question

6 Votes
SteveDegenhardt-8910 asked SamShinn-6845 answered

Unable to sign on using custom policy

I have followed all the steps here (https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started) in order to create a custom policy. I am able to create an account, but when I attempt to log in I receive the "Invalid username or password" message. I am able to use that account to log in using the built-in user flows but not the custom policies. Unfortunately, the documentation does not show full examples, but after re-reading this about 1000 times I think I am doing this correctly. If anyone has any suggestions on how to debug the issue or what I might be doing incorrectly, please let me know.

azure-ad-b2c

1 Vote
alfredorevilla-msft answered TravisJohnson-8657 commented

In your IdentityExperienceFramework app manifest:

Change:

"accessTokenAcceptedVersion": 2,

To (default value):

"accessTokenAcceptedVersion": null,



Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.


I am experiencing the same issue, but I cannot set accessTokenAcceptedVersion to null. If I try, I get the error:

"Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [Qlq/E]"

Is there another workaround?

1 Vote

Ensure the following value is set:

"signInAudience": "AzureADandPersonalMicrosoftAccount"

0 Votes
Peter-1627 replied to alfredorevilla-msft:

It's already there.

3 Votes

The app manifest doc says 'If signInAudience is AzureADandPersonalMicrosoftAccount, the value [of accessTokenAcceptedVersion] must be 2.' (accessTokenAcceptedVersion attribute)

I'm using same-tenant local accounts only and was able to run custom policies by setting:
"signInAudience": "AzureADMyOrg" (signInAudience attribute) and
"accessTokenAcceptedVersion": null

@Peter-1627 @TravisJohnson-8657

0 Votes

Same here!

Failed to update IdentityExperienceFramework application. Error detail: Property accessTokenAcceptedVersion is invalid. [hd++9]

0 Votes 0 ·

@alfredo-revilla-msft This resolved the issue. I have no idea how this would have been set (I did not edit the manifest directly), so probably something I changed in the UI and when I changed it back it failed to update. But this worked. Thank you for your assistance.

0 Votes 0 ·
0 Votes
alfredorevilla-msft answered Peter-1627 commented

Please take a look at Get started with custom policies in Azure Active Directory B2C. It covers the basic setup, authenticating with local (Azure AD B2C directory) accounts and Facebook accounts.


That is the documentation that I am following. I have read through it probably 20 times now, still cannot get it to work. I don't know where to go for assistance or debugging the issue. The only thing I can do is to follow that page over and over again in order to get the same result, lol.

Typically the issue has to do with the Proxy or Identity in the Extensions, but I have checked that over and over and it appears correct to me.

2 Votes

Please share your policies to review them.

0 Votes
Peter-1627 replied to SteveDegenhardt-8910:

I have read through it probably 2000 times now!!! still cannot get it to work!!!

0 Votes

I have enclosed those below, thanks!

0 Votes

Shared policies are fine. What OAuth2 flow are you using? Authorization, implicit or ROPC? Please share additional error details if available (request or correlation id) and/or follow the steps detailed in Collect Azure Active Directory B2C logs with Application Insights and share generated logs.

0 Votes

Sorry Alfredo, I did not see this message, I have been checking the bottom of this issue for updates and did not realize you posted to a thread.

We are simply trying to run the policy from Azure B2C. We have App Insights logging turned on, but not receiving anything of much use.

0 Votes

2 Votes
SatheeshKumar-7817 answered SatheeshKumar-7817 edited

@alfredorevilla-msft Similar issue as mentioned by others:
1. Created custom policy.
2. Able to run policy "B2C_1A_signup_signin" and create a user.
3. Post sign-up, the token is created successfully, I am redirected to jwt.ms and I can see the created username in the token.
4. When I try to sign in with the same created user it shows the error message "The username or password provided in the request are invalid."
5. I am able to log in with the newly created user through "User flows".

Read the document several times, deleted and recreated the two app registrations (proxy and identity experience framework) mentioned in the documentation, no success.

Any help would be appreciated. (attachment: 63218-b2c-insights-query-data.txt)

2 Votes
SharadTaur-5565 answered

@alfredorevilla-msft ... any luck on this issue? I have followed every step of the documentation but am still not able to sign in using the custom policy. It works for sign-up but not for sign-in.

1 Vote
NHering22101 answered

@alfredorevilla-msft same issue here with code flow. Any updates?

0 Votes
AlmeidaRodneyCorp-0829 answered

Same issue, testing the SignUpOrSignin.xml custom policy: I can create local users OK but cannot log in.

0 Votes
TrungNguyen-2772 answered RadovanKonarevi-9358 commented

Same issue. I was testing B2C_1A_SIGNUP_SIGNIN and I could create a user but could not log in.
Then I read the document again and found out that "allowPublicClient": null, so I updated it as the document says, and then it worked.
Hope that helps!

(attachment: image.png)

Was already set up

0 Votes

1 Vote
RadovanKonarevi-9358 answered

I had the same issue. The change that resolved it was that I deleted the IdentityExperienceFramework and ProxyIdentityExperienceFramework applications created under the B2C "blade" (weird name), and created them under AAD. That means that before doing this step https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-identityexperienceframework-application and this one https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-proxyidentityexperienceframework-application, navigate to AAD and then to App registrations.

0 Votes
SamShinn-6845 answered

When initially trying to upload TrustFrameworkBase.xml I received a validation error. I went looking around in that file and in the <TechnicalProfile Id="login-NonInteractive"> section I found these items:

<Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>

"Well that looks weird," I thought, "I'll try replacing {tenant} with my tenant name." Boom, no validation error! No mention of it in the tutorial, but oh well—it works, so, moving on...

Later, I ran into the principal problem of this thread, where sign-up works but not sign-in. After trying many things, I wondered about my "fix" for that validation error. So...

I switched the METADATA and authorization_endpoint URLs back to the default (as above) and uploaded the file with the "Overwrite the custom policy if it already exists" checkbox selected. No validation issues. Weird. But OK, great, let's try signing in... Lo and behold, that seemed to do the trick: sign-in works now.

Hopefully sharing this helps someone else ♥
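A pre-flight check for the two misconfigurations this thread reports, written as an added example (not code from any poster or from Microsoft): the IdentityExperienceFramework manifest combination of signInAudience and accessTokenAcceptedVersion from the first answer and its comments, and the login-NonInteractive technical profile whose {tenant} placeholder was replaced with a literal tenant name, as in the answer above. The manifest values, the tenant name contoso.onmicrosoft.com and the policy fragment are constructed samples; the check matches elements by local name, so the namespace on the sample root is illustrative only.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the two IdentityExperienceFramework manifest keys discussed in
# the thread; this is not a real tenant's manifest.
SAMPLE_MANIFEST = '{"signInAudience": "AzureADMyOrg", "accessTokenAcceptedVersion": 2}'

# Constructed fragment shaped like the login-NonInteractive profile quoted above, with
# {tenant} replaced by a literal name in METADATA the way the poster described.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
<ClaimsProviders><ClaimsProvider><TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive"><Metadata>
<Item Key="METADATA">https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
</Metadata></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def check_manifest(manifest_json: str) -> list[str]:
    """Report the manifest combinations this thread ties to the sign-in failure."""
    m = json.loads(manifest_json)
    audience, version = m.get("signInAudience"), m.get("accessTokenAcceptedVersion")
    findings = []
    if audience == "AzureADandPersonalMicrosoftAccount":
        # The manifest doc quoted in the thread forces version 2 here and the portal
        # rejects null; the working setup reported for local accounts is AzureADMyOrg.
        findings.append("signInAudience forces accessTokenAcceptedVersion 2; "
                        "use AzureADMyOrg with null for local-account policies")
    elif version is not None:
        findings.append(f"accessTokenAcceptedVersion is {version}; set it to null")
    return findings


def check_login_noninteractive(policy_xml: str) -> list[str]:
    """Flag login-NonInteractive endpoints where the {tenant} placeholder was replaced."""
    findings = []
    for node in ET.fromstring(policy_xml).iter():
        # Match by local name so the policy namespace does not matter.
        if node.tag.endswith("TechnicalProfile") and node.get("Id") == "login-NonInteractive":
            for item in node.iter():
                key = item.get("Key")
                if key in ("METADATA", "authorization_endpoint") and "{tenant}" not in (item.text or ""):
                    findings.append(f"{key}: literal tenant found; restore {{tenant}} "
                                    "and re-upload with overwrite enabled")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST) + check_login_noninteractive(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against the exported manifest JSON and the TrustFrameworkBase.xml you are about to upload; an empty result for both checks means neither of the thread's two causes is present.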
