We leverage Azure AD B2C in our solution with a "sign up or sign in" policy. On a regular basis (I have not counted the exact number of days), when I try to login, I got : "invalid username or password". I have to reset my password to make it work.
So I have two questions :
Is there a default password expiration policy? One of the feature request on Azure B2C Connect is to enable the definition of such custom expiration policy but I have not found in the documentation the fact that a default one was in place. Is there any way to remove this default behavior (i.e. no expiration)?
The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that ?
Thx !
Is there a default password expiration policy?
NOTE:Local accounts can only be created by sign-up or AAD Graph API. You cannot create it by clicking New users in AAD which is a B2C tenant.
There is no password expiration policy for local accounts by default. Azure AD B2C's sign-up, sign-up or sign-in and password reset policies use the "strong" password strength and don't expire any passwords for local accounts in Azure AD B2C. You can see this in this FAQ.
Howerver, there are also some conditions which you may come across the B2C local account users password expiration.
Defaultly, if a local account is created by built-in password policy, then this policy sets the passwordPolicies
property to DisablePasswordExpiration
. So the passwords of B2C local users won't expire.
However, if a local account is created by either a custom policy or Azure AD Graph API, then you have to set the passwordPolicies
property to be DisablePasswordExpiration
manually.
So, If your local users' passwords may expire after 90 days without notification if you don't set the property of the Password policy to be DisablePasswordExpiration
.
Is there any way to remove this default behavior (i.e. no expiration)? The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that?
You can refer to this example to create B2C local users without password expiration via AAD Graph API:
POST https://graph.windows.net/contosob2c.onmicrosoft.com/users?api-version=1.6
Authorization: Bearer eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJod...
Content-Type: application/json
Content-Length: 338
{
// All of these properties are required to create consumer users.
"accountEnabled": true,
"signInNames": [ // controls which identifier the user uses to sign in to the account
{
"type": "emailAddress", // can be 'emailAddress' or 'userName'
"value": "joeconsumer@gmail.com"
}
],
"creationType": "LocalAccount", // always set to 'LocalAccount'
"displayName": "Joe Consumer", // a value that can be used for displaying to the end user
"mailNickname": "joec", // an email alias for the user
"passwordProfile": {
"password": "P@ssword!",
"forceChangePasswordNextLogin": false // always set to false
},
"passwordPolicies": "DisablePasswordExpiration"
}
Update the Password Polices's property of affected users to be DisablePasswordExpiration
with PATCH
method via AAD Graph API, you can refer to this documentation to update your b2c users.
Ask all affected B2C users to change their passwords.
The password expiration depends on the Identity provider's password policy. AAD can also be an identity provider in AAD B2C.
AAD Password Expiration policies that apply only to work or school accounts. The available password policy settings that can be applied to user accounts that are created and managed in Azure AD.
So, if you make the AAD as a social account for the AAD B2C, the Password Expiration policies will affect those social accounts.
If your account is a social account in Azure AD, connect to that Tenant using your company administrator credentials. Execute one of the following commands:
To set the password of one user to never expire, run the following cmdlet by using the user principal name (UPN) or the user ID of the user: Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true
To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true
You can see more details about Password Policy in Azure AD in this document.