I am creating new users in Azure AD B2C using the Graph client API. The JSON I send to the API looks like the following:

```json
{
  "creationType": "LocalAccount",
  "passwordProfile": {
    "password": "a:898;keJPpN/69X",
    "forceChangePasswordNextLogin": true
  },
  "passwordPolicies": "DisablePasswordExpiration",
  "objectId": null,
  "accountEnabled": true,
  "displayName": "John Doe",
  "mailNickname": "john.doe",
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "[email protected]"
    }
  ]
}
```
The user is then created correctly. However, once I try to log in with the newly created user using the flow "Sign in v2", I get the following error message: Invalid username or password.

Looking at the sign-in attempts, the failed attempts all failed with:

```
Status: Interrupted
Sign-in error code: 50055
Failure reason: Invalid password, entered expired password.
```
Starting a "Password reset v2"-flow by clicking "Forgot your password?" does correctly trigger a password reset flow with email confirmation. After entering the sent confirmation code and setting a new password, the login works as expected.
If I set `"forceChangePasswordNextLogin": false`, the first login works as expected. However, in this case the user is not forced to change his one-time password, so this is not really an option.
Also interesting: When using the flow "Sign in" (without v2), everything works as expected and the user is forced to change the password on the first login. However, as this flow does not support custom styling, this is also not an option.
What do I have to do to get the "Sign in v2" flow to correctly trigger a password change on the first login of a user?
Rather than setting `passwordProfile.forceChangePasswordNextLogin` to `true`, you can create a custom attribute (e.g. `ForceResetPasswordNextLogin`), set this to `true` when you create the local account, and then issue this as an application claim from the sign-in policy to your B2C application. After sign-in, if it is set to `true`, then your B2C application can initiate the password reset policy. After password reset, your B2C application can set it to `false`.

You can otherwise consider a custom policy from the starter pack that includes a password change step.
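The custom-attribute workaround from the answer above, as an added example that is not part of the original answer: the create-user body carries the flag in a B2C extension attribute instead of `passwordProfile.forceChangePasswordNextLogin`, the app checks the claim after sign-in to decide whether to send the user into the reset policy, and clears the flag afterwards. The extensions app id, the attribute name and the reset policy id are assumptions (placeholders); B2C exposes custom attributes to Graph as `extension_<appId>_<Name>`.

```python
# Added example: app-side logic for the custom-attribute workaround.
# Placeholders below are assumptions, not values from the original thread.
EXTENSIONS_APP_ID = "00000000000000000000000000000000"  # b2c-extensions-app id, hyphens removed
FORCE_RESET_ATTR = f"extension_{EXTENSIONS_APP_ID}_ForceResetPasswordNextLogin"
PASSWORD_RESET_POLICY = "B2C_1_password_reset_v2"  # assumed id of your password reset user flow


def build_create_user_body(display_name, email, temp_password):
    """Graph create-user body with the same shape as the question's JSON, except that
    the 'must change password' state lives in the custom attribute. The built-in
    flag stays False because Sign in v2 treats it as an expired password."""
    return {
        "creationType": "LocalAccount",
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": email.split("@")[0].lower(),
        "passwordPolicies": "DisablePasswordExpiration",
        "passwordProfile": {"password": temp_password, "forceChangePasswordNextLogin": False},
        "signInNames": [{"type": "emailAddress", "value": email}],
        FORCE_RESET_ATTR: True,
    }


def needs_password_reset(id_token_claims):
    """True if the sign-in policy issued the custom attribute as a claim and it is set.
    Claims may arrive as a bool or as the string "true"; anything else counts as not set,
    so a missing claim (e.g. a pre-existing user) never traps the user in a reset loop."""
    value = id_token_claims.get(FORCE_RESET_ATTR, False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def next_policy(id_token_claims):
    """Policy the app should redirect to after sign-in, or None to continue normally."""
    return PASSWORD_RESET_POLICY if needs_password_reset(id_token_claims) else None


def build_clear_flag_patch():
    """Graph PATCH body the app sends once the password reset policy completed."""
    return {FORCE_RESET_ATTR: False}
```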