Azure AD B2C Password Reset policy without email verification step

5
votes

Is it possible to create custom policy to reset password for already known email?

I create user using Graph API and send invitation email to the specified email address.

I want user to click on the link in that email and just set password for his account.

I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace.

But I am not able to bypass email verification step in the password reset journey - when I remove it, I get 500 server error without additional detail.

I tried to send objectId for the user as input claim as well, but it does not help either.

Is there a way to skip email verification?

1
azure-ad-b2cidentity-experience-framework
Would you provide details on how you accomplished this step: I can create signed token with this email claim and send as assertion to my custom policy. So policy gets email as input claim. I see it in the trace. I'm trying to create an invitation email with a reset password link for migrated users and I can't seem to find info on how to pass email address to the password reset custom policy.Michael Schulz
My starter point was this example - github.com/Azure-Samples/active-directory-b2c-advanced-policies/…. I sent email with the signed link, and when user clicks on that link, i validated that it contains email and signature is good. Then I redirected to the custom policy.Klio
In custom policy I used client assertion to send token to the B2C, the example can be found here github.com/Azure-Samples/active-directory-b2c-advanced-policies/… in RedirectToIdentityProvider method.Klio

1 Answers

6
votes

You have the following options that vary the user experience:

  1. Display the email address as a read-only field and remove the email verification requirement.
  2. Remove the email verification step.

Display the email address as a read-only field

1) Create a readOnlyEmail claim type:

<ClaimType Id="readOnlyEmail">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <UserInputType>Readonly</UserInputType>
</ClaimType>

2) Create a claims transformation that copies from the email claim to the readOnlyEmail claim:

<ClaimsTransformation Id="CopyFromEmailToReadOnlyEmail" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

3) Add the CopyFromEmailToReadOnlyEmail claims transformation as an input claims transformation to the LocalAccountDiscoveryUsingEmailAddress technical profile and then replace the email claim type with readOnlyemail as the input and output claims for this technical profile:

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CopyFromEmailToReadOnlyEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="readOnlyEmail" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="readOnlyEmail" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

Remove the email verification step

1) Change the first step for the PasswordReset journey from:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>

to:

<OrchestrationStep Order="1" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
  </ClaimsExchanges>
</OrchestrationStep>