This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 15%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
I'm trying to use self service password reset for my tenant in Azure AD B2C, but for some reason the verification of email needs to be done twice after you click on "Forgot your password?" link. Any idea why?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi @bogdan.bledea ,
Is this happening every time ? Have you tried the email verification for any other user account ? I have tried this on my local account with a guest user and I received only one email.
Thanks
Saurabh
Yes, but this is because MFA is activated. So when the MFA is activated for the self-service password reset for a SignIn (Recommended) user flow you have to verify the e-mail twice.
Is there any way I can disabled MFA for the self-service password reset flow and not for login?
Hi @bogdan.bledea ,
Have you tried disabling the MFA enforcement on Password reset user flow in your Azure AD B2C directory.
Thanks
Saurabh
Hi,
I've tried that, but it's the same.
Maybe I can only achieve something like this only using custom policy. I was expecting that first verification to be enough.
Thanks a lot.
@bogdan.bledea ok, let me check internally with the products team on the same. I will get back to you once I hear back from them.
Thanks
Saurabh
Can't wait to hear from you.
Thanks a lot,
Bogdan.
Hi @bogdan.bledea ,
I have received confirmation from products team and this is the default behavior that you are experiencing. You are seeing the MFA coming up twice while resetting the Password using the SSPR for B2C using the SignUp-SignIn Policies, as the default behavior for Password Reset flow (through SignUp-SignIn policies) is that you need to put you email and get the code sent to your email and once the code is entered to the B2C password reset page, you would be asked to enter the new password and confirm new password. But if you enable MFA for your SignUp-SignIn policy, and then try to reset the password, you would first go by the default flow for SSPR i.e enter your email address and get the code sent to your email and second, once you enter the code the next page is the MFA page, that would bring up the MFA method that is selected in the SignUp-SignIn Policy.
In case you want to update this behavior, you would have to use the custom policies.
Please let me know if you have any questions.
Thanks
Saurabh
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 30%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWS%3C/text%3E%3C/svg%3E)
Can you expand on this please. What specific change needs to be enabled on the custom policy?
Do you have specific code examples that show how to write this custom policy? I think pretty much anyone who makes it to this page would probably suspect that a custom solution was required so this is not helpful information without an example.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 46%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Hi, I've also encountered this recently and its getting customers confused. They are wondering why they have to do the same verification step again and think its a bug. A custom policy for this seems a bit confusing and hard to write as you would need to disable the email verification if they've already done it as part of the password reset. Is there any Microsoft examples on how this could be done?
Asked multiple times at this point. No examples given from MS.