I am trying to understand how Azure AD B2C password reset is meant to be used.
It appears there are a number of ways password reset can be handled. What is the difference between these? Is there a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C? Why does method 3 below not appear to work?
1. Via Azure B2C user flows (policies).
2. Via Azure Active Directory Self Service Password Reset, which is accessible via https://passwordreset.microsoftonline.com. This allows the user to reset their password via any email address stored on their profile.
3. Reset password button on user profile. This provides a temporary password, however the temporary password does not seem to work.
AAD B2C ≠ AAD ===> AAD B2C users ≠ AAD users
Currently, we only support two ways to reset Azure AD B2C users' passwords in the general scenario:
1. Self-service password reset (SSPR) with the Azure AD B2C password reset policy/user flow.
2. Admins help users to reset passwords with the Azure AD Graph API: https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--
Answers to your questions:
What is the difference between these? Is there a price difference between these? Are some of these features of Azure AD, whilst some are features of Azure AD B2C?
1. Password reset policy/user flow is for AAD B2C users. You can use it directly. AAD B2C users can use this to reset their password by themselves. It's also a kind of SSPR.
2. Azure Active Directory Self Service Password Reset. Generally, it's for enterprise users. As this feature is only for the V1 sign-in user flow, I don't recommend you use this way.
3. Reset password button on user profile. It's for AAD (organization/enterprise) users only. Don't use this button for AAD B2C users.
Why does method 3 below not appear to work?
As I mentioned above, this feature is just for Azure AD users, NOT AAD B2C users. Therefore, you cannot reset B2C users' passwords here.
As Alex said, an AAD B2C user is not an Azure AD user. B2C users are for the 2C scenario. Normal Azure AD users are for the organization/enterprise scenario.
You can also refer to my answers for What's the difference between Azure AD B2C tenant and normal Azure AD tenant?
More about how B2C password reset policy works:
After the user clicks the "forget your password" button in the sign-up/sign-in policy, AAD B2C will send a message with "AADB2C90118" back to the application.
For example, in an ASP.NET MVC web app, it should then challenge:
    // Needs System.Threading.Tasks plus the OWIN OpenID Connect middleware namespaces.
    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // Tell the middleware this handler takes over the response
        notification.HandleResponse();

        // Handle the error code that Azure AD B2C throws when trying to reset a password from the login page
        // because password reset is not supported by a "sign-up or sign-in policy"
        if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
        {
            // If the user clicked the reset password link, redirect to the reset password route
            notification.Response.Redirect("/Account/ResetPassword");
        }

        // The method returns Task, so every path must return a completed task
        return Task.FromResult(0);
    }
It means that the application will redirect to /Account/ResetPassword after receiving this message.
/Account/ResetPassword is defined here in the Account Controller. It should be determined by the password reset policy name, which is defined by you.
    // Needs System.Web (GetOwinContext) and Microsoft.Owin.Security (AuthenticationProperties).
    public void ResetPassword()
    {
        // Let the middleware know you are trying to use the reset password policy (see OnRedirectToIdentityProvider in Startup.Auth.cs)
        HttpContext.GetOwinContext().Set("Policy", Startup.ResetPasswordPolicyId);

        // Set the page to redirect to after changing passwords
        var authenticationProperties = new AuthenticationProperties { RedirectUri = "/" };
        HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);
        return;
    }
Then the user will be redirected to the B2C password reset policy to change his password.
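
The comment in ResetPassword() points to OnRedirectToIdentityProvider in Startup.Auth.cs, which the answer does not show. One way to write that handler, as an added example (not code from the original answer or from Microsoft's sample): it assumes the Microsoft.Owin.Security.OpenIdConnect 4.x packages, and the two policy names and the AllowedPolicies allow-list are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Startup
{
    // Assumed policy names; replace with the ones defined in your own B2C tenant.
    public const string DefaultPolicy = "B2C_1_signupsignin";
    public const string ResetPasswordPolicyId = "B2C_1_passwordreset";

    // Hypothetical allow-list: only policies configured server-side may replace the default.
    private static readonly HashSet<string> AllowedPolicies =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { DefaultPolicy, ResetPasswordPolicyId };

    // Register as OpenIdConnectAuthenticationNotifications.RedirectToIdentityProvider.
    private Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // "Policy" is the key that ResetPassword() stores in the OWIN context.
        var policy = notification.OwinContext.Get<string>("Policy");

        if (!string.IsNullOrEmpty(policy)
            && AllowedPolicies.Contains(policy)
            && !policy.Equals(DefaultPolicy, StringComparison.OrdinalIgnoreCase))
        {
            // A password reset only needs an ID token back.
            notification.ProtocolMessage.Scope = OpenIdConnectScope.OpenId;
            notification.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;

            // Swap the policy segment of the authorize endpoint so the challenge
            // goes to the password reset policy instead of the sign-in policy.
            notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress
                .ToLowerInvariant()
                .Replace(DefaultPolicy.ToLowerInvariant(), policy.ToLowerInvariant());
        }

        // Any other value leaves the request on the default policy.
        return Task.FromResult(0);
    }
}
```

Keeping the policy name in server-side constants and checking it against an allow-list means a value that reaches the "Policy" key from anywhere else cannot steer the redirect to an unintended policy.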