Where Do I report an AzureB2C Bug involving SignIn User Flow's "Self-service Password Reset" with MFA enabled Requiring Verification Email Twice?

Jessie Potts 1 Reputation point
2021-11-24T19:55:18.117+00:00

There is a bug in the "Self-service Password Reset" process when Multi Factor Authentication is enabled. Where is the appropriate location to report this bug so the issue can be resolved?

Steps To Reproduce Bug:

  1. Create SignIn user flow using the recommended version
  2. Enable Multi Factor Authentication using Email
  3. Enable "Self-service Password Reset"
  4. Run user flow
  5. Click "Forgot your password?" link
  6. Enter email address and click "Send verification code" button
  7. Retrieve code from email and paste into "Verification Code" field
  8. Click "Verify Code" button
  9. After code is verified, click "Continue" button
  10. You are now presented with the same form to send a verification code <--- this is the bug
  11. Repeat steps 6 through 9
  12. New Password/Confirm New Password options now appear
  13. Whew!

Thanks for any help you can provide!

Microsoft Entra External ID

2 answers

  1. James Hamil 22,976 Reputation points Microsoft Employee
    2021-11-28T17:30:44.747+00:00

    Hi @Jessie Potts, I've reported this to the product team. I'll let you know the fix to your issue when they find it!

    Best,
    James


  2. James Hamil 22,976 Reputation points Microsoft Employee
    2021-12-02T23:44:42.23+00:00

    Hi @Jessie Potts, the product team got back to me with an answer. This is the default behavior as of now. Creating a SUSI user flow with MFA and SSPR enabled will trigger the MFA request twice. An alternative is either to use two separate flows (one for SUSI with MFA enabled, another for Password Reset with MFA disabled) or to use custom policies. See: Why does e-mail verification needs to be done 2 times for self-service password reset in Azure Ad B2C?

    They are aware of this issue and it will be resolved soon hopefully.

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,
    James