1 vote

I am not able to remove the email verification step in password reset. I tried adding the orchestration step to trustframeworkextensions.xml. I keep getting an error message when I upload the policy. The error is: "Error: User journey must be preceded by a claims provider selection".

I looked at a similar post, Azure AD B2C Password Reset policy without email verification step. I tried the solution mentioned in Remove Verification, but I am still getting the same error. Any help?

Here is the UserJourney that was moved from TrustFrameworkExtensions.xml to TrustFrameworkBase.xml:

```xml
<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <!-- step 1 goes straight to a directory read; no interactive step collects the email first -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

2 Answers

0 votes

For the email verification in the password reset policy, you could check in the Azure portal and then try to edit this policy in the portal. For the details, you can read built-in policies.

0 votes

Moving the UserJourney from TrustFrameworkExtensions.xml to TrustFrameworkBase.xml will fix this.

If that does not work, you can try the steps below. These changes will ask the user for the username and the email, and both will be verified against AD.

1. Add the claims below

```xml
<ClaimType Id="EmailPlaceHolder">
  <DisplayName>Enter your Email</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Enter your Email</UserHelpText>
  <UserInputType>TextBox</UserInputType>
  <Restriction>
    <!-- &amp; is the XML escape for a literal & inside the pattern -->
    <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'^_{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
  </Restriction>
</ClaimType>

<ClaimType Id="UserNamePlaceHolder">
  <DisplayName>Enter your Username</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Enter your Username</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>
```

2. Add the user journey below

```xml
<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <!-- step 1 is an interactive self-asserted page, which is what the upload check expects first -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

3. Make changes to the LocalAccountDiscoveryUsingLogonName technical profile

```xml
<TechnicalProfile Id="LocalAccountDiscoveryUsingLogonName">
  <DisplayName>Reset password using logon name</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <!-- the two values the user types in; no Verified.* partner claim, so no one-time code is sent -->
    <OutputClaim ClaimTypeReferenceId="UserNamePlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="EmailPlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

4. Add/modify the AAD-UserReadUsingLogonName technical profile

```xml
<TechnicalProfile Id="AAD-UserReadUsingLogonName">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <!-- For a Read operation the relevant key is RaiseErrorIfClaimsPrincipalDoesNotExist;
         RaiseErrorIfClaimsPrincipalAlreadyExists applies to Write. Set to true so that an
         unknown username/email combination fails the validation instead of continuing. -->
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="UserNamePlaceHolder" PartnerClaimType="signInNames.userName" Required="true" />
    <InputClaim ClaimTypeReferenceId="EmailPlaceHolder" PartnerClaimType="email" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
```

If you want other attributes to be verified, add them to LocalAccountDiscoveryUsingLogonName and use them for validation in AAD-UserReadUsingLogonName.

PartnerClaimType="Verified.Email" is the one that asks the user to verify the email by sending a verification code.
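Added example, not code from either answer or from Microsoft's starter pack: a small Python lint that reads a B2C custom-policy document and checks each password reset journey for the two properties this thread turns on. The first check approximates the upload-time rule behind the error quoted in the question (a ClaimsExchange may open a journey only when its technical profile is an interactive self-asserted page, otherwise a ClaimsProviderSelection has to come first); that reading of the rule is my assumption, inferred from which journeys upload and which do not. The second check is the security property the second answer trades away: no step may persist a password until an earlier step has collected a Verified.* claim, because knowing a username and an email address is not proof of ownership of the account, while the one-time code round trip is. The script assumes a single, already-merged policy document (real deployments inherit across Base, Extensions and RelyingParty files, so merge first) and carries a constructed, trimmed sample policy built from the profile names used on this page; the three sample journeys are hypothetical and named by me.

```python
"""Static checks for Azure AD B2C custom-policy UserJourneys (added example).

Assumes one already-merged policy document. The sample policy at the bottom is
constructed for this example from the profile names used in the thread; it is
trimmed to the elements the checks inspect and is not the Microsoft starter pack.
"""
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
SELF_ASSERTED = "SelfAssertedAttributeProvider"


def _is_self_asserted(tp):
    proto = tp.find("p:Protocol", NS)
    return proto is not None and SELF_ASSERTED in (proto.get("Handler") or "")


def _closure(tp_id, tps, seen=None):
    """A profile plus everything it reaches via validation and include references."""
    if seen is None:
        seen = set()
    if tp_id in seen or tp_id not in tps:
        return seen
    seen.add(tp_id)
    tp = tps[tp_id]
    refs = list(tp.iterfind("p:ValidationTechnicalProfiles/p:ValidationTechnicalProfile", NS))
    refs += list(tp.iterfind("p:IncludeTechnicalProfile", NS))
    for ref in refs:
        _closure(ref.get("ReferenceId"), tps, seen)
    return seen


def _persists_password(tp):
    return any(pc.get("ClaimTypeReferenceId") == "password"
               for pc in tp.iterfind("p:PersistedClaims/p:PersistedClaim", NS))


def _collects_verified_claim(tp):
    # Verified.Email / Verified.PhoneNumber partner claim types are what make the
    # self-asserted page send and check a one-time code before accepting the claim.
    return any((oc.get("PartnerClaimType") or "").startswith("Verified.")
               for oc in tp.iterfind("p:OutputClaims/p:OutputClaim", NS))


def lint_journey(policy_xml, journey_id):
    """Return findings for one UserJourney; an empty list means both checks passed."""
    root = ET.fromstring(policy_xml)
    tps = {tp.get("Id"): tp for tp in root.iterfind(".//p:TechnicalProfile", NS)}
    journey = root.find(f".//p:UserJourney[@Id='{journey_id}']", NS)
    if journey is None:
        return [f"journey '{journey_id}' not found"]
    findings, verified_seen = [], False
    steps = sorted(journey.iterfind("p:OrchestrationSteps/p:OrchestrationStep", NS),
                   key=lambda s: int(s.get("Order")))
    for step in steps:
        order, kind = step.get("Order"), step.get("Type")
        refs = [ce.get("TechnicalProfileReferenceId")
                for ce in step.iterfind("p:ClaimsExchanges/p:ClaimsExchange", NS)]
        # Check 1 (assumed approximation of the upload rule): a non-interactive profile
        # such as a directory read cannot be step 1 without a ClaimsProviderSelection.
        if order == "1" and kind == "ClaimsExchange":
            for ref in refs:
                if ref in tps and not _is_self_asserted(tps[ref]):
                    findings.append(f"step 1: '{ref}' is not self-asserted and must be "
                                    "preceded by a claims provider selection")
        # Check 2 (security property): a password write needs a prior Verified.* claim.
        for ref in refs:
            reached = [tps[t] for t in _closure(ref, tps)]
            if any(_collects_verified_claim(tp) for tp in reached):
                verified_seen = True
            if any(_persists_password(tp) for tp in reached) and not verified_seen:
                findings.append(f"step {order}: '{ref}' writes a password before any "
                                "Verified.* claim was collected")
    return findings


# ---- constructed sample policy (hypothetical, minimal) -------------------------
def _tp(tp_id, handler, body=""):
    return (f'<TechnicalProfile Id="{tp_id}"><Protocol Name="Proprietary" '
            f'Handler="Web.TPEngine.Providers.{handler}, Web.TPEngine" />{body}</TechnicalProfile>')


def _validate(ref):
    return (f'<ValidationTechnicalProfiles><ValidationTechnicalProfile ReferenceId="{ref}" />'
            '</ValidationTechnicalProfiles>')


def _journey(jid, *tp_ids):
    steps = "".join(f'<OrchestrationStep Order="{i}" Type="ClaimsExchange"><ClaimsExchanges>'
                    f'<ClaimsExchange Id="Ex{i}" TechnicalProfileReferenceId="{t}" />'
                    '</ClaimsExchanges></OrchestrationStep>' for i, t in enumerate(tp_ids, 1))
    return f'<UserJourney Id="{jid}"><OrchestrationSteps>{steps}</OrchestrationSteps></UserJourney>'


AAD, SA = "AzureActiveDirectoryProvider", SELF_ASSERTED
SAMPLE_POLICY = "\n".join([
    f'<TrustFrameworkPolicy xmlns="{NS["p"]}" PolicyId="B2C_1A_LintSample">',
    "<ClaimsProviders><ClaimsProvider><TechnicalProfiles>",
    _tp("AAD-UserReadUsingEmailAddress", AAD),
    _tp("AAD-UserReadUsingLogonName", AAD),
    _tp("AAD-UserWritePasswordUsingObjectId", AAD,
        '<PersistedClaims><PersistedClaim ClaimTypeReferenceId="password" /></PersistedClaims>'),
    _tp("LocalAccountDiscoveryUsingEmailAddress", SA,
        '<OutputClaims><OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" />'
        '</OutputClaims>' + _validate("AAD-UserReadUsingEmailAddress")),
    _tp("LocalAccountDiscoveryUsingLogonName", SA,
        '<OutputClaims><OutputClaim ClaimTypeReferenceId="UserNamePlaceHolder" />'
        '<OutputClaim ClaimTypeReferenceId="EmailPlaceHolder" /></OutputClaims>'
        + _validate("AAD-UserReadUsingLogonName")),
    _tp("LocalAccountWritePasswordUsingObjectId", SA, _validate("AAD-UserWritePasswordUsingObjectId")),
    "</TechnicalProfiles></ClaimsProvider></ClaimsProviders><UserJourneys>",
    _journey("PasswordReset-AsPosted", "AAD-UserReadUsingEmailAddress", "LocalAccountWritePasswordUsingObjectId"),
    _journey("PasswordReset-StarterPack", "LocalAccountDiscoveryUsingEmailAddress", "LocalAccountWritePasswordUsingObjectId"),
    _journey("PasswordReset-LogonName", "LocalAccountDiscoveryUsingLogonName", "LocalAccountWritePasswordUsingObjectId"),
    "</UserJourneys></TrustFrameworkPolicy>",
])
```

Run `lint_journey(SAMPLE_POLICY, "PasswordReset-AsPosted")` to see both findings for the journey from the question (a directory read in step 1 and a password write with nothing verified); the journey shaped like the starter pack's email-discovery flow comes back clean, and the username-plus-email variant from the second answer uploads fine but still fails the second check, which is exactly the trade-off to decide on deliberately rather than by accident.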