2 Votes
SaqibAhmed-1948 asked PaulBaker-9299 commented

Azure B2C password reset from Azure Blade provides "The password has expired."

We need some users to have the User Administrator role so they can reset passwords of the consumer accounts, but once the password is reset from the Azure B2C user blade it does not work, and when logging in with the newly supplied password the user receives "The password has expired."

What should be the way forward?

azure-ad-b2c

1 Vote
amanpreetsingh-msft answered PaulBaker-9299 commented

Hello @SaqibAhmed-1948


This is expected. When you reset the password using an admin account from the Azure AD portal, a temporary password is generated which is marked as expired and requires the user to provide a new password. Since in B2C there is a different mechanism for resetting passwords (i.e. by using Password Reset user flows/custom policies), users don't get the option to reset the password and only get the "The password has expired." message. In B2C, administrator accounts cannot be used to reset the password of consumer accounts.


You may consider using one of the below custom policies:

Force password reset first logon
Force password after 90 days



Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.




Hello @amanpreetsingh-msft - thanks for the reply.

Given that "In B2C, administrator accounts cannot be used to reset password of consumer accounts." - then how could we implement a flow where the customer support team could reset the password of a user? Does B2C only support self-service password reset?

Thanks,

Mau

2 Votes

I agree - it should be easier to configure B2C to allow support teams and administrators to reset passwords on behalf of the user. This is a very common use case.

1 Vote

@amanpreetsingh-msft - is there any work being done to make it easier for support teams or administrators to reset users passwords, please? If not, how should we place a request for that?

1 Vote

@SaqibAhmed-1948 Please let me know if the answer helped. Feel free to tag me in your reply if you have any question.

1 Vote

Hi Aman

Indeed it was, thanks.

1 Vote

@SaqibAhmed-1948 Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


1 Vote

Hi Aman,

If the expected result is for Azure AD to create an expired password, why does it say "...will be assigned a temporary password that must be changed on the next sign in." and "Provide this temporary password to the user so they can sign in."?

[attached screenshot: 124788-azure-password-error.jpg]

Thanks,
Paul


1 Vote

@amanpreetsingh-msft
Does this link say the same thing you said?
https://docs.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-custom-policy#overview

My scenario is that I have created a user using the Graph API, setting an initial "password", and he logs in successfully using this password. What I want now is that at his first login he should be asked to reset his password.

What should I do to make it functional? (I don't need to reset the user's password from the Azure portal; the user himself should reset it on his first login.)

any help will be appreciated.

0 Votes

Yes, I have seen that answer, thanks a lot. I'll try and test that and get back to you. Currently I have another question: I want to create users from different tenants using the Graph API. What are the steps? I am able to create local and work accounts successfully, but they are only within the tenant that the Graph API is connected to.

0 Votes

0 Votes
gdxyz answered

Thanks for creating the force password reset policy, it was very helpful.

However, why the decision to create these json key/values that don't follow a specific graph API schema? we now have to be aware to publish this json property "extension_YOURAPPIDGUIDWITHOUTDASHES_mustResetPassword".

The downstream effects are pretty heavy... for example:

In terms of creating API wrappers, etc., this becomes difficult if it's not part of a schema. Also we lose IntelliSense, and it is difficult to create documentation for.

In our situation we have a C# class that is serialized and pushed to the API endpoint; we now have to add a property "extension_YOURAPPIDGUIDWITHOUTDASHES_mustResetPassword" (and/or make use of the JSON property attribute). Even worse if you have multiple environments / Azure AD applications.

Wouldn't it be cleaner to create a "applicationExtensionAttributes" (as an example) as part of the schema:

 {
     "objectId": null,
     "accountEnabled": true,
     "applicationExtensionAttributes": {
         "applications": [{
             "id": "GUID-1",
             "attributes": [{
                     "key": "mustResetPassword",
                     "value": true
                 },
                 {
                     "key": "whatEverIWant",
                     "value": "can go here"
                 }
             ]
         }]
     }
 }


Thank you!

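As an added example (not code from this thread, from Microsoft, or from the sample policy's authors), the following Python script builds the Microsoft Graph requests for the route the thread converges on: create the B2C local account through Graph with an initial password that is *not* flagged as expired, and drive the first-login reset through the sample policy's `extension_<appid>_mustResetPassword` flag instead of the portal's admin reset. It also derives that property name from the b2c-extensions-app id, which is the per-environment step the post above complains about. The tenant name, the extensions-app id, the e-mail address and the `GRAPH_TOKEN` environment variable are placeholders I assumed; the request body shape (identities, passwordProfile with forceChangePasswordNextSignIn false, passwordPolicies DisablePasswordExpiration) is the documented one for B2C local accounts, and the extension flag is the one named in the sample policy.

```python
"""Build and (optionally) send the Microsoft Graph calls for a B2C local
account whose first sign-in must go through the community
'force password reset first logon' custom policy."""
import json
import re
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumed placeholder values (not from the thread): replace per environment.
B2C_EXTENSIONS_APP_ID = "12345678-1234-1234-1234-123456789abc"
TENANT = "contoso"


def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    """Graph exposes directory extension attributes as
    'extension_<b2c-extensions-app id without dashes>_<name>'.
    Validate the id so a typo cannot silently produce a property the policy
    never reads (the user would then sign in with no reset prompt)."""
    app_id = extensions_app_id.replace("-", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", app_id):
        raise ValueError("extensions app id must be a GUID")
    return f"extension_{app_id}_{attribute}"


def generate_initial_password(length: int = 20) -> str:
    """Random initial password from a CSPRNG meeting a 3-of-4 character-class rule."""
    symbols = "!@#$%^&*"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
                   + any(c.isdigit() for c in pw) + any(c in symbols for c in pw))
        if classes >= 3:
            return pw


def build_create_user_body(sign_in_email: str, display_name: str, password: str,
                           extensions_app_id: str = B2C_EXTENSIONS_APP_ID,
                           tenant: str = TENANT) -> dict:
    """Body for POST /users creating a B2C local account.

    forceChangePasswordNextSignIn must be False: B2C has no built-in
    'change on next sign-in' page, so a True value (what the portal's admin
    reset sets) yields the 'The password has expired.' error from the thread.
    The first-login reset is driven by the policy's extension flag instead."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{
            "signInType": "emailAddress",
            "issuer": f"{tenant}.onmicrosoft.com",
            "issuerAssignedId": sign_in_email,
        }],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
        extension_attribute_name(extensions_app_id, "mustResetPassword"): True,
    }


def build_must_reset_patch(must_reset: bool = True,
                           extensions_app_id: str = B2C_EXTENSIONS_APP_ID) -> dict:
    """Body for PATCH /users/{id}: a support tool flags an existing account
    (True); the policy clears the flag after the user chooses a new password."""
    return {extension_attribute_name(extensions_app_id, "mustResetPassword"): must_reset}


def check_create_body(body: dict) -> list:
    """Return the problems that would reproduce the thread's failure mode."""
    problems = []
    if body.get("passwordProfile", {}).get("forceChangePasswordNextSignIn") is not False:
        problems.append("forceChangePasswordNextSignIn must be false for B2C")
    if body.get("passwordPolicies") != "DisablePasswordExpiration":
        problems.append("passwordPolicies should be DisablePasswordExpiration")
    if not any(k.startswith("extension_") and k.endswith("_mustResetPassword") for k in body):
        problems.append("mustResetPassword extension flag missing")
    return problems


def graph_call(method: str, path: str, body: dict, token: str) -> dict:
    """Send one Graph request with an app token holding User.ReadWrite.All."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PATCH returns 204 with no body


if __name__ == "__main__":
    import os
    pw = generate_initial_password()
    body = build_create_user_body("alice@example.com", "Alice Example", pw)
    assert not check_create_body(body)
    print(json.dumps(body, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # set to actually create the user
    if token:
        user = graph_call("POST", "/users", body, token)
        print("created", user["id"], "initial password:", pw)
```

Run it without `GRAPH_TOKEN` to inspect the generated body offline; with a token it creates the account. `check_create_body` is the guard to keep in any wrapper class of the kind the post above describes: the same tenant-specific property name is computed once from the extensions-app id rather than hard-coded per environment.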

0 Votes
MartinRhodes-6042 answered

It is possible to set a new password using the following PowerShell cmdlet - although this is a workaround that is far from ideal

 # Sign in to the B2C tenant with the AzureAD module
 Connect-AzureAD -TenantId <tenantId>
 # Wrap the plaintext password in a SecureString (note the plain ASCII hyphen before AsPlainText)
 $Password = ConvertTo-SecureString -String "TheNewPassword" -Force -AsPlainText
 # Set the password on the user object identified by its object id
 Set-AzureADUserPassword -ObjectId <userId> -Password $Password