SertacYilmaz-4748 asked

Azure AD B2C User Flow - Reset password - Strange behaviour when trying to login with temporary password

Hi,
I created a Sign In type User Flow and both "Self-service password reset" and "Forced password reset" options are enabled.

From the Azure AD B2C portal, I reset a user's password, and the portal generates a temporary password.
When a user tries to sign in, he is redirected to the Update Expired page.

So until now everything is fine, as expected.

What I did was use the temporary password for all three fields (Password, New Password and Confirm New Password) and submit the form, and I got an error, as I expected. However, when I try to submit the same form despite the error, after 5 attempts I get the error message below, and with a new session, if I try to log in with the old password, I am able to log in successfully.

AADB2C90157: User has exceeded the maximum number for retries for a self-asserted step.
Correlation ID: XXXX
Timestamp: 2021-08-12 15:42:32Z


Steps to reproduce
1- Reset User's password from Azure AD B2C
2- Use temporary password as new password (also in confirm new password field)
3- Click Continue in order to submit
4- Repeat step 3 at least 5 times until you get the error message AADB2C90157
5- Then open login page again and use email and temporary password


Is this expected behaviour? What should I do in order to avoid this situation?

Thanks in advance.


azure-ad-b2c

JamesHamil-MSFT answered

Hi @SertacYilmaz-4748, you're only supposed to put the temporary password in the "password" section. You then have to create a new unique password for the user in the other boxes. This is resetting the password to something new. Please let me know if you have any questions.

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James


SertacYilmaz-4748 answered

@JamesHamil-MSFT thank you for your reply. I understand that the user is supposed to put the temporary password only where it is supposed to be put. But verification fails if he does not do what is not supposed to do. In my opinion, this can be a good improvement. Verification should be maintained; it should not fail, and it should not accept the temporary one after x attempts, which is what is currently happening.


Thank you.
