Azure AD B2C with custom policies: Unable to authenticate user with temporary password

Question

I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.

I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.

The problem can be reproduced using the custom policies described in this guide: Get started with custom policies.

Additional information:

I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>

The problem result in the following logging:

SelfAssertedMessageValidationHandler

The message was received from null

Validation via SelfAssertedAttributeProvider

Additional validation is required...

OperativeTechnicalProfile is login-NonInteractive

Mapping 'username' partner claim type to 'signInName' policy claim type

Mapping default value 'undefined' to policy 'grant_type'

Mapping default value 'undefined' to policy 'scope'

Mapping default value 'undefined' to policy 'nca'

Mapping default value 'undefined' to policy 'client_id'

Mapping default value 'undefined' to policy 'resource_id'

Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token

Orchestration Step: 1

RA: 0

Protocol selected by the caller: OAUTH2

Communications with the caller handled by: OAuth2ProtocolProvider

IC: True

OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail

ValidationRequest:

ValidationResponse:

Exception:

Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.

Answer 1

The most common reason for this that Grant Permissions has not been executed.

On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:

Select Grant Permissions, and then confirm by selecting Yes.

Edit:

Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.