This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 57.99999999999999%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Users attempting to sign up using a magic link (email OTP verification) in Azure AD B2C receive an "Invalid verification code" error after approximately 2-3 minutes, even though the OTP expiration is configured for 20 minutes (1200 seconds). The issue ONLY occurs when users are NOT connected to corporate VPN.
Environment
Error Message
Root Cause Evidence - Cookie Analysis
We captured browser cookies in both scenarios and found a critical difference:
✅ Working (VPN enabled**) - 18 cookies:**
❌ Not Working (No VPN) - Only 4 cookies:
Decoded x-ms-cpim-trans Cookie Comparison
Working:
{"T_DIC":[
{"P":"b2c_1a_signup_signin","S":1},
{"P":"b2c_1a_signup","S":3}
],"C_ID":"[GUID-1]"}
Not Working:
{"T_DIC":[
{"P":"b2c_1a_signup","S":8}
],"C_ID":"[GUID-2]"}
The missing transaction history indicates session state is being lost.
Audit Log Evidence
B2C Audit logs show this pattern when it fails:
T+0:00 - Generate OTP: ✅ Success
T+2:34 - Verify OTP: ❌ "Session has expired"
T+5:45 - Verify OTP: ❌ "Code incorrect" (new session, old code invalid)
What We've Already Verified
Questions for Support
**Relevant Microsoft Documentation:**
- https://learn.microsoft.com/en-us/azure/active-directory-b2c/cookie-definitions
- https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior
The session-behavior doc states: "If the user uses a browser that blocks
third-party cookies, there are limitations with SSO due to limited access
to the cookie-based session."
Our evidence suggests cookies are being lost/stripped when traffic does
NOT go through VPN, causing the B2C session to become invalid.
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Hello Sven Goormans,
Based on the evidence you shared, this is not an OTP lifetime issue — it’s a session continuity problem.
Azure AD B2C does not validate the email OTP as a standalone value. The OTP is bound to the original transaction context (stored in x-ms-cpim-trans, C_ID, and related session cookies). When those cookies are missing or altered, B2C treats the request as a new journey, and the original OTP becomes invalid — even if it’s still within the 20-minute validity window.
From your comparison:
Not working (No VPN): transaction history missing → new C_ID → session interpreted as expired
This explains the audit log pattern:
OTP generated → success
Verify after ~2–3 min → “Session has expired”
Retry → “Code incorrect” (because a new session context exists)
The key issue appears to be that parent-domain cookies are not being sent when users are off VPN. This typically happens due to one of the following:
SameSite cookie restrictions (modern browser enforcement)
Domain attribute mismatch
Secure flag inconsistencies
Azure Front Door or proxy modifying/stripping cookies
Cross-site redirect between www.[CUSTOMER_SITE].com and login.[COMPANY_DOMAIN].com
To clarify your specific questions:
• B2C requires full transaction cookie continuity; its own .login.* cookies alone are not sufficient. • Yes — when transaction correlation fails, B2C effectively starts a new verification context, making the original OTP invalid. • Custom policies cannot override this behavior — OTP validation is session-bound by design. • This behavior is consistent with documented session handling limitations when cookies are blocked or treated as third-party. • B2C cannot validate OTP statelessly based only on the code value.
Recommended next checks:
Inspect Set-Cookie headers (non-VPN scenario) and confirm:
SameSite=None
`Secure`
Correct `Domain=.company_domain.com`
Verify Azure Front Door is not modifying or stripping cookies.
Confirm no domain switching or redirect mismatch during the user journey.
Test with third-party cookies explicitly enabled to validate SameSite impact.
Given that it works consistently on VPN, the difference strongly points to cookie handling along the non-VPN network path rather than a B2C policy configuration issue.
If needed, I can provide a structured debugging checklist for isolating the exact cookie behavior.
@kagiyama yutaka we've investigated our cloudflare instance, but we're not seeing any errors related to aadb2c.
Any other ideas are welcome! :-)
might be wrong here, but that 2–3 min timeout off‑VPN really looks like AFD hopping nodes and dropping the B2C session cookies on the redirect. pin it to one AFD path (no cache/WAF, sticky on) and see and every time I’ve hit this, the OTP suddenly lasts the full 20 mins.