stackoom
  简体   繁体   中英

Azure AD B2C password expiration

 原文  2017-11-01 09:14:03       azure/ azure-active-directory/ azure-ad-b2c

Question

We leverage Azure AD B2C in our solution with a "sign up or sign in" policy. On a regular basis (I have not counted the exact number of days), when I try to login, I got : "invalid username or password". I have to reset my password to make it work.

So I have two questions :

  • Is there a default password expiration policy ? One of the feature request on Azure B2C Connect is to enable the definition of such custom expiration policy but I have not found in the documentation the fact that a default one was in place. Is there any way to remove this default behavior (ie no expiration)?

  • The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that ?

Thx !

1 answers

solution1
 4 ACCPTED  2017-11-02 02:41:16

Is there a default password expiration policy?

For B2C Local accounts:

NOTE:Local accounts can only be created by sign-up or AAD Graph API. You cannot create it by clicking New users in AAD which is a B2C tenant.

There is no password expiration policy for local accounts by default. Azure AD B2C's sign-up, sign-up or sign-in and password reset policies use the "strong" password strength and don't expire any passwords for local accounts in Azure AD B2C. You can see this in this FAQ .

Howerver, there are also some conditions which you may come across the B2C local account users password expiration.

  • Defaultly, if a local account is created by built-in password policy, then this policy sets the passwordPolicies property to DisablePasswordExpiration . So the passwords of B2C local users won't expire.

  • However, if a local account is created by either a custom policy or Azure AD Graph API, then you have to set the passwordPolicies property to be DisablePasswordExpiration manually.

So, If your local users' passwords may expire after 90 days without notification if you don't set the property of the Password policy to be DisablePasswordExpiration .

Is there any way to remove this default behavior (ie no expiration)? The message "invalid username or password" is misleading and should be "your password has expired". Any way to change that?

Resolution for local accounts:

  1. You can refer to this example to create B2C local users without password expiration via AAD Graph API: 

     POST https://graph.windows.net/contosob2c.onmicrosoft.com/users?api-version=1.6 Authorization: Bearer eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJod... Content-Type: application/json Content-Length: 338 { // All of these properties are required to create consumer users. "accountEnabled": true, "signInNames": [ // controls which identifier the user uses to sign in to the account { "type": "emailAddress", // can be 'emailAddress' or 'userName' "value": "joeconsumer@gmail.com" } ], "creationType": "LocalAccount", // always set to 'LocalAccount' "displayName": "Joe Consumer", // a value that can be used for displaying to the end user "mailNickname": "joec", // an email alias for the user "passwordProfile": { "password": "P@ssword!", "forceChangePasswordNextLogin": false // always set to false }, "passwordPolicies": "DisablePasswordExpiration" }

  2. Update the Password Polices's property of affected users to be DisablePasswordExpiration with PATCH method via AAD Graph API, you can refer to this documentation to update your b2c users.

  3. Ask all affected B2C users to change their passwords.

For Social accounts:

The password expiration depends on the Identity provider's password policy. AAD can also be an identity provider in AAD B2C .

AAD Password Expiration policies that apply only to work or school accounts . The available password policy settings that can be applied to user accounts that are created and managed in Azure AD.

So, if you make the AAD as a social account for the AAD B2C, the Password Expiration policies will affect those social accounts.

Resolution for AAD social accounts:

If your account is a social account in Azure AD, connect to that Tenant using your company administrator credentials. Execute one of the following commands:

  1. To set the password of one user to never expire, run the following cmdlet by using the user principal name (UPN) or the user ID of the user: Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true

  2. To set the passwords of all the users in an organization to never expire, run the following cmdlet: Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true

You can see more details about Password Policy in Azure AD in this document .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure AD B2C password expiration notification Azure AD B2C is possible set password expiration period? Azure AD B2C Password Reset Azure AD B2C password settings Azure AD B2C App Service Auth password reset Change password using Graph API (Azure AD B2C) Azure AD B2C - Password change flow Password management in Azure AD B2C Free Tier Azure AD B2C Password Reset - Skip Email Verification Azure AD B2C Reset Password Email Link
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM