Pilsen

Reputation: 127

Can't reset B2C account password create via the Graph API

Hoping someone can shed some light on the following matter:

I have an Angular & .NET Core Web API application that uses Azure B2C to authenticate users. User accounts are created by the users themselves via the sign-in/sign-up custom policy, or an administrator can create accounts via the app using the Graph API.

Due to the requirements, the app uses usernames (as opposed to email addresses) to log into the application. So far I've managed to get everything working except for the following scenario:

When an account is created via the Graph API, the owner of that account cannot reset the account's password. The error is "An account could not be found for the provided user ID".

This isn't the case for accounts that get created via the custom sign-up policy, so I did some comparison and found that for those accounts that get created via the Graph API, the Email is missing (which can be found under User -> Authentication Methods). I looked at populating that field, but it appears the "Mail" attribute is 'read only' (not sure if that's the right attribute anyway).

At the moment I'm having to manually set the email via Azure so those accounts' passwords can be reset by their owners if necessary. This is obviously not ideal, and I wanted to see if anyone might have gotten around this issue, or at least get confirmation that this is indeed a limitation of the Graph API.

Thanks in advance for your help

Upvotes: 1

Views: 725

Answers (3)

Pilsen

Reputation: 127

So I managed to get this working using the approach outlined by Jas Suri. These are the steps that I went through:

  1. Created a custom attribute in my B2C tenant to hold the account email address
  2. Included the custom attribute claim type (extension_emailAddress) as well as the strongAuthenticationEmailAddress in the TrustFrameworkBase.xml
  3. Updated my app's custom policies to include the technical profile for local account discovery. I basically just copied the necessary bits and pieces from here
  4. Updated the local account discovery to perform the comparison against the extension_emailAddress instead of strongAuthenticationEmailAddress.
  5. Added an extra step to the Sign up user journey so that the value in strongAuthenticationEmailAddress is copied to extension_emailAddress
  6. Updated my Web API / Graph API "create user" function so that it sets the extension_appidguid_emailAddress

That's it. Now it doesn't matter how the account gets created, the email address will be stored in the extension attribute and the password reset will be able to find the account using that attribute.

Happy to provide more details if anyone comes across this.

Upvotes: 1
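Step 6 above is the Graph API side of the fix. The following is an added example (not the asker's code) of how that "create user" call can be built so a username-based local account always carries its recovery e-mail in the extension attribute. The tenant name, the b2c-extensions-app application ID, the username, e-mail and password are placeholders; the custom attribute is assumed to be named `emailAddress`, as in the steps above, and Graph exposes it as `extension_<extensions-app ID without dashes>_emailAddress`. The guard `missing_recovery_email` exists to catch exactly the failure described in the question (an account created without the attribute, which password reset then cannot find) before the request is sent.

```python
"""Create an Azure AD B2C local account that signs in with a username and
stores its recovery e-mail in a custom (extension) attribute.

Added example, not code from the original post. Tenant, extensions-app ID,
token and user details are placeholders.
"""
import json
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
CUSTOM_ATTRIBUTE = "emailAddress"  # assumption: the custom attribute created in step 1


def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    """Graph names a B2C custom attribute
    extension_<b2c-extensions-app client ID with dashes removed>_<attribute>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def build_b2c_user(tenant: str, extensions_app_id: str, username: str,
                   email: str, display_name: str, password: str) -> dict:
    """Payload for POST /users: a local account with signInType 'userName'
    plus the e-mail copied into the extension attribute that the custom
    password-reset policy (step 4) searches on."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{
            "signInType": "userName",       # username, not e-mail, is the login identifier
            "issuer": tenant,               # e.g. contoso.onmicrosoft.com
            "issuerAssignedId": username,
        }],
        "passwordProfile": {
            "forceChangePasswordNextSignIn": False,  # B2C has no Azure AD change-password screen
            "password": password,
        },
        "passwordPolicies": "DisablePasswordExpiration",
        extension_attribute_name(extensions_app_id, CUSTOM_ATTRIBUTE): email,
    }


def missing_recovery_email(payload: dict, extensions_app_id: str) -> bool:
    """True if the payload would create an account that password reset
    cannot find: the extension attribute is absent or empty."""
    key = extension_attribute_name(extensions_app_id, CUSTOM_ATTRIBUTE)
    return not payload.get(key)


def create_user(access_token: str, extensions_app_id: str, payload: dict,
                opener=urllib.request.urlopen) -> dict:
    """POST the user to Microsoft Graph. Refuses to create an account with no
    recovery e-mail. `opener` is injectable so the call can be exercised
    without network access; the token must carry User.ReadWrite.All."""
    if missing_recovery_email(payload, extensions_app_id):
        raise ValueError("refusing to create a B2C user without the "
                         f"{extension_attribute_name(extensions_app_id, CUSTOM_ATTRIBUTE)} attribute")
    req = urllib.request.Request(
        GRAPH_USERS,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; replace with your tenant, extensions-app ID and a real token.
    app_id = "12345678-abcd-ef01-2345-6789abcdef01"
    user = build_b2c_user("contoso.onmicrosoft.com", app_id, "jdoe",
                          "jdoe@example.com", "Jane Doe", "S0me-Str0ng-Passw0rd!")
    print(json.dumps(user, indent=2))
    # create_user("<access token>", app_id, user)
```

The sign-up policy still writes the verified address to strongAuthenticationEmailAddress and copies it into the extension attribute (step 5), so both creation paths end up with the same attribute populated and the password-reset journey from step 4 finds the account either way.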

Jas Suri - MSFT

Reputation: 11315

The problem is as you’ve identified, the Sign Up policy uses the strongAuthEmail attribute to store the verified email for a username based account. The Password reset policy will use this to verify the user owns the username. When creating the user with graph api, you can’t populate this field, it’s not exposed. The only option is to use a custom policy which stores this secure email in an extension attribute, and your graph api created users can then also target the same attribute to allow the stars to align.

Upvotes: 0

Tony Ju

Reputation: 15619

The Mail attribute is not the same as the Email under Authentication Methods, and currently there is no Graph API to set the Email value under Authentication Methods.


By the way, there is no need to create an Azure AD B2C user for a user, as users can sign up themselves.

Upvotes: 0
