Should Azure AD B2C User Flows still reject passwords containing the substring ".@"?
According to the Azure AD B2C password complexity documentation (http://aka.ms/b2cpasswordcomplexity), passwords can contain "any letter, number, or symbol".
However, if I try to use, say, a Sign up User flow to create an account, passwords containing the substring ".@" are rejected (with a slightly misleading error message). The root cause seems to be that cpimcore.onmicrosoft.com's 'B2CTrustFrameworkBaseV2' policies still use (in the 'AllowedAADCharacters' predicate) a regexp that excludes ".@" (see the negative lookahead (?!@)).
In the past, Azure AD strong passwords could not contain the substring ".@" (https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx#password-policies-that-apply-only-to-cloud-user-accounts). Today, this restriction is conspicuously absent (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts); also, if I work around the below issue, I can successfully create Azure AD B2C accounts with passwords containing the substring ".@", so it looks like that absence is intentional.
Reproduction:
- In Azure Portal, go to the overview page for Azure AD B2C (for some regular tenant that is set up to run User flows).
- Go to User flows.
- Use an existing User flow, e.g. Sign up, with Strong password complexity.
OR
- Create a new User flow: select New user flow. Select e.g. Sign up, select Recommended and select Create.
- Enter name e.g. 'pwdtest', select Email signup and select Create.
- Select the user flow and select Run user flow. Select Run user flow.
- Enter an accessible e-mail address. Select Send verification code. When the code arrives, enter it and select Verify code.
- Enter a valid password containing ".@" twice, e.g. "Aaaaaaa0.@".
- Select Create. Both password boxes are annotated with the error message "An invalid character was provided.". <- BUG?
Expected behaviour:
- Sign up (and password reset) should accept passwords containing the substring ".@".
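As an added example (not part of the original question, and not the actual cpimcore base policy), the Python below reproduces the mechanism the question attributes to the 'AllowedAADCharacters' predicate: a character predicate in which '.' is only accepted through a negative lookahead \.(?!@), shown next to a relaxed variant in which '.' is an ordinary allowed character. The allowed character set is an assumption modelled on the question's description, not a verbatim copy of the real regexp, and the sample passwords are constructed for the test.

```python
import re

# Constructed approximation of the character predicate described in the
# question (NOT the verbatim base-policy regexp): every character must be in
# the allowed set, or be a '.' that is NOT immediately followed by '@'.
# The negative lookahead (?!@) is what turns ".@" into a rejection.
ALLOWED_CLASS = r"[0-9A-Za-z@#$%^&*\-_+=\[\]{}|\\:',?/`~\"();]"
STRICT_REGEX = re.compile(r"^(?:" + ALLOWED_CLASS + r"|\.(?!@))+$")

# Relaxed variant: '.' is just another allowed symbol, so ".@" passes.
RELAXED_REGEX = re.compile(r"^(?:" + ALLOWED_CLASS + r"|\.)+$")


def allowed_chars(password, pattern=STRICT_REGEX):
    """True if every character of `password` is accepted by `pattern`."""
    return pattern.fullmatch(password) is not None


def find_dot_at(password):
    """Offset of the first ".@" in `password`, or None if there is none.

    This is the only reason the strict predicate can reject a password made
    solely of characters from the allowed set, so it is the useful diagnostic
    behind a generic "An invalid character was provided." message.
    """
    offset = password.find(".@")
    return None if offset == -1 else offset


def explain(password):
    """Return (strict_ok, relaxed_ok, dot_at_offset) for one password."""
    return (
        allowed_chars(password, STRICT_REGEX),
        allowed_chars(password, RELAXED_REGEX),
        find_dot_at(password),
    )


if __name__ == "__main__":
    # Constructed sample passwords; "Aaaaaaa0.@" is the one from the question.
    for pw in ["Aaaaaaa0.@", "Aaaaaaa0@.", "Aaaaaaa0.x", "Aaaa aaa0"]:
        strict_ok, relaxed_ok, where = explain(pw)
        print(f"{pw!r}: strict={strict_ok} relaxed={relaxed_ok} '.@' at {where}")
```

Running the block shows that only the strict pattern rejects "Aaaaaaa0.@", that the same characters in the other order ("Aaaaaaa0@.") pass both patterns, and that a password with a character outside the set (a space) is rejected by both; that last case is the one for which the error message is accurate.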