
I am not able to remove the email verification step in password reset. I tried adding the orchestration step to trustframeworkextensions.xml. I keep getting an error message when I upload the policy. The error is: "Error: User journey must be preceded by a claims provider selection".

I looked at a similar post at Azure AD B2C Password Reset policy without email verification step. I tried the solution mentioned in Remove Verification, but I am still getting the same error. Any help?

Here is the UserJourney that I moved from TrustFrameworkExtensions.xml to TrustFrameworkBase.xml:

```xml
<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```
Kris

2 Answers


For the email verification in the password reset policy, you could check in the Azure portal and then try to edit this policy in the portal. For the details, you can read built-in policies.

SunnySun
  • In the Reset Password policy you showed above, there is no way to select Email Address, go to 'page customization UI' and remove verification. This option is available for the sign-up policy, but not for the PasswordReset policy. So, this will not solve the issue. – Kris Aug 23 '18 at 17:26

Moving the userjourney from trustframeworkextensions.xml to TrustFrameworkBase.xml will fix this.

If that does not work, try the steps below. These changes will ask the user for the username and the email, and both will be verified against AD.

1. Add the claims below

```xml
<ClaimType Id="EmailPlaceHolder">
  <DisplayName>Enter your Email</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Enter your Email</UserHelpText>
  <UserInputType>TextBox</UserInputType>
  <Restriction>
    <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'^_{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
  </Restriction>
</ClaimType>

<ClaimType Id="UserNamePlaceHolder">
  <DisplayName>Enter your Username</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Enter your Username</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>
```

2. Add the user journey below

```xml
<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

3. Make changes to the LocalAccountDiscoveryUsingLogonName technical profile

```xml
<TechnicalProfile Id="LocalAccountDiscoveryUsingLogonName">
  <DisplayName>Reset password using logon name</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="UserNamePlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="EmailPlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

4. Add/modify the AAD-UserReadUsingLogonName technical profile

```xml
<TechnicalProfile Id="AAD-UserReadUsingLogonName">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="UserNamePlaceHolder" PartnerClaimType="signInNames.userName" Required="true" />
    <InputClaim ClaimTypeReferenceId="EmailPlaceHolder" PartnerClaimType="email" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
```

If you want other attributes to be verified as well, add them to LocalAccountDiscoveryUsingLogonName and use them for validation in AAD-UserReadUsingLogonName.

PartnerClaimType="Verified.Email" is the one which will ask the user to verify the email by sending the verification code.

Jagadish KM
  • Moving the userjourney from trustframeworkextensions.xml to TrustFrameworkBase.xml did not fix it. Just an update for you. – Kris Aug 23 '18 at 18:55
  • Can you paste your userjourney? – Jagadish KM Aug 23 '18 at 19:14
  • I posted the updated userjourney in my original question since it can't be added to comments. – Kris Aug 23 '18 at 21:06
  • @ADB2C community & product PMs - Can anyone share a working example? – Kris Aug 31 '18 at 01:02
  • @Kris Can you look at [this](https://stackoverflow.com/questions/52048627/add-restrictions-to-custom-policy-and-make-claim-optional-azure-b2c?noredirect=1#comment91151035_52048627) , might help you. – Jagadish KM Sep 01 '18 at 02:34
  • @Jagadish - the pattern will not stop the verification process. I want to eliminate the entire verification process on the Password Reset policy. – Kris Sep 01 '18 at 20:48
  • In the LocalAccountDiscoveryUsingLogonName technical profile, remove email from the output claims and add any other field which you want to verify against the user attributes. After that, you should make the changes to the AAD-UserReadUsingLogonName profile. – Jagadish KM Sep 04 '18 at 13:13
  • Are you still getting the same error "Error: User journey must be preceded by a claims provider selection"? – Jagadish KM Sep 06 '18 at 13:57
  • No. I added all the 4 steps mentioned above to Trustframeworkbase.xml and removed PartnerClaimType="Verified.Email" and uploaded the policy. But it still asks for verification process. – Kris Sep 06 '18 at 21:27
  • Check out [this](https://stackoverflow.com/questions/49923615/azure-ad-b2c-password-reset-policy-without-email-verification-step) – Jagadish KM Sep 12 '18 at 20:30
  • I did the same. That is what I mentioned in my previous comment: I added all 4 steps. It did not work. – Kris Sep 13 '18 at 01:06
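As an added example (not code from the question or from either answer), here is a small Python lint that parses a B2C policy file and checks one user journey for the two things this thread turns on: whether each ClaimsExchange references a defined TechnicalProfile (and whether a step with more than one ClaimsExchange directly follows a ClaimsProviderSelection step, which is my reading of the "must be preceded by a claims provider selection" error in the question), and whether any profile on the journey still carries PartnerClaimType="Verified.Email", which the answer identifies as the setting that triggers the verification code. The embedded policy is constructed from the PasswordReset journey above with stub technical profiles; the ClaimsExchange Ids in it are mine.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed, minimal policy (not a real upload): the journey from the answer plus stubs.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="LocalAccountDiscoveryUsingLogonName"><OutputClaims>
   <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" />
  </OutputClaims></TechnicalProfile>
  <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId" />
  <TechnicalProfile Id="AAD-UserReadUsingObjectId" />
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="PasswordReset"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="Discover" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingLogonName" />
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="ReadUser" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
 </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

def lint_journey(policy_xml: str, journey_id: str) -> dict:
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id"): tp for tp in root.iterfind(".//b:TechnicalProfile", NS)}
    journey = root.find(f".//b:UserJourney[@Id='{journey_id}']", NS)
    if journey is None:
        raise ValueError(f"no UserJourney with Id={journey_id!r}")
    errors, email_verified, prev_type = [], False, None
    for step in journey.iterfind("b:OrchestrationSteps/b:OrchestrationStep", NS):
        order, exchanges = step.get("Order"), step.findall("b:ClaimsExchanges/b:ClaimsExchange", NS)
        # Engine rule as I read the error in the question: several ClaimsExchanges in one
        # step are only allowed directly after a ClaimsProviderSelection step.
        if len(exchanges) > 1 and prev_type != "ClaimsProviderSelection":
            errors.append(f"step {order}: {len(exchanges)} ClaimsExchanges but no preceding ClaimsProviderSelection")
        for ex in exchanges:
            tp = profiles.get(ex.get("TechnicalProfileReferenceId"))
            if tp is None:  # dangling reference; the upload would reject this too
                errors.append(f"step {order}: unknown TechnicalProfile {ex.get('TechnicalProfileReferenceId')!r}")
            # The answer names PartnerClaimType="Verified.Email" as the trigger for the code check.
            elif any(c.get("PartnerClaimType") == "Verified.Email" for c in tp.iter(f"{{{NS['b']}}}OutputClaim")):
                email_verified = True
        prev_type = step.get("Type")
    return {"errors": errors, "email_verified": email_verified}
```

Run over a real TrustFrameworkBase.xml after the verification has been stripped, `email_verified` coming back False is the thing to look at: the reset journey then writes a new password on the strength of a username and an email address alone, with nothing proving the requester controls that mailbox.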