We have implemented an Azure AD B2C custom policy, and while all flows work fine in our test environment, the password expiry flow does not function correctly in production. Here are the details:
Problem Description:
Whenever a user logs in to the production environment, they immediately see the password expiry screen and are prompted to set a new password. This issue does not occur in our test environment, where the password expiry flow works as expected.
Environment Details:
- Test Environment:
  - Test Azure AD B2C directory.
  - Custom policies configured and working correctly, including password expiry.
- Production Environment:
  - Production Azure AD B2C directory.
  - Same custom policies copied from the test environment with updated client IDs, secrets, etc.
  - Password expiry flow is not working.
Configuration and Permissions:
- Both environments have the following permissions granted: Directory.ReadWrite.All, User.ReadWrite.All
- Both environments have the same configurations for IdentityExperienceFramework and ProxyIdentityExperienceFramework.
- We use a custom user attribute in Azure AD B2C named extension_passwordResetOn to set the password reset date when a user sets their password for the first time.
- The implementation was based on this documentation: Azure AD B2C User Flow Custom Attributes.
Observations:
- In the test environment, the B2C extensions app can set and get the custom attribute extension_passwordResetOn.
- In the production environment, the B2C extensions app is unable to set the extension_passwordResetOn attribute.
- Both environments have the same permissions, except for the deprecated Azure Active Directory Graph permissions, which we cannot add to production. We have instead added the new Microsoft Graph permissions as recommended by Microsoft.
Steps Taken:
- Verified that all configurations and policies in production match those in the test environment.
- Confirmed that all necessary permissions are granted in both environments.
- Attempted multiple troubleshooting steps, but the issue persists only in the production environment.
Request for Assistance:
We seek guidance on resolving this issue. Specifically, we need help understanding why the custom attribute extension_passwordResetOn can be set in the test environment but not in production, despite identical configurations and permissions.
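For readers comparing the two directories, here is the shape of the custom-policy wiring that an extension attribute such as extension_passwordResetOn depends on. This is an added illustration, not the poster's policy: the two GUIDs are placeholders for the ApplicationObjectId and ClientId of the b2c-extensions-app in the directory the policy is uploaded to (these differ between the test and production tenants and are not covered by swapping relying-party client IDs and secrets), the dateTime data type and the technical profile names from the B2C starter pack are assumptions, and populating the claim value is left to the existing flow.

```xml
<!-- Fragments of TrustFrameworkExtensions.xml (added example, not the original policy) -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- The extension attribute is declared like any other claim -->
    <ClaimType Id="extension_passwordResetOn">
      <DisplayName>Password reset on</DisplayName>
      <DataType>dateTime</DataType>
      <UserHelpText>Timestamp of the last password change</UserHelpText>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Tenant-specific: take both values from the b2c-extensions-app
           registered in THIS directory. Placeholder GUIDs below. -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
        </Metadata>
      </TechnicalProfile>

      <!-- Persist the attribute when the password is written -->
      <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_passwordResetOn" />
        </PersistedClaims>
      </TechnicalProfile>

      <!-- Read it back on sign-in so the expiry step has a date to compare -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_passwordResetOn" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

If the read profile returns no value for the claim, the expiry logic downstream sees an unset date, so checking what the read step actually returns in each tenant is a useful first diagnostic.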