question

Is your requirement to prevent them from re-using their last password, or to prevent them from ever repeating the same password again?

The best way to prevent password re-use in b2c is this custom policy for scenarios where you need to implement a password reset/change flow where the user cannot use their currently set password:

https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-not-last-password

As of now we do not support enforcing password history in B2C. You can create a banned passwords list but there isn't an out-of-the-box recommended way to do what you are asking. We recommend instead using Azure MFA to secure the accounts. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34839976-aadb2c-password-history-policy

Hi Marilee
My requirement is prevent users from entering last 5 passwords.
I am using a custom policy but microsoft recommends using external system to store password if we need to do check against previous 5 passwords. Its a security mandate that I cant go around so I have to store the passwords externally.

My questions is how I can add passwords as part of output claims as the policy doesn't seem to accept it or may be I am not doing it right

@vijayasaharan, yes, it's likely that you're running into trouble with the policy definitions. Here's a post that you might find helpful: https://www.whoiam.ai/implementing-password-history-in-azure-ad-b2c/