Set up a password reset flow in Azure Active Directory B2C

Before you begin, use the Choose a policy type selector at the top of this page to choose the type of policy you’re setting up. Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies. The steps required in this article are different for each method.

The password reset flow involves the following steps:

  1. On the sign-up and sign-in page, the user selects the Forgot your password? link. Azure AD B2C initiates the password reset flow.
  2. In the next dialog that appears, the user enters their email address, and then selects Send verification code. Azure AD B2C sends a verification code to the user's email account. The user copies the verification code from the email, enters the code in the Azure AD B2C password reset dialog, and then selects Verify code.
  3. The user can then enter a new password. (After the email is verified, the user can still select the Change email button; see Hide the change email button if you wish to remove it.)

Diagram that shows three dialogs in the password reset flow.

The default name of the Change email button in selfAsserted.html is changeclaims. To find the button name, on the sign-up page, inspect the page source by using a browser tool such as Inspect.

Prerequisites

Password reset policy (legacy)

Note

Self-service password reset isn't currently supported in Microsoft Azure operated by 21Vianet.

If the self-service password reset experience isn't enabled, selecting the Forgot your password? link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application must handle this error code by reinitializing the authentication library and starting a new authorization request against the Azure AD B2C password reset user flow.

The following diagram depicts the process:

  1. In the application, the user selects Sign in. The app initiates an authorization request and redirects to Azure AD B2C so the user can finish signing in. The authorization request specifies a sign-up or sign-in policy name, such as B2C_1_signup_signin.
  2. The user selects the Forgot your password? link. Azure AD B2C returns the AADB2C90118 error code to the application.
  3. The application handles the error code and initiates a new authorization request. The authorization request specifies the password reset policy name, such as B2C_1_pwd_reset.

Diagram that shows the legacy password reset user flow with numbered steps.

You can see a basic demonstration of how user flows link in our ASP.NET sample.
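The legacy flow described above is a contract between Azure AD B2C and your application: the sign-in request fails with AADB2C90118, and the application answers with a fresh authorization request that names the password reset policy. The following Python snippet is an added example, not code from the page or from the ASP.NET sample it links to. It assumes that B2C returns the error to the redirect URI as OAuth query parameters (error=access_denied, with the AADB2C90118 code inside error_description), and it uses a constructed tenant name, client ID and redirect URI that you would replace with your own. The one security-relevant point it adds is that the redirect is attacker-controllable input: the app only acts on the error when the returned state matches the state it issued, so a crafted link cannot steer a session into an unexpected policy.

```python
"""Handle the legacy AADB2C90118 'forgot password' error in an OAuth callback (example code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; replace with your own tenant and app registration.
TENANT = "contoso"  # your <tenant>.onmicrosoft.com short name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5000/auth/callback"
SIGNIN_POLICY = "B2C_1_signup_signin"       # policy names from the page
PASSWORD_RESET_POLICY = "B2C_1_pwd_reset"
FORGOT_PASSWORD_CODE = "AADB2C90118"

# Constructed sample of the callback B2C sends after the user clicks "Forgot your password?"
# (assumed format: the error code leads error_description).
SAMPLE_CALLBACK = (
    "https://localhost:5000/auth/callback?error=access_denied"
    "&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password."
    "%0D%0ACorrelation+ID%3A+00000000-0000-0000-0000-000000000000"
    "&state=abc123"
)


def authorize_url(policy, state, nonce):
    """Build an Azure AD B2C authorization request for the given policy."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
    }
    return f"{base}?{urlencode(params)}"


def forgot_password_requested(callback_url, expected_state):
    """True only if the callback carries AADB2C90118 *and* answers a request this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    if expected_state is None or query.get("state", [None])[0] != expected_state:
        return False  # state mismatch: not our request, ignore the error entirely
    error = query.get("error", [""])[0]
    description = query.get("error_description", [""])[0]
    return error == "access_denied" and FORGOT_PASSWORD_CODE in description


def handle_callback(callback_url, session):
    """Return the URL to redirect the user to for the password reset policy, or None.

    `session` is the app's server-side session dict; it must already hold the `state`
    issued with the original sign-in request. A new state and nonce are minted for
    the reset request and stored so the next callback can be validated the same way.
    """
    if not forgot_password_requested(callback_url, session.get("state")):
        return None
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return authorize_url(PASSWORD_RESET_POLICY, session["state"], session["nonce"])


if __name__ == "__main__":
    sess = {"state": "abc123"}
    print("sign-in request :", authorize_url(SIGNIN_POLICY, sess["state"], "n0"))
    print("reset redirect  :", handle_callback(SAMPLE_CALLBACK, sess))
```

The same callback handler should treat any other access_denied error as a normal sign-in failure; only the AADB2C90118 code is re-routed to the reset policy, and only after the state check has passed.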

Create a password reset user flow

To let your application users reset their passwords, create a password reset user flow:

  1. In the Azure portal, go to the Azure AD B2C tenant overview.
  2. In the left menu under Policies, select User flows, and then select New user flow.
  3. In Create a user flow, select the Password reset user flow.
  4. Under Select a version, select Recommended, and then select Create.
  5. For Name, enter a name for the user flow. For example, passwordreset1.
  6. For Identity providers, enable Reset password using username or Reset password using email address.
  7. Under Multifactor authentication, if you want to require users to verify their identities by using a second authentication method, select the method type and when to enforce multifactor authentication. Learn more.
  8. Under Conditional access, if you've configured conditional access policies for your Azure AD B2C tenant and you want to use them in this user flow, select the Enforce conditional access policies checkbox. You don't need to specify a policy name.
  9. Under Application claims, select Show more. Choose the claims you want returned in the authorization tokens that are sent back to your application. For example, select User's Object ID.
  10. Select OK.
  11. Select Create to add the user flow. A prefix of B2C_1 is automatically added to the name.

Test the user flow

To test the user flow:

  1. Select the user flow you created. On the user flow overview page, select Run user flow.
  2. For Application, select the web application you wish to test, such as the one named webapp1 if you registered that earlier. The Reply URL should be https://jwt.ms.
  3. Select Run user flow, verify the email address of the account that you want to reset the password for, and then select Continue.
  4. Change the password, and then select Continue. The token is returned to https://jwt.ms and the browser displays it.

Create a password reset policy

Custom policies are a set of XML files that you upload to your Azure AD B2C tenant to define user journeys. We provide starter packs that have several pre-built policies, including sign up and sign in, password reset, and profile editing policies. For more information, see Get started with custom policies in Azure AD B2C.

Troubleshoot Azure AD B2C user flows and custom policies

Your application needs to handle certain errors coming from the Azure AD B2C service. Learn how to troubleshoot Azure AD B2C's user flows and custom policies.

Next steps

Sign-up and Sign-in with embedded password reset.