Why does e-mail verification need to be done 2 times for self-service password reset in Azure AD B2C?

bogdan.bledea 31 Reputation points
2021-05-12T11:40:25.333+00:00

I'm trying to use self service password reset for my tenant in Azure AD B2C, but for some reason the verification of email needs to be done twice after you click on "Forgot your password?" link. Any idea why?


Accepted answer
  1. Saurabh Sharma 23,821 Reputation points Microsoft Employee
    2021-05-17T17:42:02.883+00:00

    Hi @bogdan.bledea ,

    I have received confirmation from the product team and this is the default behavior that you are experiencing. You are seeing the MFA coming up twice while resetting the password using SSPR for B2C with the SignUp-SignIn policies. The default behavior for the password reset flow (through SignUp-SignIn policies) is that you need to enter your email and get the code sent to your email, and once the code is entered on the B2C password reset page, you would be asked to enter the new password and confirm the new password. But if you enable MFA for your SignUp-SignIn policy and then try to reset the password, you would first go through the default flow for SSPR, i.e. enter your email address and get the code sent to your email, and second, once you enter the code, the next page is the MFA page, which would bring up the MFA method that is selected in the SignUp-SignIn policy.
    In case you want to update this behavior, you would have to use the custom policies.

    Please let me know if you have any questions.

    Thanks
    Saurabh


2 additional answers

  1. Jonathan Jones 20 Reputation points
    2023-07-26T07:59:06.6166667+00:00

    Hi, I've also encountered this recently and it's getting customers confused. They are wondering why they have to do the same verification step again and think it's a bug. A custom policy for this seems a bit confusing and hard to write, as you would need to disable the email verification if they've already done it as part of the password reset. Are there any Microsoft examples of how this could be done?

    4 people found this answer helpful.
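As an added illustration of the custom-policy route the accepted answer points to (this is not code from the page, from Microsoft, or from any of the posters), the fragment below sketches a dedicated password-reset user journey for a B2C custom policy (TrustFrameworkExtensions.xml) in which the e-mail one-time code is collected once, and the second verification is a different factor rather than a repeat of the first. The orchestration-step schema is standard B2C; the technical profile Ids and the `strongAuthenticationPhoneNumber` claim are assumed to come from the SocialAndLocalAccountsWithMfa starter pack and must be checked against the tenant's own policy files.

```xml
<!-- Added example, not code from the page or from Microsoft.
     Assumptions: technical profile Ids and the phone-number claim name follow the
     SocialAndLocalAccountsWithMfa starter pack; adjust them to your own policy. -->
<UserJourneys>
  <UserJourney Id="PasswordResetSingleEmailOtp">
    <OrchestrationSteps>

      <!-- Step 1: the user enters the e-mail address and proves control of it with a
           one-time code. This is the single e-mail verification the question expects. -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange"
                          TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Step 2: read the account so that the enrolled MFA phone number is available
           to the next step. -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId"
                          TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Step 3: a second, independent factor (phone) instead of a second e-mail code.
           The precondition skips the step only when the account has no enrolled phone;
           removing this step entirely would let mailbox access alone reset the password,
           so whether un-enrolled accounts should be forced to enrol here is a tenant
           policy decision, not something to drop silently. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
            <Value>strongAuthenticationPhoneNumber</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="PhoneFactor-Verify"
                          TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Step 4: write the new password against the objectId found in step 1. -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="NewCredentials"
                          TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Step 5: issue the token for the relying party. -->
      <OrchestrationStep Order="5" Type="SendClaims"
                         CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

The journey is referenced from a relying-party file by its `Id`, and the point of the layout is that the user proves mailbox control exactly once (step 1) and is then asked for a factor the mailbox does not give them (step 3); repeating the e-mail code, as the built-in flow does when the selected MFA method is e-mail, adds friction without adding assurance. When testing, use the Azure portal's "Run user flow" / "Run now" against a test account with and without an enrolled phone number to confirm that step 3 is presented only in the enrolled case.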

  2. Esteban Luchsinger 0 Reputation points
    2024-11-29T12:54:18.84+00:00

    First, it may make sense from a developer's perspective, if one developer is focused on MFA and one developer is focused on password reset.

    This makes absolutely no sense from a UX perspective. The first email is fine. It'll make sure it's the correct email address and belongs to the claimant. The second email is absolutely not fine. The email has already been verified and the system should remember this happened 5 seconds ago.

    This is a no-go and it's only one of the many drawbacks of using AAD B2C. Very poor user experience and the workaround to use custom policies seems to always be the solution. The real solution here should be that the default makes sense for >90% of the cases, while now it's the other way around.

    Concretely, this behavior has meant that almost no user is able to reset their password without opening a support ticket. This should be basic functionality.

