Local account created in AzureAD B2C with “forceChangePasswordNextLogin” cannot login anymore after initial password change

Front end | Unresolved | 1 | 2155
闹比i 2020-12-21 05:40

I have a WebAPI creating local account in an AzureAD B2C tenant through the AzureAD Graph API. When users are created, they receive an invitation email with a temporary pass

1 answer
  •  借酒劲吻你
    2020-12-21 06:15

    It is written in the docs and explicitly explained:

    "passwordProfile": {
        "password": "P@ssword!",
        "forceChangePasswordNextLogin": false   // always set to false
    },
    "passwordPolicies": "DisablePasswordExpiration"
    

    So, as described in the docs, always set the forceChangePasswordNextLogin to false! Also, when using B2C always set the passwordPolicies to DisablePasswordExpiration.

    In your provided code sample you do 2 (two) things wrong:

    1. You force password change the next login via

      user.PasswordProfile.ForceChangePasswordNextLogin = true;

    2. You do not explicitly disable password expiration.

    When using Azure AD B2C it is very important to read the docs first, before taking actions. It is different than a normal Azure AD. And everything is explained in the docs. If you see some missing or wrongful information, please use the feedback form at the bottom of each documentation page.

    A feature request to enforce password reset/change upon next login is already logged here. You can give your vote to make it higher in the priority list.

    As last resort, if you really want to implement this, it might be possible using custom policies (REST API to implement logic to check if the user should change his password).

    0  Discussion (0)
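The two settings the answer calls out, as an added example that is not part of the thread and not the asker's C# code: a small Python helper that builds the Azure AD Graph user-creation body for a B2C local account and a check that flags the asker's two mistakes (forceChangePasswordNextLogin set to true, passwordPolicies missing DisablePasswordExpiration). The field names (creationType, signInNames, passwordProfile, passwordPolicies) and the graph.windows.net endpoint shape are those of the legacy Azure AD Graph user resource; the tenant name, e-mail address and password are constructed sample values, and the function only builds and checks the body, it does not send the request.

```python
"""Build and sanity-check an Azure AD B2C local-account creation body.

Added example, not code from the original thread. The endpoint and field names
follow the legacy Azure AD Graph (graph.windows.net) user resource; the sample
tenant, e-mail and password below are constructed values.
"""
from typing import Any, Dict, List

GRAPH_BASE = "https://graph.windows.net"  # legacy Azure AD Graph base URL
API_VERSION = "1.6"


def users_endpoint(tenant: str) -> str:
    """URL for POST /{tenant}/users on the Azure AD Graph API."""
    return f"{GRAPH_BASE}/{tenant}/users?api-version={API_VERSION}"


def build_local_account(email: str, display_name: str, password: str,
                        force_change: bool = False,
                        disable_expiration: bool = True) -> Dict[str, Any]:
    """Return the JSON body for creating a B2C local (e-mail + password) account.

    The defaults produce the body the answer recommends; passing
    force_change=True / disable_expiration=False reproduces the asker's setup.
    """
    body: Dict[str, Any] = {
        "accountEnabled": True,
        "creationType": "LocalAccount",            # local B2C user, not a federated one
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextLogin": force_change,  # must stay false on B2C
        },
    }
    if disable_expiration:
        # passwordPolicies is a comma-separated string in Azure AD Graph
        body["passwordPolicies"] = "DisablePasswordExpiration"
    return body


def b2c_password_findings(body: Dict[str, Any]) -> List[str]:
    """Flag the two settings that make a B2C local account unusable after the
    first password change, as described in the answer."""
    findings: List[str] = []
    profile = body.get("passwordProfile", {})
    if profile.get("forceChangePasswordNextLogin") is not False:
        findings.append(
            "passwordProfile.forceChangePasswordNextLogin must be false for B2C local accounts")
    policies = {p.strip() for p in str(body.get("passwordPolicies", "")).split(",") if p.strip()}
    if "DisablePasswordExpiration" not in policies:
        findings.append("passwordPolicies must include DisablePasswordExpiration")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the tenant name is a placeholder.
    tenant = "contoso.onmicrosoft.com"
    print("POST", users_endpoint(tenant))

    # The asker's configuration: two findings.
    wrong = build_local_account("user@example.com", "Sample User", "P@ssword!",
                                force_change=True, disable_expiration=False)
    for f in b2c_password_findings(wrong):
        print("finding:", f)

    # The configuration the answer recommends: no findings.
    right = build_local_account("user@example.com", "Sample User", "P@ssword!")
    print("findings for corrected body:", b2c_password_findings(right))
```

The check treats a missing forceChangePasswordNextLogin as a finding as well, since the answer's point is that the value must be explicitly false on B2C; splitting passwordPolicies on commas keeps the check correct when other policy values are combined with DisablePasswordExpiration.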