azure - Local account created in AzureAD B2C with "forceChangePasswordNextLogin" cannot login anymore after initial password change

Question

I have a WebAPI creating local account in an AzureAD B2C tenant through the AzureAD Graph API. When users are created, they receive an invitation email with a temporary password. User is created in the Graph API with a password profile to force them to change their temporary password on first login.

user.PasswordProfile = new PasswordProfile();
user.PasswordProfile.Password = GetTemporaryPassword();
user.PasswordProfile.ForceChangePasswordNextLogin = true;

When the user login for the first time (through a B2C SignIn policy), it is effectively prompted to change its password and everything is working fine up to that point.

Once the user is logged in, if he signs out then tries to sign in right after, authentification always fails with error message We don't recognize this user ID or password. Please try again. Forgot your password?.
If he uses its previous temporary password then it looks like authentication succeed, but he is asked to change its password again. In that view, Current password does not match the original temporary password but the latest password instead.

I confirmed from the Graph API than prior the first login, the PasswordProfile is still attached to the user.

{
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    "objectId": "00000000-0000-0000-0000-000000000000",
    ...
    "passwordProfile": {
        "password": null,
        "forceChangePasswordNextLogin": true,
        "enforceChangePasswordPolicy": false
    },
    ...
}

Then after the initial password change, the PasswordProfile to force password reset is no longer here.

{
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    "objectId": "00000000-0000-0000-0000-000000000000",
    ....
    "passwordPolicies": null,
    "passwordProfile": null,
    ....
}

At that point, the only solution for the user to be able to sign in is to wait for some time (5-10 minutes) prior to be able to login with its latest password.

Any idea about what can be the cause of this delay?
More importantly, How to avoid this delay and the poor user experience associated to it?

Answer 1

It is written in the docs and explicitly explained:

"passwordProfile": {
    "password": "P@ssword!",
    "forceChangePasswordNextLogin": false   // always set to false
},
"passwordPolicies": "DisablePasswordExpiration"

So, as described in the docs, always set the forceChangePasswordNextLogin to false! Also, when using B2C always set the passwordPolicies to DisablePasswordExpiration.

In your provided code sample you make 2 (two) wrong things:

1. You force password change the next login via

   user.PasswordProfile.ForceChangePasswordNextLogin = true;

2. You do not explicitly disable password expiration.

When using Azure AD B2C it is very important to read the docs first, before taking actions. It is different then a normal Azure AD. And everything is explained in the docs. If you see some missing or wrongful information, please use the feedback form at the bottom of each documentation page.

A feature request to enforce password reset/change upon next login is already logged here. You can give your vote to make it higher in priority list.

As last resort, if you really want to implement this, it might be possible using custom policies (REST API to implement logic to check if the user should change his password).