azureazure-active-directoryazure-ad-b2c

Azure AD B2C password expiration


We leverage Azure AD B2C in our solution with a "sign up or sign in" policy. On a regular basis (I have not counted the exact number of days), when I try to login, I got : "invalid username or password". I have to reset my password to make it work.

So I have two questions :

Thx !


Solution

  • Is there a default password expiration policy?

    For B2C Local accounts:

    NOTE:Local accounts can only be created by sign-up or AAD Graph API. You cannot create it by clicking New users in AAD which is a B2C tenant.

    There is no password expiration policy for local accounts by default. Azure AD B2C's sign-up, sign-up or sign-in and password reset policies use the "strong" password strength and don't expire any passwords for local accounts in Azure AD B2C. You can see this in this FAQ.

    Howerver, there are also some conditions which you may come across the B2C local account users password expiration.

    So, If your local users' passwords may expire after 90 days without notification if you don't set the property of the Password policy to be DisablePasswordExpiration.

    Is there any way to remove this default behavior (i.e. no expiration)? The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that?

    Resolution for local accounts:

    1. You can refer to this example to create B2C local users without password expiration via AAD Graph API:

      POST https://graph.windows.net/contosob2c.onmicrosoft.com/users?api-version=1.6
      Authorization: Bearer eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJod...
      Content-Type: application/json
      Content-Length: 338
      {
      // All of these properties are required to create consumer users.
      "accountEnabled": true,
      "signInNames": [                            // controls which identifier the user uses to sign in to the account
          {
              "type": "emailAddress",             // can be 'emailAddress' or 'userName'
              "value": "joeconsumer@gmail.com"
          }
      ],
      "creationType": "LocalAccount",            // always set to 'LocalAccount'
      "displayName": "Joe Consumer",                // a value that can be used for displaying to the end user
      "mailNickname": "joec",                        // an email alias for the user
      "passwordProfile": {
          "password": "P@ssword!",
          "forceChangePasswordNextLogin": false   // always set to false
      },
      "passwordPolicies": "DisablePasswordExpiration"
      }
      
    2. Update the Password Polices's property of affected users to be DisablePasswordExpiration with PATCH method via AAD Graph API, you can refer to this documentation to update your b2c users.

    3. Ask all affected B2C users to change their passwords.


    For Social accounts:

    The password expiration depends on the Identity provider's password policy. AAD can also be an identity provider in AAD B2C.

    AAD Password Expiration policies that apply only to work or school accounts. The available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

    So, if you make the AAD as a social account for the AAD B2C, the Password Expiration policies will affect those social accounts.

    Resolution for AAD social accounts:

    If your account is a social account in Azure AD, connect to that Tenant using your company administrator credentials. Execute one of the following commands:

    1. To set the password of one user to never expire, run the following cmdlet by using the user principal name (UPN) or the user ID of the user: Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true

    2. To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true

    You can see more details about Password Policy in Azure AD in this document.