In Sign-in/Sign-out profile Azure AD B2C "forgot password" link leads to "You do not have permission to view this directory or page."

    Question

  • I am struggling with the forgot password link implementing Azure Mobile App authentication using Azure AD B2C. To replicate, create a new Azure AD B2C Sign-in/Sign-out policy (note that there is also a Password reset policy option).

    Add the email signup option for providers.

    Press OK and create the profile. Now go to the profile, and click Run Now.

    Choose an application, and press Run Now. Press the forgot password link.

    It will fail because the profile contains no details on the forgot password. "You do not have permission to view this directory or page." If a profile is created under Password Reset policies, Run Now will take you to the forgot password form correctly. It turns out that you can download the profile. A Sign-in/Sign-out profile has:

      <UserJourneys>
        <UserJourney Id="B2CSignUpOrSignInWithPassword">
          <OrchestrationSteps>
            <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinandsignupwithpassword">
              <ClaimsProviderSelections>
                <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
              </ClaimsProviderSelections>
            </OrchestrationStep>
          </OrchestrationSteps>
        </UserJourney>
      </UserJourneys>
      <RelyingParty>
        <DefaultUserJourney ReferenceId="B2CSignUpOrSignInWithPassword" />
        <TechnicalProfile Id="PolicyProfile">
          <DisplayName>PolicyProfile</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" />
            <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
          </OutputClaims>
          <SubjectNamingInfo ClaimType="sub" />
        </TechnicalProfile>
      </RelyingParty>

    and the password reset one has

      <UserJourneys>
        <UserJourney Id="B2CPasswordResetV1">
          <OrchestrationSteps>
            <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
              <ClaimsProviderSelections>
                <ClaimsProviderSelection TargetClaimsExchangeId="PasswordResetUsingEmailAddressExchange" />
              </ClaimsProviderSelections>
            </OrchestrationStep>
          </OrchestrationSteps>
        </UserJourney>
      </UserJourneys>
      <RelyingParty>
        <DefaultUserJourney ReferenceId="B2CPasswordResetV1" />
        <TechnicalProfile Id="PolicyProfile">
          <DisplayName>PolicyProfile</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="emails" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
          </OutputClaims>
          <SubjectNamingInfo ClaimType="sub" />
        </TechnicalProfile>
      </RelyingParty>

    I'm not sure how to do this so that the Sign-in/Sign-out profile can handle forgot password requests. Finally, I am using Azure Mobile Apps to do authentication, and there is only one place where I can put the login website, and I have put the Sign-in/Sign-up link there.
    http://stackoverflow.com/questions/42643203/when-using-azure-ad-b2c-with-azure-mobile-apps-how-is-the-password-policy-set

    Tuesday, March 07, 2017 10:23 PM
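As an added example (not code from the question, from Azure Mobile Apps, or from Microsoft), this is the client-side pattern a relying party uses when the built-in sign-up/sign-in policy's "Forgot your password?" link is clicked: B2C ends that journey and redirects back with error=access_denied and an error_description beginning with the B2C error code AADB2C90118, and the client then starts the separate password-reset policy. The tenant, policy names, client id and redirect URI are placeholder assumptions; the state check is there so a forged callback cannot steer the client into another policy.

```javascript
// Added example: routing the B2C "forgot password" callback to the reset policy.
// All identifiers below are placeholder assumptions, not values from the question.
const B2C_TENANT = "contoso.onmicrosoft.com";             // assumed tenant
const RESET_POLICY = "B2C_1_passwordreset";               // assumed password-reset policy
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder client id
const REDIRECT_URI = "https://app.example/auth/callback"; // assumed redirect URI

// Build the OpenID Connect authorize URL for a given B2C policy (b2clogin.com host).
function authorizeUrl(policy, state) {
  const tenantName = B2C_TENANT.split(".")[0];
  const base = `https://${tenantName}.b2clogin.com/${B2C_TENANT}/oauth2/v2.0/authorize`;
  const params = new URLSearchParams({
    p: policy,
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: "code",
    scope: "openid offline_access",
    response_mode: "query",
    state,
  });
  return `${base}?${params.toString()}`;
}

// Classify the callback B2C redirected to and say what the client should do next:
// exchange the authorization code, start the reset policy, or surface an error.
function handleB2cCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  // Check state before anything else; a mismatched callback is not ours.
  if (q.get("state") !== expectedState) {
    return { action: "reject", reason: "state mismatch" };
  }
  const error = q.get("error");
  const description = q.get("error_description") || "";
  // AADB2C90118 is the code B2C returns when the user clicks "Forgot your password?".
  if (error === "access_denied" && description.startsWith("AADB2C90118")) {
    return { action: "redirect", url: authorizeUrl(RESET_POLICY, expectedState) };
  }
  if (error) {
    return { action: "error", code: description.split(":")[0].trim() || error };
  }
  if (q.get("code")) {
    return { action: "exchange_code", code: q.get("code") };
  }
  return { action: "reject", reason: "no code or error in callback" };
}

// Constructed sample callback, in the shape B2C sends after the forgot-password click.
const SAMPLE_FORGOT_CALLBACK =
  `${REDIRECT_URI}?error=access_denied` +
  `&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password.&state=xyz`;
```

This is the pattern for a web or native client that owns its own redirect handling; Azure Mobile Apps' single login URL does not expose that step, which is the limitation the question describes.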

All replies