Password Reset - Via either Email or Phone verification - Licensing

robcool 116 Reputation points
2022-03-17T23:18:54.953+00:00

Hi,

For federated identities with B2C, how does the password reset work ? For example; if Azure AD is configured as an identity provider in B2C then when the user logs in and tries to perform password reset I believe it always redirects the user to their Azure AD tenant to perform SSPR. Hence P1 license in Azure AD is consumed and not B2C licensing. Please confirm.

Thanks

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,685 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,481 Reputation points Microsoft Employee
    2022-03-22T22:31:16.803+00:00

    @robcool
    Thank you for your post and I apologize for the delayed response!

    If a user needs to reset their password - for example an identity logging into B2C via an external account (Azure AD, personal account, etc.), the user should be redirected (asked) to contact their administrator to reset their password. In other words, the user (Azure AD, personal account, etc.) will need to reset their password within their specific tenant/ source of authority, which will leverage that tenant's licensing/SSPR flow. Lastly, the B2C password reset flow and password change flow only work with local B2C accounts.

    When it comes to How the password reset process works for federated identities, SSPR will check to see if the user's password is managed on-premises, such as if the Azure AD tenant is using federated, pass-through authentication, or password hash synchronization:

    • If SSPR writeback is configured and the user's password is managed on-premises, the user is allowed to proceed to authenticate and reset their password.
    • If SSPR writeback isn't deployed and the user's password is managed on-premises, the user is asked to contact their administrator to reset their password.

    For more info - SSPR FAQs

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.