I have a WebAPI creating local accounts in an Azure AD B2C tenant through the Azure AD Graph API. When users are created, they receive an invitation email with a temporary password. The user is created through the Graph API with a password profile that forces them to change their temporary password on first login.
user.PasswordProfile = new PasswordProfile();
user.PasswordProfile.Password = GetTemporaryPassword();
user.PasswordProfile.ForceChangePasswordNextLogin = true;
When the user logs in for the first time (through a B2C SignIn policy), they are effectively prompted to change their password, and everything works fine up to that point.
Once the user is logged in, if they sign out and then try to sign in right after, authentication always fails with the error message: We don't recognize this user ID or password. Please try again. Forgot your password?
If they use their previous temporary password, then it looks like authentication succeeds, but they are asked to change their password again. In that view, Current password does not match the original temporary password but the latest password instead.
I confirmed from the Graph API that, prior to the first login, the PasswordProfile is still attached to the user.
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "00000000-0000-0000-0000-000000000000",
...
"passwordProfile": {
"password": null,
"forceChangePasswordNextLogin": true,
"enforceChangePasswordPolicy": false
},
...
}
Then, after the initial password change, the PasswordProfile that forces the password reset is no longer there.
{
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "00000000-0000-0000-0000-000000000000",
....
"passwordPolicies": null,
"passwordProfile": null,
....
}
At that point, the only way for the user to sign in is to wait for some time (5-10 minutes) before they can log in with their latest password.
Any idea what the cause of this delay might be?
More importantly, how can this delay, and the poor user experience associated with it, be avoided?
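Added example, not part of the question above and not the poster's WebAPI code: it shows, in Python rather than the poster's C#, the three pieces a practitioner typically wants around this flow. A temporary password drawn from the OS CSPRNG (the `secrets` module) with every character class present, so it clears B2C's default complexity policy; the JSON body that the Azure AD Graph `users` endpoint expects for a B2C local account with `forceChangePasswordNextLogin` set; and a small check that reads a user object returned by Graph and reports whether the force-change flag is still pending, which is the inspection the poster did by hand. The two user objects at the bottom are constructed samples mirroring the question's JSON, the tenant/endpoint string and the `DisablePasswordExpiration` policy value are assumptions, and the function names (`temporary_password`, `create_local_account_body`, `force_change_pending`) are hypothetical.

```python
import secrets
import string

# Azure AD Graph create-user endpoint shape (assumption: tenant placeholder and
# api-version are illustrative; no network call is made in this example).
GRAPH_CREATE_USER_URL = "https://graph.windows.net/{tenant}/users?api-version=1.6"

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def temporary_password(length: int = 16) -> str:
    """Generate a one-time password from the OS CSPRNG.

    One character from each class is forced in, then the remainder is drawn
    from the full alphabet and the result is shuffled so the guaranteed
    characters do not sit in predictable positions.
    """
    if length < 8:
        # B2C local-account passwords must be at least 8 characters (assumption:
        # default policy; check the tenant's own password policy).
        raise ValueError("temporary password must be at least 8 characters")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def password_classes(password: str) -> int:
    """Count how many of the four character classes appear in a password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def create_local_account_body(display_name: str, email: str, temp_password: str) -> dict:
    """Request body for creating a B2C local account via Azure AD Graph.

    creationType/signInNames mark this as a local (not federated) account;
    passwordProfile carries the temporary password and the force-change flag
    the question is about. passwordPolicies value is an assumption.
    """
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {
            "password": temp_password,
            "forceChangePasswordNextLogin": True,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def force_change_pending(user: dict) -> bool:
    """True if a Graph user object still carries forceChangePasswordNextLogin.

    After the first successful change, Graph returns "passwordProfile": null,
    so a missing or null profile must be treated as 'not pending'.
    """
    profile = user.get("passwordProfile")
    if not profile:
        return False
    return bool(profile.get("forceChangePasswordNextLogin"))


# Constructed samples mirroring the two objects in the question (not real data).
USER_BEFORE_FIRST_LOGIN = {
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    "objectId": "00000000-0000-0000-0000-000000000000",
    "passwordProfile": {
        "password": None,
        "forceChangePasswordNextLogin": True,
        "enforceChangePasswordPolicy": False,
    },
}

USER_AFTER_PASSWORD_CHANGE = {
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    "objectId": "00000000-0000-0000-0000-000000000000",
    "passwordPolicies": None,
    "passwordProfile": None,
}

if __name__ == "__main__":
    pw = temporary_password()
    body = create_local_account_body("Jane Doe", "jane@example.com", pw)
    print(GRAPH_CREATE_USER_URL.format(tenant="contoso.onmicrosoft.com"))
    print(body)
    print("pending before:", force_change_pending(USER_BEFORE_FIRST_LOGIN))
    print("pending after:", force_change_pending(USER_AFTER_PASSWORD_CHANGE))
```

The checker is the useful bit when debugging the behaviour in the question: poll the user object after the first sign-in and log whether `force_change_pending` has flipped, so the moment the profile is cleared can be correlated with the window in which sign-in with the new password still fails.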