Azure AD B2C self service password reset link doesn't work

azure-ad-b2c
Riz picture Riz · Jan 6, 2017 · Viewed 17.4k times · Source

I have been able to properly setup sign-up/sign-in policy for a tenant I'm testing. I have set the Reset Password property to allow everybody to reset their password using their email. Currently the user signs up using their email (also their username), first name, and last name.

However, when I click on the "I forgot my password" link on the sign in page, it just redirects me back to the same page. Is there something I'm missing here?

Answer

Saca picture Saca · Jan 23, 2017

There are two different mechanisms for Password Reset in Azure AD B2C:

  1. Sign-in Policy: No work required by the application, clicking on "I forgot my password" redirects the user automatically to a generic Microsoft-branded password reset page.

  2. Sign-up/sign-in Policy: This requires the application to do some extra work. Clicking on "I forgot my password" redirects the user back to the application with an error code. The application needs to detect that the error code in the request and then further redirect the user to the Azure AD B2C Password Reset Policy. The Password reset policy can be customized extensively.

Going into more details as to how to implement the second approach, here's the code that hooks up into the AuthenticationFailed notification and redirects to your own PasswordReset controller action, from the B2C Sign-up/Sign-in quickstart, Startup.Auth.cs

private Task AuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    notification.HandleResponse();

    if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
    {
        // If the user clicked the reset password link, redirect to the reset password route
        notification.Response.Redirect("/Account/ResetPassword");
    }
    else if (notification.Exception.Message == "access_denied")
    {
        // If the user canceled the sign in, redirect back to the home page
        notification.Response.Redirect("/");
    }
    else
    {
        notification.Response.Redirect("/Home/Error?message=" + notification.Exception.Message);
    }

    return Task.FromResult(0);
}

And here's the code PasswordReset controller action that redirects the user to the Password Reset B2C policy, from the same B2C Sign-up/Sign-in quickstart, Account Controller

public void ResetPassword()
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties() { RedirectUri = "/" }, Startup.PasswordResetPolicyId);
    }
}

Just for sake of completeness, make sure you checkout the full guide/overview of setting up an Azure AD B2C Sign-up/Sign-in Policy

Related questions

Authorize By Group in Azure Active Directory B2C

I am trying to figure out how to authorize using groups in Azure Active Directory B2C. I can Authorize via User, for example: [Authorize(Users="Bill")] However, this is not very effective and I see very few use-cases for …

Read More
Azure Portal: Bad Request - Request Too Long

I just received the following error when I tried to run a built-in b2c edit policy from portal.azure.com. I have 2 tabs of the portal open. Why am I receiving this error? Bad Request - Request Too Long …

Read More
Azure AD vs Azure AD B2C vs Azure AD B2B

Before Azure AD B2C and Azure AD B2B come into the picture, usualy I added my applications to Azure AD of our tenancy and office 365 users could access the applications using their account (SSO). I am not a …

Read More