AD B2C forceChangePasswordNextLogin for user flow “Sign in v2” doesn't initiate a password reset and prevents a successful login

Question

I am creating new users in Azure AD B2C using the graph client api. The json i send to the api looks like the following:

{
    "creationType": "LocalAccount",
    "passwordProfile": {
        "password": "a:898;keJPpN/69X",
        "forceChangePasswordNextLogin": true
    },
    "passwordPolicies": "DisablePasswordExpiration",
    "objectId": null,
    "accountEnabled": true,
    "displayName": "John Doe",
    "mailNickname": "john.doe",
    "signInNames": [
        {
            "type": "emailAddress",
            "value": "john.doe@provider.com"
        }
    ]
}

The user is then created correctly. However, once I try to login with the newly created user using the flow "Sign in v2", I get the following error message: Invalid username or password. Looking at the sign-in attempts, the failed attempt all failed with

Status: Interrupted
Sign-in error code: 50055
Failure reason: Invalid password, entered expired password.

Starting a "Password reset v2"-flow by clicking "Forgot your password?" does correctly trigger a password reset flow with email confirmation. After entering the sent confirmation code and setting a new password, the login works as expected.

If I set the "forceChangePasswordNextLogin" : false, the first login works as expected. However, in this case the user is not forced to change his one-time-password. So this is not really an option. Also interesting: When using the flow "Sign in" (without v2), everything works as expected and the user is forced to change the password on the first login. However, as this flow does not support custom styling, this is also not an option.

What do I have to do to get the "Sign in v2" flow to correctly trigger a password change on the first login of a user?

Answer 1

Rather than setting passwordProfile.forceChangePasswordNextLogin to true, you can create a custom attribute (e.g. ForceResetPasswordNextLogin), set this to true when you create the local account, and then issue this as an application claim from the sign-in policy to your B2C application. After sign-in, if it is set to true, then your B2C application can initiate the password reset policy. After password reset, then your B2C application can set it to false.

You can otherwise consider a custom policy from the starter pack that includes a password change step.