Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure AD B2C Password Reset policy without email verification step

Tags:

azure-ad-b2c

identity-experience-framework

Is it possible to create custom policy to reset password for already known email?

I create user using Graph API and send invitation email to the specified email address.

I want user to click on the link in that email and just set password for his account.

I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace.

But I am not able to bypass email verification step in the password reset journey - when I remove it, I get 500 server error without additional detail.

I tried to send objectId for the user as input claim as well, but it does not help either.

Is there a way to skip email verification?

like image 784
Klio Avatar asked Apr 19 '18 14:04

Klio

People also ask

How do I change my Azure B2C password?

On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch. In the Azure portal, search for and select Azure AD B2C. Select Users. Search for and select the user you'll use to test the password reset, and then select Reset Password.

How do I enforce an Azure AD password policy?

To change the Azure AD Password Protection settings we will need to open the Azure AD portal: Go to portal.azure.com. Open the Azure Active Directory. Click on Security > Authentication Methods >Password Protection.

Who can reset passwords in Azure AD?

By default, Azure AD enables self-service password reset for admins. They're required to use two authentication methods to reset their password.

1 Answers

You have the following options that vary the user experience:

  1. Display the email address as a read-only field and remove the email verification requirement.
  2. Remove the email verification step.

Display the email address as a read-only field

1) Create a readOnlyEmail claim type:

<ClaimType Id="readOnlyEmail">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <UserInputType>Readonly</UserInputType>
</ClaimType>

2) Create a claims transformation that copies from the email claim to the readOnlyEmail claim:

<ClaimsTransformation Id="CopyFromEmailToReadOnlyEmail" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

3) Add the CopyFromEmailToReadOnlyEmail claims transformation as an input claims transformation to the LocalAccountDiscoveryUsingEmailAddress technical profile and then replace the email claim type with readOnlyemail as the input and output claims for this technical profile:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CopyFromEmailToReadOnlyEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="readOnlyEmail" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

Remove the email verification step

1) Change the first step for the PasswordReset journey from:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>

to:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>
like image 103
Chris Padgett Avatar answered Oct 01 '22 17:10

Chris Padgett
Sign in to Comment

Related questions

Hybrid authentication scenario - Azure AD B2C and Azure AD
Validating B2C JWT tokens in Asp.Net Core Web Api
Programmatic (API calls) User Authentication using Azure AD B2C instead of login.microsoftoneline.com form
Azure AD B2C - MSAL JS - Refreshing token yields AADB2C90055
Changing B2C Reply URL from "signin-oidc" to something else does not work
How to get an error log in Azure AD B2C tenant with correlation ID?
Azure AD B2C application vs Azure App Registration app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!