question

0 Votes
vijayasaharan asked:

azure ad b2c Prevent Password reuse

I am trying to send the password as part of the output claims, but it never comes up. I tried to create a new extension variable and do a transformation copy claim, but that didn't work either.

I would like to hash the password and store it in an external system to work around the issue of not repeating passwords, as that's a security requirement.

If I try to add <OutputClaim ClaimTypeReferenceId="password" /> as part of <TechnicalProfile Id="login-NonInteractive">, the whole login screen stops working.

Please let me know if I am missing something, and also how to hash the password to send it to an external REST API technical profile.

azure-ad-b2c

0 Votes
MarileeTurscak answered:

Is your requirement to prevent them from re-using their last password, or to prevent them from ever repeating the same password again?

The best way to prevent password re-use in B2C is this custom policy, for scenarios where you need to implement a password reset/change flow where the user cannot use their currently set password:

https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-not-last-password

As of now we do not support enforcing password history in B2C. You can create a banned passwords list but there isn't an out-of-the-box recommended way to do what you are asking. We recommend instead using Azure MFA to secure the accounts. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34839976-aadb2c-password-history-policy


0 Votes
vijayasaharan answered:

Hi Marilee,
My requirement is to prevent users from entering their last 5 passwords.
I am using a custom policy, but Microsoft recommends using an external system to store passwords if we need to check against the previous 5 passwords. It's a security mandate that I can't go around, so I have to store the passwords externally.

My question is how I can add passwords as part of the output claims, as the policy doesn't seem to accept it, or maybe I am not doing it right.

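As an added illustration of the external-storage approach discussed above (not code from the thread or from Microsoft), this is the core of the external service a B2C REST API technical profile could call: it keeps only a salted, slow hash of each of the user's last 5 passwords, never the passwords themselves, and rejects a candidate that matches any of them. The user ids, passwords and iteration count are constructed for the example, and the version/status/userMessage response shape is assumed to match the B2C validation contract.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5            # the mandate from the thread: reject any of the last 5 passwords
PBKDF2_ITERATIONS = 100_000  # constructed floor for a fast demo; raise it for production
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked history table does not leak the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user store of the last N (salt, digest) pairs; the oldest entry is dropped automatically."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = {}  # user_id -> deque of (salt, digest), oldest first

    def was_used_recently(self, user_id: str, password: str) -> bool:
        # Every entry has its own salt, so the candidate must be re-hashed per entry.
        for salt, digest in self._entries.get(user_id, ()):
            if hmac.compare_digest(hash_password(password, salt), digest):
                return True
        return False

    def record(self, user_id: str, password: str) -> None:
        history = self._entries.setdefault(user_id, deque(maxlen=self.depth))
        salt = os.urandom(SALT_BYTES)
        history.append((salt, hash_password(password, salt)))


def validate_new_password(history: PasswordHistory, user_id: str, password: str) -> dict:
    """Response body for the validation call. The version/status/userMessage shape is an
    assumption about what a B2C REST API validation technical profile expects on rejection."""
    if history.was_used_recently(user_id, password):
        return {"version": "1.0.0", "status": 409,
                "userMessage": f"You cannot reuse any of your last {history.depth} passwords."}
    history.record(user_id, password)  # accepted: it now becomes the newest history entry
    return {"version": "1.0.0", "status": 200}
```

The plaintext candidate still has to reach this service over TLS for the check to happen, so the service, not the policy, is the place to do the hashing and it must discard the plaintext immediately after.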

0 Votes
AjithAlexander-5253 answered:

@vijayasaharan, yes, it's likely that you're running into trouble with the policy definitions. Here's a post that you might find helpful: https://www.whoiam.ai/implementing-password-history-in-azure-ad-b2c/
