
I created a password reset policy and I am using username as the identity provider for local accounts.

The password reset screen asks for a username and email address. What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.

I saw it used to have a check box for password reset to use "Alternate Email Address", which is much more secure because it lets the user input one. But I can't find how to use "Alternate Email Address" in the password reset policy.

Does anyone know where to set it?

1 Answer


What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.

Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.

Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.

The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.
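The check order the answer describes, written out as an added illustration (this is not Azure AD B2C's own code, and the account store, code delivery and error strings are constructed assumptions): the e-mail verification code is checked first, and only then is the account looked up by the username and e-mail pair, returning one generic "could not be found" error whether the username is unknown or the e-mail does not belong to it, so a caller who verified a different e-mail learns nothing about the target account.

```python
import hashlib
import hmac
import secrets

# Constructed local-account store for the demonstration (hypothetical data).
# Each account keeps the e-mail collected at sign-up and a salted password hash.
ACCOUNTS = {
    "alice": {
        "email": "alice@example.com",
        "salt": b"constructed-salt",
        "password_hash": hashlib.pbkdf2_hmac(
            "sha256", b"OldPassw0rd!", b"constructed-salt", 100_000
        ),
    },
}

# Pending verification codes keyed by the (normalised) e-mail they were sent to.
_pending_codes: dict[str, str] = {}

# The same message is used for "no such username" and "e-mail does not match",
# so the response does not reveal which of the two failed.
GENERIC_ERROR = "account could not be found"


def _norm(value: str) -> str:
    return value.strip().lower()


def send_verification_code(email: str) -> str:
    """Step 1: verify the e-mail address before any account lookup happens.

    A code is issued for whatever address is entered; proving control of that
    address says nothing yet about whether an account uses it.  The code is
    returned here only so the example can be exercised offline; a real flow
    delivers it by e-mail.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[_norm(email)] = code
    return code


def reset_password(username: str, email: str, code: str, new_password: str):
    """Step 2: consume the code, then require BOTH username and e-mail to match.

    Returns (ok, message).  The e-mail check uses the verified address, never
    a value the caller is trusted to supply for the account.
    """
    key = _norm(email)
    expected = _pending_codes.get(key)
    if expected is None or not hmac.compare_digest(expected, code):
        return False, "invalid verification code"
    # Codes are single-use: a correct code cannot be replayed against a
    # second username.
    _pending_codes.pop(key, None)

    account = ACCOUNTS.get(_norm(username))
    if account is None or _norm(account["email"]) != key:
        return False, GENERIC_ERROR

    salt = secrets.token_bytes(16)
    account["salt"] = salt
    account["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 100_000
    )
    return True, "password updated"


def check_password(username: str, password: str) -> bool:
    """Helper used to confirm whether a reset actually took effect."""
    account = ACCOUNTS.get(_norm(username))
    if account is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account["salt"], 100_000
    )
    return hmac.compare_digest(candidate, account["password_hash"])
```

Running the scenario from the question against this flow: an attacker who knows the username `alice` but verifies `mallory@example.com` passes step 1, yet step 2 rejects the pair with the generic error and Alice's password is unchanged; the same error comes back for a username that does not exist at all, so verifying one's own address cannot be used to probe which usernames are real.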