0
votes

I'm building an Azure AD B2C configuration based on custom policies. Sign in, profile edit, password change, etc. are already working as wanted.

But currently I'm struggling with the forgot-password policy. I want to achieve that the new password does not equal the old one. Google and the Microsoft docs always give me examples for password changes. When I change the password, I have to enter the old one and the new one. Then I'm able to compare the old and the new one. For example, like the way described here

But when a user has forgotten his password, then he is - of course - not able to enter the old password to compare it with the new one.

Is there any way to build a real forgot-password policy without entering the old password but nevertheless ensure that the new password does not equal the old password?

Thanks in advance!

Alex


1 Answer

0
votes

You can do it with some logic in validation technical profiles:

  1. Call login-noninteractive with continueOnError=true
  2. Call a claimTransform to generate a boolean if a claim (like objectId) is null
  3. Use the boolean for the proceeding logic, let's call it pwdIsLastPwd
  4. Call a claimTransform to assert pwdIsLastPwd = false
  5. If it is true, throw an error - "you cannot use this password" using the claimTransform error handler
  6. Continue with the rest of the reset-password flow

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile#validationtechnicalprofiles
  2. Call Claim transform from VTP, Boolean ClaimTransform check if claim exists
  3. Assert boolean is true/false
  4. "The UserMessageIfClaimsTransformationBooleanValueIsNotEqual self-asserted technical profile metadata controls the error message that the technical profile presents to the user. "
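One concrete shape for those six steps in custom-policy XML, added here as an example rather than code from the answer above. It assumes the starter-pack PasswordReset journey plus a copy of `login-NonInteractive` (called `login-NonInteractive-PwdProbe` here) that takes the `email` claim as `username` and maps `oid` to a new claim `pwdProbeObjectId` instead of `objectId`, because `objectId` is already in the claims bag from the email-discovery step and a `DoesClaimExist` check on it would always be true.

```xml
<!-- Added example, not from the answer: claim that records whether the candidate new password is the current one -->
<ClaimType Id="pwdIsLastPwd">
  <DisplayName>Candidate password equals the current password</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>
<!-- Step 2: the probe profile only emits pwdProbeObjectId when the non-interactive login succeeded -->
<ClaimsTransformation Id="CheckIfCandidatePwdIsCurrentPwd" TransformationMethod="DoesClaimExist">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="pwdProbeObjectId" TransformationClaimType="inputClaim" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="pwdIsLastPwd" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
<!-- Step 4: the validation fails unless pwdIsLastPwd is false -->
<ClaimsTransformation Id="AssertCandidatePwdIsNotCurrentPwd" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="pwdIsLastPwd" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
  </InputParameters>
</ClaimsTransformation>
<!-- Steps 2 to 5 packaged as one validation technical profile -->
<TechnicalProfile Id="CT-RejectCurrentPassword">
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="pwdIsLastPwd" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckIfCandidatePwdIsCurrentPwd" />
    <OutputClaimsTransformation ReferenceId="AssertCandidatePwdIsNotCurrentPwd" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<!-- Self-asserted reset page (starter-pack profile, other metadata and claims unchanged): steps 1, 5 and 6 -->
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">You cannot use this password.</Item>
  </Metadata>
  <ValidationTechnicalProfiles>
    <!-- Step 1: a wrong password here is the expected, good case, so do not abort on error -->
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive-PwdProbe" ContinueOnError="true" />
    <ValidationTechnicalProfile ReferenceId="CT-RejectCurrentPassword" />
    <!-- Step 6: only reached when the assertion passed -->
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

Step 1 is a genuine credential check against the directory, so account for it in your sign-in logging and lockout planning like any other sign-in attempt; it also only rejects the current password, not earlier ones in the user's history.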