lead to unauthorized access to the account, and to attempt to reset passwords for multiple accounts in a short period of time.
An attacker could exploit this vulnerability by continuously sending requests to the 'forgot password' feature using various usernames or email addresses in an attempt to identify the correct one. In the absence of rate-limiting, an attacker is able to make numerous requests rapidly, thereby enhancing the likelihood of a successful brute-force attack and potentially rendering the 'forgot password' feature inaccessible to legitimate users.
The lack of rate-limiting can also cause damage to the mailbox's reputation if the forgot password feature sends a large number of emails to the mailbox. This can trigger spam filters and cause legitimate emails from the mailbox to be marked as spam.
Apart from custom policies, Azure AD B2C provides a feature called "smart lockout" that can be used to implement rate-limiting on the forgot password feature. This feature can be configured to lock out accounts after a specified number of failed password reset attempts.
For more information: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management
Another solution: implementing CAPTCHA on the forgot password page can help prevent automated attacks by requiring users to complete a CAPTCHA challenge before submitting a password reset request.
For your reference: CAPTCHA in Azure Active Directory B2C
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.
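The lockout and rate-limiting behaviour the answer describes, as an added illustration that is not code from the answer, from Azure AD B2C, or from Microsoft: a sliding-window limiter in front of a hypothetical forgot-password endpoint that locks an identifier after a number of reset requests and caps how many reset emails one source can trigger. The thresholds and the `now` clock parameter are assumptions chosen for the example, not Azure AD B2C's smart lockout defaults.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example (not Azure AD B2C defaults).
MAX_ATTEMPTS = 5          # reset requests per identifier allowed inside one window
WINDOW_SECONDS = 300      # sliding window used to count requests
LOCKOUT_SECONDS = 900     # how long a locked identifier stays locked
MAX_EMAILS_PER_SOURCE = 20  # reset emails one source address may trigger per window


class ResetRateLimiter:
    """Two independent controls for a 'forgot password' endpoint:
    a smart-lockout style rule per submitted identifier, and a per-source cap
    so one client cannot make the service flood mailboxes with reset emails.
    The limiter is keyed on the identifier as submitted, whether or not an
    account exists, so its decisions do not leak account existence."""

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock for testing
        self.attempts = defaultdict(deque)      # identifier -> request timestamps
        self.locked_until = {}                  # identifier -> unlock time
        self.by_source = defaultdict(deque)     # source address -> timestamps

    @staticmethod
    def _prune(queue, t):
        # Drop timestamps that fell out of the sliding window.
        while queue and queue[0] <= t - WINDOW_SECONDS:
            queue.popleft()

    def check(self, identifier, source_ip):
        """Return 'allow', 'locked' or 'throttled' for one reset request."""
        t = self.now()
        identifier = identifier.strip().lower()
        if self.locked_until.get(identifier, 0) > t:
            return "locked"
        src = self.by_source[source_ip]
        self._prune(src, t)
        if len(src) >= MAX_EMAILS_PER_SOURCE:
            return "throttled"                  # protects mailbox reputation
        acc = self.attempts[identifier]
        self._prune(acc, t)
        acc.append(t)
        src.append(t)
        if len(acc) > MAX_ATTEMPTS:
            # Threshold exceeded inside the window: lock and reset the counter.
            self.locked_until[identifier] = t + LOCKOUT_SECONDS
            acc.clear()
            return "locked"
        return "allow"
```

A real deployment would keep this state in a shared store rather than in process memory, and would return the same user-facing message for "allow" and "locked" so the endpoint cannot be used to confirm which identifiers exist.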