This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 7.000000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
We need some users to have the user Administrator role so they can rest passwords of the consumer account but once the password is reset from the Azure B2C user blade does not work and when logging in with the new supplied password user receives "The password has expired."
What should be the way forward?
Hello @SaqibAhmed-1948
This is expected. When you reset the password using admin account from Azure AD Portal, a temporary password is generated which is marked as expired and requires the user to provide a new password. Since, in B2C there is a different mechanism for resetting password (i.e. by using Password Reset User flows/Custom Policies), users don't get the option to reset the password and only get The password has expired. message. In B2C, administrator accounts cannot be used to reset password of consumer accounts.
You may consider using one of the below custom policies:
Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
@Saqib Ahmed Please let me know if the answer helped. Feel free to tag me in your reply, if you any question.
Hi Aman
Indeed it was. thanks
@Saqib Ahmed Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 99%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hello @AmanpreetSingh-MSFT - thanks for the reply.
Given that "In B2C, administrator accounts cannot be used to reset password of consumer accounts." - then how could we implement a flow where the customer support team could reset the password of a user? Does B2C only supports self-service password reset?
Thanks,
Mau
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 57.99999999999999%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
I agree - it should be easier to configure B2C to allow support teams and administrators to reset passwords on behalf of the user. This is a very common use case.
@AmanpreetSingh-MSFT - is there any work being done to make it easier for support teams or administrators to reset users passwords, please? If not, how should we place a request for that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 47%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
@AmanpreetSingh-MSFT
does this links saying the same which you said!
https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-custom-policy#overview
my scenario is that i have created user using graph API setting an initial "password" and it is login successfully using this password, what i want now is that at his first login he should be asked to reset his password.
what should i do do make it functional(i don't need to reset user password from azure portal)
user himself should reset it on his first longin.
any help will be appreciated.
@Code Bit · I've posted an answer to your question here: https://learn.microsoft.com/en-us/answers/questions/332401/azure-adb2c-user-created-through-ms-graph-api-shou.html
yes i have seen that answer thanks a lot, ill try and test that and get back to u...currently i have an other question that is i want to create users from different tenants using graph API, what ate the steps...as i am able to create local and work accounts successfully but they are only within the tenant with which graph api is listening to.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 9%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Hi Aman,
If the expected result is for Azure AD to create an expired password, why does it say "...will be assigned a temporary password that must be changed on the next sign in." and "Provide this temporary password to the user so they can sign in."?
Thanks,
Paul
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 49%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
It is possible to set a new password using the following Powershell cmdlet - although this is a workaround that is far from ideal
Connect-AzureAD -TenantId <tenantId>
$Password = ConvertTo-SecureString -String "TheNewPassword" -Force –AsPlainText
Set-AzureADUserPassword -ObjectId <userId> -Password $Password
Thanks for creating the force password reset policy it was very helpful.
However, why the decision to create these json key/values that don't follow a specific graph API schema? we now have to be aware to publish this json property "extension_YOURAPPIDGUIDWITHOUTDASHES_mustResetPassword".
The downstream effects are pretty heavy... for example:
In terms of creating api wrappers, etc this become difficult if it's not part of a schema. Also we lose intellisense and difficult to create documentation for.
In our situation we have a c# class that is serialized and pushed to the API endpoint, we now have to add a property "extension_YOURAPPIDGUIDWITHOUTDASHES_mustResetPassword" (and/or make use of the json property attrib). Even worse if you have mutiple environments / Azure AD applications.
Wouldn't it be cleaner to create a "applicationExtensionAttributes" (as an example) as part of the schema:
{
"objectId": null,
"accountEnabled": true,
"applicationExtensionAttributes": {
"applications": [{
"id": "GUID-1",
"attributes": [{
"key": "mustResetPassword",
"value": true
},
{
"key": "whatEverIWant",
"value": "can go here"
}
]
}]
}
}
Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 61%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
I believe the linked Force password reset first logon custom policy in the accepted answer has been mitigated by time?
When enabling Self-service password reset and/or Forced password reset on the user flows, creating new users with this password profile does the job "out of the box" in our scenario:
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"passWord": "1234abCD#"
}