This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 54%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
Using the SignInAndSignUp custom policy, I can sign up and reset password successfully, I am logged in after Sign Up, but for some reason I can't Sign In.
I have the ApplicationIds set in TrustFrameworkExtensions.xml
Here is some data I got from AzureAD B2C VS Code Application Insights Extension:
Exceptions: Invalid username or password.
Validation technical profiles: login-NonInteractive
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Invalid username or password.",
"Data": {
"IsPolicySpecificError": false
}
}
}
login-NonInteractive in TrustFrameworkBase.xml:
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<DisplayName>Local Account SignIn</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="ProviderName">https://sts.windows.net/</Item>
<Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
<Item Key="response_types">id_token</Item>
<Item Key="response_mode">query</Item>
<Item Key="scope">email openid</Item>
<!-- <Item Key="grant_type">password</Item> -->
<!-- Policy Engine Clients -->
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
<InputClaim ClaimTypeReferenceId="password" Required="true" />
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
<InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
login-NonInteractive in TrustFrameworkExtensions.xml:
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<Metadata>
<Item Key="client_id">I have it set, but removed for question</Item>
<Item Key="IdTokenAudience">I have it set, but removed for question</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="I have it set, but removed for question" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="I have it set, but removed for question" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Any help?
Hi @Danilo Popovikj • Thank you for reaching out.
Could you please double check if ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId are added to the login-NonInteractive technical profile, as mentioned below, and not vise-versa by mistake.
Also make sure, in the B2C tenant, navigate to Azure Active Directory > App Registrations > Search for ProxyIdentityExperienceFramework app > API permissions, below permission is added:
If this permission is not added, sign-up works but sign-in fails with "Invalid username or password." error and in Azure AD Sign-in Activities, below error is logged:
Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for the answer!
Unfortunately, it still behaves the same, I Triple checked the ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId in the Extensions xml, and they are good.
I checked the permission for user_impersonation
And it looks okay to me. Anything else in mind I can check that might be causing this?
@Danilo Popovikj • Do you see any failure events in Azure AD Sign-in activities, corresponding to "Invalid username or password." error?
Nope, it shows as success, weird..
@Danilo Popovikj • That is strange. Is it a new setup or was it working earlier?
If it is a new setup and never worked, I would suggest you deploy the Custom Policy starter pack using https://aka.ms/iefsetup and test again.
Yes, it never worked, I have deployed the starter pack, created a fresh user from there and sign in still doesn't work. This leads me to beleive that it's something to do with configuring AD B2C in the portal. I deleted the applications ProxyIdentityFrameworkExperience and IdentityFrameworkExperience, and set them up again, and it still doesn't work.
Stuck on this for a week now, and don't know what to try anymore.
Fixed it. I deleted the apps, and ran this tool https://aka.ms/iefsetup
Then just re-uploaded my custom policies with new App Ids, and Sign In works now.
Thank you very much.
@Danilo Popovikj • Great! Thanks for the update.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 21%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
is it safe to use this tool ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 74%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
I'm having the exact same issue. I really don't want to use the URL above to generate the identity and proxy apps. @Danilo Popovikj , do you have any idea what the issue was with the apps? I even tried creating them in the Azure AD blade rather than B2C yesterday but that didn't seem to help anything. The system seems to think my login is successful, and in Application Insights I just see
"Statebag": {
"ValidationResponse": {
"ContentType": "Json",
"Created": "2023-05-03T03:02:29.338947Z",
"Key": "ValidationResponse",
"Persistent": true,
"Value": "<REDACTED>"
},
"Complex-CLMS": {},
"ComplexItems": "_MachineEventQ, TCTX, S_CTP, M_EXCP"
},
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "Invalid username or password.",
"Data": {
"IsPolicySpecificError": false
}
},
"PredicateResult": "False"
Whoops, accidentally posted an answer rather than a question.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 79%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Hello, I have the same issue only when I am using UserMigrationViaLegacyIdp and AAD-WritePasswordAndFlipMigratedFlag, after the last call I have
<ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
And Flow gives me an Invalid username or password. But if I remove the
<ValidationTechnicalProfile ReferenceId="AAD-WritePasswordAndFlipMigratedFlag" ContinueOnError="false"> It logins the user as expected, please can you advise what is going on?
Thanks
Validation technical profiles
Only if AAD-WritePasswordAndFlipMigratedFlag called I got the same error, can you help with this? Thanks