Set up a force password reset flow in Azure Active Directory B2C

Before you begin, use the selector above to choose the type of policy you’re configuring. Azure AD B2C offers two methods of defining how users interact with your applications: through predefined user flows, or through fully configurable custom policies. The steps required in this article are different for each method.

Important

Force password reset is a public preview feature of Azure AD B2C. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Overview

As an administrator, you can reset a user's password when the user forgets it, or force the user to reset it. In this article, you'll learn how to force a password reset in these scenarios.

When an administrator resets a user's password via the Azure portal, the value of the forceChangePasswordNextSignIn attribute is set to true. The sign-in and sign-up journey checks the value of this attribute. After the user completes the sign-in, if the attribute is set to true, the user must reset their password. Then the value of the attribute is set back to false.

Force password reset flow

The password reset flow is applicable to local accounts in Azure AD B2C that use an email address or username with a password for sign-in.

Force a password reset after 90 days

As an administrator, you can set a user's password expiration to 90 days using MS Graph. After 90 days, the value of the forceChangePasswordNextSignIn attribute is automatically set to true. For more information on how to set a user's password expiration policy, see Password policy attribute.

Once a password expiration policy has been set, you must also configure the force password reset flow, as described in this article.
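The attribute lifecycle described in the Overview (admin reset sets forceChangePasswordNextSignIn to true, the sign-in journey checks it, a completed reset sets it back to false) and the 90-day expiration above can be traced end to end with a small model. The following Python is an added example, not Microsoft's or Azure AD B2C's own code: it models the user attributes and journey in memory and builds the Microsoft Graph passwordProfile body an administrator would PATCH. The timeline, account name and passwords are constructed, the 90-day window is assumed to be measured from the last password change (the page does not state the reference point), and SHA-256 stands in for the directory's real credential store.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The 90-day expiration window the article describes (assumed here to be
# measured from the last password change; the page does not say).
PASSWORD_MAX_AGE = timedelta(days=90)


def _digest(password: str) -> str:
    # Stand-in for the directory's credential store; a real store uses a
    # slow, salted password hash, not plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class User:
    """Minimal model of the B2C user attributes that drive the force-reset flow."""
    user_principal_name: str
    password_hash: str
    force_change_password_next_sign_in: bool = False   # forceChangePasswordNextSignIn
    last_password_change: datetime = field(
        default_factory=lambda: datetime.now(timezone.utc))


def graph_force_reset_payload(temporary_password: str) -> str:
    """JSON body for Microsoft Graph PATCH /users/{id} that resets the password
    and sets forceChangePasswordNextSignIn to true (passwordProfile shape)."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": temporary_password}}
    return json.dumps(body)


def admin_reset_password(user: User, temporary_password: str, now: datetime) -> None:
    """What the portal's Reset Password action does to the user object."""
    user.password_hash = _digest(temporary_password)
    user.last_password_change = now
    user.force_change_password_next_sign_in = True


def password_expired(user: User, now: datetime) -> bool:
    return now - user.last_password_change >= PASSWORD_MAX_AGE


def sign_in(user: User, password: str, now: datetime) -> str:
    """Models the sign-in journey: verify the credential, then evaluate the attribute.
    Returns 'denied', 'password_reset_required' or 'signed_in'."""
    if not hmac.compare_digest(_digest(password), user.password_hash):
        return "denied"
    if password_expired(user, now):
        # The expiration policy flips the attribute automatically.
        user.force_change_password_next_sign_in = True
    if user.force_change_password_next_sign_in:
        # Credential was valid, but no token is issued until the reset completes.
        return "password_reset_required"
    return "signed_in"


def complete_password_reset(user: User, old_password: str,
                            new_password: str, now: datetime) -> bool:
    """Second half of the journey: the user sets a new password and the flag clears."""
    if not hmac.compare_digest(_digest(old_password), user.password_hash):
        return False
    if new_password == old_password:
        return False   # keeping the same password defeats the reset
    user.password_hash = _digest(new_password)
    user.last_password_change = now
    user.force_change_password_next_sign_in = False
    return True


def walkthrough() -> list:
    """Runs the scenario end to end and returns the sequence of sign-in outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    user = User("alice@contoso.example", _digest("Initial-Pass-1"),
                last_password_change=t0)
    outcomes = [sign_in(user, "Initial-Pass-1", t0)]                          # signed_in
    admin_reset_password(user, "Temp-Pass-2", t0 + timedelta(days=1))
    outcomes.append(sign_in(user, "Temp-Pass-2", t0 + timedelta(days=1)))     # reset required
    complete_password_reset(user, "Temp-Pass-2", "User-Chosen-3",
                            t0 + timedelta(days=1))
    outcomes.append(sign_in(user, "User-Chosen-3", t0 + timedelta(days=2)))   # signed_in
    outcomes.append(sign_in(user, "User-Chosen-3", t0 + timedelta(days=92)))  # expired, reset required
    return outcomes


if __name__ == "__main__":
    print(walkthrough())
    print(graph_force_reset_payload("<temporary password>"))
```

The model makes the ordering explicit: the credential is verified first, and only then is the attribute consulted, so a valid password with the flag set yields a reset prompt rather than a token. The 90-day branch sets the same attribute, which is why the force password reset flow must be configured for the expiration policy to have any visible effect.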

Prerequisites

Configure your policy

To enable the Forced password reset setting in a sign-up or sign-in user flow:

  1. Sign in to the Azure portal.
  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
  3. In the Azure portal, search for and select Azure AD B2C.
  4. Select User flows.
  5. Select the sign-up and sign-in user flow, or the sign-in user flow (of type Recommended), that you want to customize.
  6. In the left menu under Settings, select Properties.
  7. Under Password complexity, select Forced password reset.
  8. Select Save.

Test the user flow

  1. Sign in to the Azure portal as a user administrator or a password administrator. For more information about the available roles, see Assigning administrator roles in Azure Active Directory.
  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
  3. In the Azure portal, search for and select Azure AD B2C.
  4. Select Users. Search for and select the user you'll use to test the password reset, and then select Reset Password.
  5. In the Azure portal, search for and select Azure AD B2C.
  6. Select User flows.
  7. Select a sign-up or sign-in user flow (of type Recommended) that you want to test.
  8. Select Run user flow.
  9. For Application, select the web application named webapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  10. Select Run user flow.
  11. Sign in with the user account for which you reset the password.
  12. You now must change the password for the user. Change the password and select Continue. The token is returned to https://jwt.ms and should be displayed to you.

This feature is currently only available for User Flows. For setup steps, choose User Flow above.

Next steps

Set up a self-service password reset.