Azure AD B2C Password Reset

I am trying to understand how Azure AD B2C password reset is meant to be used.

It appears there are a number of ways password reset can be handled. What is the difference between these? Is there a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C? Why does method 3 below not appear to work?

  1. Via Azure B2C user flows (policies).

     • The policy for Sign in v1 goes to the AD password reset below.
     • All other policies go to B2C password reset, which allows users to reset their password via the primary email address stored in their user profile.

  2. Via Azure Active Directory Self Service Password Reset, which is accessible via https://passwordreset.microsoftonline.com. This allows the user to reset their password via any email address stored on their profile.

  3. Reset password button on the user profile. This provides a temporary password, however the temporary password does not seem to work.

James Wood asked Feb 20 '19 13:02



2 Answers

AAD B2C ≠ AAD ===> AAD B2C users ≠ AAD users

Currently, we only support two ways to reset Azure AD B2C users' passwords in the general scenario:

  1. Self-service password reset (SSPR) with the Azure AD B2C Password reset policy/user flow.

  2. Admins help users reset their password with the Azure AD Graph API: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

Answers to your questions:

What is the difference between these? Is there a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C?

  • Password reset policy/user flow is for AAD B2C users. You can use it directly. AAD B2C users can use this to reset their password by themselves. It's also a kind of SSPR.

  • Azure Active Directory Self Service Password Reset. Generally, it's for enterprise users. As this feature is for the V1 Sign in user flow only, I don't recommend using it.

  • Reset password button on user profile. It's for AAD (organization/enterprise) users only. Don't use this button for AAD B2C users.

Why does method 3 below not appear to work?

As I mentioned above, this feature is just for Azure AD users, NOT AAD B2C users. Therefore, you cannot reset B2C users' passwords here.

As Alex said, an AAD B2C user is not an Azure AD user. B2C users are for the 2C scenario. Normal Azure AD users are for the organization/enterprise scenario.

You can also refer to my answers for What's the difference between Azure AD B2C tenant and normal Azure AD tenant?


More about how B2C password reset policy works:

  • After the user clicks the "Forgot your password?" button in the Sign-up/Sign-in policy, AAD B2C sends a message with "AADB2C90118" back to the application.

  • For example, in an ASP.NET MVC web app, it should challenge:

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        notification.HandleResponse();

        // Handle the error code that Azure AD B2C throws when trying to reset a password from the login page
        // because password reset is not supported by a "sign-up or sign-in policy"
        if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
        {
            // If the user clicked the reset password link, redirect to the reset password route
            notification.Response.Redirect("/Account/ResetPassword");
        }

        // The OWIN middleware expects a Task back from this notification handler
        return Task.FromResult(0);
    }
  • It means that the application will redirect to /Account/ResetPassword after receiving this message.

  • /Account/ResetPassword is defined here in the Account controller. It should be determined by the password reset policy name that is defined by you.

    public void ResetPassword()
    {
        // Let the middleware know you are trying to use the reset password policy (see OnRedirectToIdentityProvider in Startup.Auth.cs)
        HttpContext.GetOwinContext().Set("Policy", Startup.ResetPasswordPolicyId);

        // Set the page to redirect to after changing passwords
        var authenticationProperties = new AuthenticationProperties { RedirectUri = "/" };
        HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);

        return;
    }

  • Then the user will be redirected to the B2C password reset policy to change their password.
Wayne Yang answered Sep 26 '22 01:09

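The error-code handoff described in the answer above, as an added example that is not part of the original post or of Microsoft's sample: a small Python callback handler that parses the sign-up/sign-in response, checks the OIDC state it issued, and only then redirects to the password reset user flow when the error description carries AADB2C90118. The tenant name, policy name, client id and redirect URI are assumptions.

```python
from urllib.parse import parse_qs, urlencode

# Constructed values for this example; the tenant, policy name, client id and
# redirect URI are assumptions, not values from the original post.
TENANT = "contoso"
RESET_PASSWORD_POLICY = "B2C_1_passwordreset"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app registration id
REDIRECT_URI = "https://localhost:44316/signin-oidc"
FORGOT_PASSWORD_CODE = "AADB2C90118"  # error code named in the answer above


def authorize_url(policy, state, nonce):
    """Build the b2clogin.com authorize request for a given user flow (policy)."""
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize"
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{base}?{urlencode(params)}"


def handle_callback(form_body, expected_state, nonce):
    """Decide what to do with the redirect_uri callback from the sign-up/sign-in policy.

    Returns ("token", id_token), ("reset_password", authorize_url) or ("error", message).
    """
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    # Reject any callback whose state is not the one we issued, error responses included.
    if params.get("state") != expected_state:
        return ("error", "state mismatch")
    description = params.get("error_description", "")
    if params.get("error"):
        # "Forgot your password?" on the sign-up/sign-in page comes back as an OIDC error
        # whose description carries AADB2C90118; send the user to the reset policy instead.
        if FORGOT_PASSWORD_CODE in description:
            return ("reset_password", authorize_url(RESET_PASSWORD_POLICY, expected_state, nonce))
        return ("error", f"{params['error']}: {description}")
    if "id_token" in params:
        return ("token", params["id_token"])
    return ("error", "no id_token or error in callback")


# Constructed callback body, shaped like the form_post B2C sends after "Forgot your password?".
SAMPLE_FORGOT = urlencode({
    "error": "access_denied",
    "error_description": "AADB2C90118: The user has forgotten their password.",
    "state": "s1",
})
```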


My experience, examples assuming that your B2C tenant is named contoso.onmicrosoft.com or just contoso.com:

  • If you register [email protected] or [email protected] through a sign-in policy, you can only change your password via the password reset policy. You have a password only for this tenant, even if your account belongs to another AAD.
  • If you manually create an account in the B2C tenant, e.g. [email protected], you can only reset the password via classic AAD methods. This would be 2) and possibly 3) in your case. You log in to the B2C applications with the same password.

The only real way in my experience is to use the user flows (policies). The other two only work for the accounts that are specific to the B2C directory in question.

You have to consider that in a B2C scenario, the user's email address could also belong to a "normal" AAD user in a completely different directory (classic B2B). The two tenants/directories don't really know about each other. Even if it is not an AAD account, it could belong to users in multiple different B2C tenants. Each has a separate password.

Alex AIT answered Sep 26 '22 01:09
