Azure ADB2C forgot password function - double verification issue

Jayde Nienaber 6 Reputation points
2022-08-10T05:49:01.027+00:00

We are experiencing an issue with the Azure ADB2C forgot password function. It asks you to verify your email twice, with two separate verification emails. See screenshots of the process below for reference. 229710-step-1.jpg229795-step-2.jpg229823-step-3.jpg229832-step-4.jpg229841-step-5.jpg By the second step it is telling me my email address is verified, but when I click continue it tells me “Verification is necessary” and then takes me through the whole process again.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,908 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,079 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,866 Reputation points Microsoft Employee
    2022-08-23T19:49:30.217+00:00

    Hi @Jayde Nienaber ,

    If you have MFA enabled this is the default behavior and a known issue. If you are using the SignUp-SignIn policies while resetting the password using SSPR for B2C, the default behavior for the password reset flow using SignUp-SignIn policies is that you will enter the email and password and confirm the new password. If MFA is enabled for your SignUp-SignIn policy and you try to reset the password, you will first go to the default flow for SSPR, enter your email address, receive the code sent to your email, and after you enter the code you will go to the MFA page.

    You should be able to resolve this by setting the MFA enforcement to "off."

    234099-image.png

    If this does not work or your scenario does not support this, another workaround is to have two separate policies (one for sign-up and sign-in with MFA and another for password reset with MFA disabled), or to use custom policies.

    See related:
    Verification Twice
    SocialAndLocalAccountsWithMfa

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.