Unable to sign on using custom policy

Question

Unable to sign on using custom policy

Steve Degenhardt 61

I have followed all the steps here (https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started) in order to create a custom policy. I am able to create an account, but when I attempt to log in I receive the "Invalid username or password" message. I am able to use that account to log in using the built-in user flows but not the custom policies. Unfortunately, the documentation does not show full examples, but after re-reading this about 1000 times I think I am doing this correctly. If anyone has any suggestions on how to debug the issue or what I might be doing incorrectly, please let me know.

Steve Degenhardt 61 Reputation points

2020-07-22T12:22:55.897+00:00

13268-b2c-1a-trustframeworkextensions.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:23:24.287+00:00

13363-b2c-1a-signup-signin.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:23:54.607+00:00

13325-b2c-1a-trustframeworkbase.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:24:50.313+00:00

Ok, I just uploaded the important ones. I don't think profile edit or password reset come into play for the sign in flow.
Steve Degenhardt 61 Reputation points

2020-07-22T12:59:45.31+00:00
Steve Degenhardt 61 Reputation points

2020-07-27T17:32:27.833+00:00

@alfredo-msft-identiy any update on this?
Marilee Turscak-MSFT 37,376 Reputation points Microsoft Employee Moderator

2020-07-27T20:47:31.737+00:00

Hi @SteveDEgenhardt-8910,

Were you mainly hoping for troubleshooting guidance? This guide has some steps showing the best way to validate the policies. https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-custom-policies?tabs=app-reg-ga

Is your client type set to private by chance? If you set the client type to public that can resolve this error. Also, please make sure the access and ID tokens are enabled.

If you would like to have a support case opened for this, you can feel free to email me at AzCommunity@microsoft.com and I can enable one for you.
Steve Degenhardt 61 Reputation points

2020-07-28T14:17:47.053+00:00
Any assistance that can be provided would be appreciated. I thought the request to send the policies and provide more info was an acknowledgement that our issue was being worked on. We have been stuck on the most basic issue for more than a month. At this point, we don't have much time to implement and we will use Okta to implement our solution but in parallel try to work out our B2C issues and we hope that is our long term solution.

I am reading through the link you suggested. It seems we are already doing those things but will double-check.

I do have my client set to public and access and id tokens have been selected.

I will open a support case as you suggested. I didn't realize this was an option or would have done this weeks ago. I keep getting pushed from one site to another and it frustrating.
Steve Degenhardt 61 Reputation points

2020-07-29T16:08:46.347+00:00

Also, I did send an email to the address provided above.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-07-29T23:27:12.857+00:00

Hi @SteveDegenhardt-8910. Yes, I left a comment: https://learn.microsoft.com/answers/comments/54768/view.html
Steve Degenhardt 61 Reputation points

2020-07-31T12:10:18.773+00:00

@MarileeTurscak is there a case number or some info I should be getting back (in re to you opening a case for this)?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer accepted by question author

8 additional answers

Your answer

Steve Degenhardt 61 Reputation points

2020-07-22T12:22:55.897+00:00

13268-b2c-1a-trustframeworkextensions.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:23:24.287+00:00

13363-b2c-1a-signup-signin.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:23:54.607+00:00

13325-b2c-1a-trustframeworkbase.xml
Steve Degenhardt 61 Reputation points

2020-07-22T12:24:50.313+00:00

Ok, I just uploaded the important ones. I don't think profile edit or password reset come into play for the sign in flow.
Steve Degenhardt 61 Reputation points

2020-07-22T12:59:45.31+00:00
Steve Degenhardt 61 Reputation points

2020-07-27T17:32:27.833+00:00

@alfredo-msft-identiy any update on this?
Marilee Turscak-MSFT 37,376 Reputation points Microsoft Employee Moderator

2020-07-27T20:47:31.737+00:00

Hi @SteveDEgenhardt-8910,

Were you mainly hoping for troubleshooting guidance? This guide has some steps showing the best way to validate the policies. https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-custom-policies?tabs=app-reg-ga

Is your client type set to private by chance? If you set the client type to public that can resolve this error. Also, please make sure the access and ID tokens are enabled.

If you would like to have a support case opened for this, you can feel free to email me at AzCommunity@microsoft.com and I can enable one for you.
Steve Degenhardt 61 Reputation points

2020-07-28T14:17:47.053+00:00

Any assistance that can be provided would be appreciated. I thought the request to send the policies and provide more info was an acknowledgement that our issue was being worked on. We have been stuck on the most basic issue for more than a month. At this point, we don't have much time to implement and we will use Okta to implement our solution but in parallel try to work out our B2C issues and we hope that is our long term solution.

I am reading through the link you suggested. It seems we are already doing those things but will double-check.

I do have my client set to public and access and id tokens have been selected.

