So I am having a problem with the self-service password reset feature in the Azure AD B2C sign-in user flow.
When I create users via the sign-up user flows, with usernames, they can reset their passwords without problems. However, when I create the users using the Microsoft Graph API and then try to reset the passwords, I get the following error: "An account could not be found for the provided user ID."
I am creating the users like this:
POST https://graph.microsoft.com/v1.0/users
Body:
{
  "accountEnabled": true,
  "displayName": "Some Name",
  "givenName": "Some",
  "surname": "Name",
  "identities": [
    {
      "issuerAssignedId": "LOGINNAME",
      "issuer": "myissuer.onmicrosoft.com",
      "signInType": "username"
    }
  ],
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "Yodo1234"
  },
  "extension_<app-extension-id>_role": "SOMEROLE",
  "extension_<app-extension-id>_bussinesId": "0000000"
}
The password reset doesn't work in the built-in sign-in reset, nor by creating a separate flow only for the password reset. Note that I can log in just fine with the users I create; I just can't reset the password.
I've tried this
For built-in username flows, resetting passwords is done via an email in the Authentication Methods Email property. Therefore, once you create the user, use the object ID returned to add the email to the Authentication Methods.
POST https://graph.microsoft.com/v1.0/users
{
  "accountEnabled": true,
  "displayName": "Some Name",
  "givenName": "Some",
  "surname": "Name",
  "identities": [
    {
      "issuerAssignedId": "LOGINNAME",
      "issuer": "myissuer.onmicrosoft.com",
      "signInType": "username"
    }
  ],
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "Yodo1234"
  },
  "extension_<app-extension-id>_role": "SOMEROLE",
  "extension_<app-extension-id>_bussinesId": "0000000"
}
In the 201 response, take the object ID then make the following request to add the authentication method:
POST https://graph.microsoft.com/v1.0/users/{objectId}/authentication/emailMethods
{
  "emailAddress": "bolt-io@contoso.com"
}
This should then fix the password reset functionality.
Prerequisite: the context making this request must have the following Microsoft Graph API permission: UserAuthenticationMethod.ReadWrite.All
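The two-step flow from the answer above (create the user, then register the e-mail authentication method with the returned object id), as an added Python example that is not part of the question or answer. It also adds an audit helper that lists users with no e-mail method registered, i.e. the accounts that will hit the "account could not be found" error. The `send(method, path, body=None) -> (status, json)` transport callable is an assumption (any thin wrapper around an HTTP client with a bearer token fits); `FakeGraph` and the object id it returns are constructed so the block runs offline.

```python
def provision_username_user(send, issuer, login_name, password, email, display_name):
    """Create a username-based B2C user, then add the e-mail method SSPR needs.
    Returns the new user's object id. `send` is the assumed Graph transport."""
    user = {
        "accountEnabled": True, "displayName": display_name,
        "identities": [{"signInType": "username", "issuer": issuer,
                        "issuerAssignedId": login_name}],
        "passwordProfile": {"forceChangePasswordNextSignIn": False, "password": password},
    }
    status, created = send("POST", "/users", user)
    if status != 201 or "id" not in created:
        raise RuntimeError(f"user creation failed: HTTP {status} {created}")
    object_id = created["id"]
    # Without this second call the built-in reset flow cannot find the account.
    status, _ = send("POST", f"/users/{object_id}/authentication/emailMethods",
                     {"emailAddress": email})
    if status != 201:
        raise RuntimeError(f"emailMethods registration failed for {object_id}: HTTP {status}")
    return object_id


def users_missing_reset_email(send, object_ids):
    """Audit helper: object ids with no registered e-mail method (cannot self-service reset)."""
    missing = []
    for oid in object_ids:
        status, page = send("GET", f"/users/{oid}/authentication/emailMethods")
        if status == 200 and not page.get("value"):
            missing.append(oid)
    return missing


class FakeGraph:
    """Constructed stand-in for Microsoft Graph: records calls, keeps e-mail methods per user."""
    def __init__(self):
        self.calls, self.methods = [], {}

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if path == "/users":  # user creation; the returned object id is constructed
            return 201, {"id": "00000000-0000-0000-0000-000000000001"}
        oid = path.split("/")[2]
        if method == "POST":
            self.methods.setdefault(oid, []).append(body["emailAddress"])
            return 201, body
        return 200, {"value": [{"emailAddress": e} for e in self.methods.get(oid, [])]}
```

Against a real tenant, the caller's token needs User.ReadWrite.All for the first call and the UserAuthenticationMethod.ReadWrite.All permission named above for the second and for the audit reads.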