force-password-reset.md

File metadata and controls

124 lines (86 loc) · 6.39 KB
---
title: Configure a force password reset flow in Azure AD B2C
titleSuffix: Azure AD B2C
description: Learn how to set up a forced password reset flow in Azure Active Directory B2C.
services: active-directory-b2c
author: msmimart
manager: celestedg
ms.service: active-directory
ms.workload: identity
ms.topic: how-to
ms.date: 06/10/2021
ms.author: mimart
ms.subservice: B2C
zone_pivot_groups: b2c-policy-type
---

# Set up a force password reset flow in Azure Active Directory B2C

[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]

## Overview

As an administrator, you can reset a user's password if the user forgets it, or you can force the user to reset it. In this article, you'll learn how to force a password reset in these scenarios.

When an administrator resets a user's password via the Azure portal, the value of the forceChangePasswordNextSignIn attribute is set to true. The sign-in and sign-up journey checks the value of this attribute. After the user completes the sign-in, if the attribute is set to true, the user must reset their password. The value of the attribute is then set back to false.

## Force password reset flow

The password reset flow is applicable to local accounts in Azure AD B2C that use an email address or username with a password for sign-in.

::: zone pivot="b2c-user-flow"

## Prerequisites

[!INCLUDE active-directory-b2c-customization-prerequisites]

## Configure your user flow

To enable the Forced password reset setting in a sign-up or sign-in user flow:

  1. Sign in to the Azure portal.
  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
  3. In the Azure portal, search for and select Azure AD B2C.
  4. Select User flows.
  5. Select the sign-up and sign-in, or sign-in user flow (of type Recommended) that you want to customize.
  6. In the left menu under Settings, select Properties.
  7. Under Password configuration, select Forced password reset.
  8. Select Save.

## Test the user flow

  1. Sign in to the Azure portal as a user administrator or a password administrator. For more information about the available roles, see Assigning administrator roles in Azure Active Directory.
  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
  3. In the Azure portal, search for and select Azure AD B2C.
  4. Select Users. Search for and select the user you'll use to test the password reset, and then select Reset Password.
  5. In the Azure portal, search for and select Azure AD B2C.
  6. Select User flows.
  7. Select a sign-up or sign-in user flow (of type Recommended) that you want to test.
  8. Select Run user flow.
  9. For Application, select the web application named webapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  10. Select Run user flow.
  11. Sign in with the user account for which you reset the password.
  12. You now must change the password for the user. Change the password and select Continue. The token is returned to https://jwt.ms and should be displayed to you.

## Force password reset on next login

To force a password reset on next login, update the account's password profile using the MS Graph Update user operation. The following example sets the password profile's forceChangePasswordNextSignIn attribute to true, which forces the user to reset the password on next login.

```http
PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
Content-type: application/json

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true
  }
}
```

Once the account password profile has been set, you must also configure the force password reset flow, as described in this article.

## Force a password reset after 90 days

As an administrator, you can set a user's password expiration to 90 days using MS Graph. After 90 days, the value of the forceChangePasswordNextSignIn attribute is automatically set to true. To force a password reset after 90 days, remove the DisablePasswordExpiration value from the user's profile Password policy attribute.

The following example updates the password policy to None, which forces a password reset after 90 days:

```http
PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
Content-type: application/json

{
  "passwordPolicies": "None"
}
```

If you disabled the strong password complexity, update the password policy to DisableStrongPassword:

```http
PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
Content-type: application/json

{
  "passwordPolicies": "DisableStrongPassword"
}
```

Once a password expiration policy has been set, you must also configure the force password reset flow, as described in this article.
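The two Graph updates above (forcing a reset on next login, and re-enabling the 90-day expiry) are easy to apply one user at a time but easy to miss across a tenant. The following added example, which is not code from the Microsoft docs page, checks constructed user records for both states and builds the matching PATCH request without sending it; it assumes the page's fields plus the standard Graph user property lastPasswordChangeDateTime, and the object IDs and bearer token are placeholders.

```python
# Added example (not from the Microsoft docs page). Audits B2C local accounts for the states the
# page describes and builds the matching Graph PATCH. Assumes the page's fields plus the standard
# Graph user property lastPasswordChangeDateTime, and the page's 90-day default expiry.
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"
EXPIRY_DAYS = 90  # tenant default stated on the page
NOW = datetime(2021, 6, 10, tzinfo=timezone.utc)  # "today" for the sample run below

# Constructed sample records standing in for a GET /users response (placeholder IDs).
SAMPLE_USERS = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "passwordPolicies": "DisablePasswordExpiration",
     "passwordProfile": {"forceChangePasswordNextSignIn": False},
     "lastPasswordChangeDateTime": "2020-01-01T00:00:00Z"},
    {"id": "00000000-0000-0000-0000-000000000002",
     "passwordPolicies": "None",
     "passwordProfile": {"forceChangePasswordNextSignIn": False},
     "lastPasswordChangeDateTime": "2021-01-01T00:00:00Z"},
]

def password_age_days(user, now=NOW):
    """Days since the last password change (Graph reports the timestamp in UTC)."""
    changed = datetime.strptime(user["lastPasswordChangeDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return (now - changed.replace(tzinfo=timezone.utc)).days

def reset_needed(user, now=NOW):
    """True if sign-in will force a new password: flag already set, or expiry on and stale."""
    if user.get("passwordProfile", {}).get("forceChangePasswordNextSignIn"):
        return True  # admin reset or an explicit PATCH already flagged the account
    if "DisablePasswordExpiration" in user.get("passwordPolicies", ""):
        return False  # expiry switched off: only the explicit flag can force a reset
    return password_age_days(user, now) >= EXPIRY_DAYS

def remediation_body(user, now=NOW):
    """Merged PATCH body (or None): re-enable expiry and/or force a reset, as on the page."""
    body, policies = {}, user.get("passwordPolicies", "")
    if "DisablePasswordExpiration" in policies:  # keep DisableStrongPassword if it was set
        body["passwordPolicies"] = ("DisableStrongPassword"
                                    if "DisableStrongPassword" in policies else "None")
    if not reset_needed(user, now) and password_age_days(user, now) >= EXPIRY_DAYS:
        body["passwordProfile"] = {"forceChangePasswordNextSignIn": True}
    return body or None

def build_patch(user_id, body, token):
    """Build (but do not send) the Graph PATCH from the page; the caller supplies the token."""
    return urllib.request.Request(GRAPH_USERS + user_id, method="PATCH", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token})
```

A user whose expiry is disabled and whose password is already older than 90 days gets both changes in one PATCH; a user the expiry will already catch needs nothing.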

## Password expiry duration

The password expiry duration default value is 90 days. The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell. This command updates the tenant so that all users' passwords expire after the number of days you configure.

::: zone-end

::: zone pivot="b2c-custom-policy"

This feature is currently only available for User Flows. For setup steps, choose User Flow above. For custom policies, use the force password reset first logon GitHub sample.

::: zone-end

## Next steps

Set up a self-service password reset.