Set "Password Reset verification code only sent if email is registered" as Default
Description
I propose setting the "Password Reset verification code only sent if email is registered" custom policy as Azure B2C's default.
This policy will not send a reset code to an unregistered email, improving user experience.
Why is this an important issue?
Sending a password reset to an unregistered email creates confusion. It's counterproductive and could worsen the user experience. They will believe they have an account when they actually don't...
Custom Policy Details
This policy works by:
- Taking the user's email and looking for a user in the directory.
- If a user is found, we have the objectId claim in the claims bag.
- Based on the existence of objectId in the claims bag, we send out the verification code.
<Action Id="SendCode">
  <ValidationClaimsExchange>
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-emailAddress" />
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode">
      <Preconditions>
        <!-- objectId is only in the claims bag when the lookup above found a user;
             with ExecuteActionsIf="false" the skip fires when objectId is absent -->
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationClaimsExchangeTechnicalProfile>
  </ValidationClaimsExchange>
</Action>
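To see how the exchange above branches, here is an added Python simulation (not Identity Experience Framework code and not from the samples repo): it parses the snippet and evaluates each technical profile's preconditions against stand-in implementations of the two referenced profiles and a constructed directory; it also handles the ClaimEquals precondition type, which the page does not use. The only input to the branch is whether the lookup populated objectId, so a registered and an unregistered address end in different outcomes, which is the behaviour the proposal trades for user experience and the one to keep in mind when reviewing it.

```python
import xml.etree.ElementTree as ET

# The validation exchange from the proposal, embedded so this runs offline.
SEND_CODE_XML = """<Action Id="SendCode">
  <ValidationClaimsExchange>
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-emailAddress" />
    <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AadSspr-SendCode">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationClaimsExchangeTechnicalProfile>
  </ValidationClaimsExchange>
</Action>"""

# Constructed stand-in directory (email -> objectId); not real tenant data.
DIRECTORY = {"alice@example.com": "00000000-0000-0000-0000-0000000000a1"}
def read_user_by_email(claims):
    """Stand-in for AAD-UserReadUsingEmailAddress-emailAddress: adds objectId only on a hit."""
    oid = DIRECTORY.get(claims.get("email", "").lower())
    if oid is not None:
        claims["objectId"] = oid
def send_code(claims):
    """Stand-in for AadSspr-SendCode: records that a verification code was issued."""
    claims["codeSent"] = True
PROFILES = {"AAD-UserReadUsingEmailAddress-emailAddress": read_user_by_email,
            "AadSspr-SendCode": send_code}

def precondition_fires(pre, claims):
    """True when the Precondition's Action applies: the test result must equal ExecuteActionsIf."""
    values = [v.text for v in pre.findall("Value")]
    if pre.get("Type") == "ClaimsExist":
        test = all(v in claims for v in values)
    elif pre.get("Type") == "ClaimEquals":  # Value[0] is the claim type, Value[1] the expected value
        test = claims.get(values[0]) == values[1]
    else:
        raise ValueError("unsupported precondition type: %s" % pre.get("Type"))
    return test == (pre.get("ExecuteActionsIf", "true").lower() == "true")

def run_validation_exchange(xml_text, email):
    """Run the technical profiles in order, honouring SkipThisValidationTechnicalProfile."""
    claims, executed = {"email": email, "codeSent": False}, []
    for tp in ET.fromstring(xml_text).iter("ValidationClaimsExchangeTechnicalProfile"):
        ref = tp.get("TechnicalProfileReferenceId")
        if any(precondition_fires(p, claims) and p.findtext("Action") == "SkipThisValidationTechnicalProfile"
               for p in tp.findall("Preconditions/Precondition")):
            continue
        PROFILES[ref](claims)
        executed.append(ref)
    return claims, executed
```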