This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 62%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
I have followed all the steps here (https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started) in order to create a custom policy. I am able to create an account, but when I attempt to log in I receive the "Invalid username or password" message. I am able to use that account to log in using the built-in user flows but not the custom policies. Unfortunately, the documentation does not show full examples, but after re-reading this about 1000 times I think I am doing this correctly. If anyone has any suggestions on how to debug the issue or what I might be doing incorrectly, please let me know.
Ok, I just uploaded the important ones. I don't think profile edit or password reset come into play for the sign in flow.
@alfredo-msft-identiy any update on this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @SteveDEgenhardt-8910,
Were you mainly hoping for troubleshooting guidance? This guide has some steps showing the best way to validate the policies. https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-custom-policies?tabs=app-reg-ga
Is your client type set to private by chance? If you set the client type to public that can resolve this error. Also, please make sure the access and ID tokens are enabled.
If you would like to have a support case opened for this, you can feel free to email me at AzCommunity@microsoft.com and I can enable one for you.
Any assistance that can be provided would be appreciated. I thought the request to send the policies and provide more info was an acknowledgement that our issue was being worked on. We have been stuck on the most basic issue for more than a month. At this point, we don't have much time to implement and we will use Okta to implement our solution but in parallel try to work out our B2C issues and we hope that is our long term solution.
Also, I did send an email to the address provided above.
Hi @SteveDegenhardt-8910. Yes, I left a comment: https://learn.microsoft.com/answers/comments/54768/view.html
@MarileeTurscak is there a case number or some info I should be getting back (in re to you opening a case for this)?
In your IdentityExperienceFramework app manifest:
Change:
"accessTokenAcceptedVersion": 2,
To (default value):
"accessTokenAcceptedVersion": null,
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
@alfredo-revilla-msft This resolved the issue. I have no idea how this would have been set (I did not edit the manifest directly), so probably something I changed in the UI and when I changed it back it failed to update. But this worked. Thank you for your assistance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 5%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETJ%3C/text%3E%3C/svg%3E)
I am experiencing the same issue, but I cannot set accessTokenAcceptedVersion to null. If I try, I get the error:
"Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [Qlq/E]"
Is there another workaround?
Ensure the following value is set:
"signInAudience": "AzureADandPersonalMicrosoftAccount"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 5%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Same here!
Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [hd++9]
its already there.
@Peter @Travis Johnson try recreating both IEF applications. IF that does not solve the issue please create a new post to better address the problem.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 54%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
App manifest doc says 'If signInAudience is AzureADandPersonalMicrosoftAccount, the value [of accessTokenAcceptedVersion] must be 2.' (accessTokenAcceptedVersion attribute)
Im using same tenant local accounts only and was able to run custom policies by setting:
"signInAudience": "AzureADMyOrg" (signInAudience attribute) and
accessTokenAcceptedVersion": null
Our team actually abandoned AD B2C in favor of AWS Cognito because of this issue and this other one that threw out our plans for federation https://learn.microsoft.com/en-us/answers/questions/2222/azure-b2c-oidc-the-key-type-ec-from-the-json-web-k.html
It helped, thank you so much!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 72%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I spent 2 days on this issue, and if finally came down to a mix up of the ProxyIdentityExperienceFrameworkAppId and the IdentityExperienceFrameworkAppId.
Just a point to keep in note, when you are creating the two IDs you create the IdentityExperienceFrameworkAppId first. I was entering that (without paying much attention) when updating TrustFrameworkExtensions.xml
Keep mind that the first ID in the xml file is the ProxyIdentityExperienceFrameworkAppId!!! ..,, darn!! Its miss that you can not find easily since the error you get is "user name password is not correct".
--Andrew
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 77%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
I had the same issue. The change that resolved it that I deleted IdentityExperienceFramework and ProxyIdentityExperienceFramework applications created under b2c "blade" (weird name), and created them under AAD. That means that before doing this step https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-identityexperienceframework-application and this one https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-proxyidentityexperienceframework-application navigate to AAD and then to App registrations
Please take a look to Get started with custom policies in Azure Active Directory B2C. It covers the basic setup, authenticating with local (Azure AD B2C directory) accounts and facebook accounts.
That is the documentation that I am following. I have read through it probably 20 times now, still cannot get it to work. I don't know where to go for assistance or debugging the issue. The only thing I can do is to follow that page over and over again in order to get the same result, lol.
Typically the issue has to do with the Proxy or Identity in the Extensions, but I have checked that over and over and it appears correct to me.
Please share your policies to review them.
I have enclosed those below, thanks!
Shared policies are fine. What OAuth2 flow are you using? Authorization, implicit or ROPC? Please share additional error details if available (request or correlation id) and/or follow the steps detailed in Collect Azure Active Directory B2C logs with Application Insights and share generated logs.
Sorry Alfredo, I did not see this message, I have been checking the bottom of this issue for updates and did not realize you posted to a thread.
We are simply trying to run the policy from Azure B2C. We have App Insights logging turned on, but not receiving anything of much use.
@Steve Degenhardt actually they pack a great deal of useful detail. Look for the ones with entries of type "HandlerResult" with a Content\Exception field present.
Ok, I will upload an event that I captured. I can see that a token is being returned, everything looks good, but still do not understand the response.
Still receiving "invalid username or password" despite getting a token. By getting a token, I mean I can see a valid token in the json file (that I have uploaded).
Ok great. I will analyze the logs and come back to you ASAP.
@Steve Degenhardt can you double check/ensure ief applications have been properly created and configured?
I am not trying to test this from an app, but rather directly from "Run" custom policy from B2C. I have register an application and that looks good as far as I can tell.
These are Azure AD app registrations. Ensure they've been properly setup following the steps detailed in Register Identity Experience Framework applications.
@Steve Degenhardt or better yet please provide the app manifest for both Identity Experience Framework applications.
@Steve Degenhardt added a new answer.
I have read through it probably 2000 times now!!! still cannot get it to work!!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 9%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Same issue, testing SignUpOrSignin.xml custom policy and can create local users ok but cannot login
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 83%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
When initially trying to upload TrustFrameworkBase.xml I received a validation error. I went looking around in that file and in the <TechnicalProfile Id="login-NonInteractive"> section I found these items:
<Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
"Well that looks weird," I thought, "I'll try replacing {tenant} with my tenant name." Boom, no validation error! No mention of it in the tutorial, but oh well—it works, so, moving on...
Later, I run into the principle problem of this thread where sign up works but not sign in. After trying many things, I wondered about my "fix" for that validation error. So...
I switched the METADATA and authorization_endpoint URLs back to the default (as above) and uploaded the file with the Overwrite the custom policy if it already exists checkbox selected. No validation issues. Weird. But Ok, great, let's try signing in... Lo and behold, that seemed to do the trick: Sign in works now.
Hopefully sharing this helps someone else ♥