问题
I am using Graph API to create user and this is how i am creating a user
let payload = {
"displayName": value.data.displayName,
"identities": [
{
"signInType": "userName",
"issuer": "{tenantName}.onmicrosoft.com",
"issuerAssignedId": value.data.memberNumber
},
{
"signInType": "emailAddress",
"issuer": "{tenantName}.onmicrosoft.com",
"issuerAssignedId": value.data.email
}
],
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": value.password
},
"passwordPolicies": "DisableStrongPassword"
}
When i create user using "forceChangePasswordNextSignIn": true in passwordProfile, i always get an error shown in image below i.e. password has expired even on first login.
回答1:
It should be a limitation currently.
You can refer to a previous similar post to learn about the sign-in policy. The sign-in policy validates a user credential by sending a grant_type=password request to the Azure AD B2C directory. If the forceChangePasswordNextLogin property is set to true, this request returns an "user_password_expired" error. The sign-in policy handles this error by displaying the "Invalid email address/user or password" error.
So as Chris Padgett suggested, you can create a custom attribute (e.g. ForceResetPasswordNextLogin), set this to true when you create the local account, and then issue this as an application claim from the sign-in policy to your B2C application.
After sign-in, if it is set to true, then your B2C application can initiate the password reset policy. After password reset, then your B2C application can set it to false.
Custom policy is also a choice.
来源:https://stackoverflow.com/questions/61234596/not-prompting-change-password-on-first-signin