I will open a support case as you suggested. I didn't realize this was an option or would have done this weeks ago. I keep getting pushed from one site to another and it frustrating.
Steve Degenhardt 61 Reputation points

2020-07-29T16:08:46.347+00:00

Also, I did send an email to the address provided above.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-07-29T23:27:12.857+00:00

Hi @SteveDegenhardt-8910. Yes, I left a comment: https://learn.microsoft.com/answers/comments/54768/view.html
Steve Degenhardt 61 Reputation points

2020-07-31T12:10:18.773+00:00

@MarileeTurscak is there a case number or some info I should be getting back (in re to you opening a case for this)?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Moderator

In your IdentityExperienceFramework app manifest:

Change:

"accessTokenAcceptedVersion": 2,

To (default value):

"accessTokenAcceptedVersion": null,

Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

Steve Degenhardt 61 Reputation points

2020-08-10T12:34:16.773+00:00

@alfredo-revilla-msft This resolved the issue. I have no idea how this would have been set (I did not edit the manifest directly), so probably something I changed in the UI and when I changed it back it failed to update. But this worked. Thank you for your assistance.
Travis Johnson 6 Reputation points

2020-08-25T22:14:04.39+00:00

I am experiencing the same issue, but I cannot set accessTokenAcceptedVersion to null. If I try, I get the error:

"Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [Qlq/E]"

Is there another workaround?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-08-26T21:31:14.547+00:00

Ensure the following value is set:

"signInAudience": "AzureADandPersonalMicrosoftAccount"
Peter 16 Reputation points

2020-10-05T00:39:16.587+00:00

Same here!

Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [hd++9]
Peter 16 Reputation points

2020-10-05T00:40:12.17+00:00

its already there.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-10-05T17:27:06.677+00:00

@Peter @Travis Johnson try recreating both IEF applications. IF that does not solve the issue please create a new post to better address the problem.
Bhavik Barve 1 Reputation point

2020-10-10T19:57:26.31+00:00

App manifest doc says 'If signInAudience is AzureADandPersonalMicrosoftAccount, the value [of accessTokenAcceptedVersion] must be 2.' (accessTokenAcceptedVersion attribute)

Im using same tenant local accounts only and was able to run custom policies by setting:
"signInAudience": "AzureADMyOrg" (signInAudience attribute) and
accessTokenAcceptedVersion": null

@Peter @Travis Johnson
Travis Johnson 6 Reputation points

2020-10-10T20:02:43.523+00:00

Our team actually abandoned AD B2C in favor of AWS Cognito because of this issue and this other one that threw out our plans for federation https://learn.microsoft.com/en-us/answers/questions/2222/azure-b2c-oidc-the-key-type-ec-from-the-json-web-k.html
Daniel Krzyczkowski 501 Reputation points MVP

2022-11-01T11:20:26.773+00:00

It helped, thank you so much!
andrewz 20 Reputation points

2023-04-03T14:53:20.52+00:00

I spent 2 days on this issue, and if finally came down to a mix up of the ProxyIdentityExperienceFrameworkAppId and the IdentityExperienceFrameworkAppId.

Just a point to keep in note, when you are creating the two IDs you create the IdentityExperienceFrameworkAppId first. I was entering that (without paying much attention) when updating TrustFrameworkExtensions.xml

Keep mind that the first ID in the xml file is the ProxyIdentityExperienceFrameworkAppId!!! ..,, darn!! Its miss that you can not find easily since the error you get is "user name password is not correct".

--Andrew

Answer 2

Sharad Taur 11

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ....any luck on this issue....i have followed every step of documentation but still not able to sign in using Custom Policy....it works for sign up but not for sign in

Answer 3

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA Similar issue as mentioned by others 1. Created custom policy 2. Able to run policy "B2C_1A_signup_signin" and create user 3. Post signup token created successfully and redirected to jwt.ms and able to see the created username in the token. 4. When i try to signin with the same created user it shows error message "The username or password provided in the request are invalid." 5. I could able to login with the newly created user through "Userflows"

Read the document several times, deleted and recreated the two app(proxy and identityexp framework) registers mentioned in the documentation no success.

Any help would be appreciated.63218-b2c-insights-query-data.txt

Answer 4

Trung Nguyen 6

Same issue. I was testing B2C_1A_SIGNUP_SIGNIN and I could create user but could not login.
Then I read the document again and found out that "allowPublicClient": null, so I updated it as the document then I worked.
Hope that helps!

Anonymous

2021-09-06T10:10:31.073+00:00

Was already set up
Håland, Geir Atle 0 Reputation points

2023-03-31T08:44:48.2666667+00:00

This worked for me, thank you !

Answer 5

NHering22101 106

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA same issue here with code flow. Any updates?

Share via

Unable to sign on using custom policy

8 additional answers

Your answer