How can we improve Azure Active Directory?

"Change password" policy

Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.

110 votes
Sign in
(thinking…)
Sign in with: oidc
Signed in as (Sign out)

We’ll send you updates on this idea

AdminAzure AD Team (Software Engineer, Microsoft Azure) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

We are in the process of planning this feature and hope to have a preview available by the end of november. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:

- If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
- Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that let’s you do it all on the same page?
- Would you want an email to get sent out to the user whenever the password is changed?

13 comments

Sign in
(thinking…)
Sign in with: oidc
Signed in as (Sign out)
Submitting...
  • Shaik Abdul Khader Basha commented  ·   ·  Flag as inappropriate

    1) "/" would be the better option also output claims whatever user expect.

    2) It would be better to change password without login if the user was already logged in. Keep Old password, New password and Confirm new password fields. Verify the old password and change the new password.

    3) This can keep like Boolean option like if the user select true then the email will send to the user's inbox and if false email will not send.

  • Ronald Verhaegen commented  ·   ·  Flag as inappropriate

    Q: If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
    A: /

    Q: Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that let’s you do it all on the same page?
    A: It would be better that the user doesn't need to sign in on this page (because the user is already signed in) but just change the password based on: Old password, New password, Confirm new password.

    Q: Would you want an email to get sent out to the user whenever the password is changed?
    A: Depends. It would be best if this is a setting.

  • Shwetank commented  ·   ·  Flag as inappropriate

    When you are planning to add old password verification as part of change password?

  • Graham Freckleton commented  ·   ·  Flag as inappropriate

    Password change implies that the user has already successfully logged in and is using the application. Our current (database-based) password change (vs. password reset) process prompts for the old password (in addition to the new password) and verifies it before making the password change.

    OWASP recommends that the user can change their password using this approach. Supplying the old password prevents a drive-by password change on a (temporarily) absent user's computer, or a loss of control of the token/session.

    Note that OWASP recommends this approach - see the "Test Password Change" section at the bottom of this page:

    https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)

    and Step 6) here (ignoring security questions response):

    https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet

    Given that password changes can be made via the Graph API, being able to supply the old password for verification would fit the bill.

    Finally, we don't use B2C Edit Profile since our applications manage this.

  • Christian Morante commented  ·   ·  Flag as inappropriate

    Indeed the experience to which the user is accustomed is to enter his previous password and then enter a new one, then he should take it out of the authenticated session to ask the user to be authenticated again, if this process, according to his criteria is already outdated or Old fashioned, please feel free to suggest us the best alternative to offer a good experience to the consumer user in this area

  • AdminAzure AD Team (Software Engineer, Microsoft Azure) commented  ·   ·  Flag as inappropriate

    Thank you for the feedback guys, keep it coming.
    We've got enough information to get a better sense on the ask. This will remain unplanned at least for this half of the year. We'll provide an update as we come out of our next planning cycle in the middle of this year.

    /Saca

  • Dave Kessler commented  ·   ·  Flag as inappropriate

    The driver is to indeed offer a simple experience for someone that currently knows their password but wants to change it for security purposes. Many systems offer this as part of the "Edit/Maintain Profile" once a user is logged in. In the Fin Services space, we have customers who can get concerned that someone else in their family has figured out their password, so they want to forcibly choose a new one. It is not intuitive for them to follow a "Forgot Password" journey because to them they didn't forget their password ... they just want to change it. I concur with Chris' thoughts on navigating to a page served by B2C that would then re-direct back upon change completion. However, if we could also handle via a call to the GraphAPI, we could certainly handle the collection of the new password within our own UI -- as we really wouldn't need to confirm the current password since they are already authenticated and logged in.

  • Tino Schnerwitzki commented  ·   ·  Flag as inappropriate

    I agree with Chris. There should be an additional policy for changing your password, without requiring the user to "forget" their password. They authenticated themselfs successfully. Therefore they're identified. If we do not activate two factor authentication for logging in, it shouldn't be enforced for changing your password. Howether a notification that "someone" changed your password, could be useful.

    This function is actually already present. We create users by using graph api with an initial password. When the user tries to login for the first time, he is forced to enter the "old" and the "new" password. That is essentially the form we are looking for to show on demand. There is only one difference. If the user cancels the "change password" policy, his old password should stay intact an he is still logged in.

  • Justin Blau commented  ·   ·  Flag as inappropriate

    For me, this ask is for an already authenticated and signed in user to change their password without having to prove their authenticity a second time through email. It assumes that the user can keep their accounts secure on their own.

  • Chris Anderson commented  ·   ·  Flag as inappropriate

    For us, the primary driver is user experience. As it is right now, using the "Forgot Your Password?" link on the login screen isn't intuitive for users who just want to change their password after logging in. It isn't clear to a user that in order to change their password they need to log out of the system, click "Forgot Your Password?".

    What I would like to see is something similar to how the current login page works:

    For logging in, Microsoft serves up the login page a URL similar to "https://login.microsoftonline.com/TENNANT_NAME/POLICY_NAME/oauth2/" and we are able to supply, via a policy, the location of an HTML template that wraps login form so the page has our branding.

    I would like to see something similar for the Change Password page. We would supply a link on the user's profile page that says "Change Password". That link would direct them to a page, served by Microsoft, that has fields for "Current Password", "New Password" and "Confirm New Password". We would also be able to give a location of an HTML file so we have our branding on that page, just like the login page. We would also need to be able to give a URL to redirect to after the password is changed, unless re-logging in would need to be required.

    In a perfect world, we would be able to actually integrate/embed the form onto our "My Profile" page so the user experience is even more seamless, but redirecting to a Microsoft hosted page would be acceptable, as well.

  • Chris Anderson commented  ·   ·  Flag as inappropriate

    Unfortunately, the link John Barrins posted is related to resetting a password, not changing a password. We need a way for a user to change their password after they've already logged in. A link that we could put into a user's My Profile page that we could put our branding onto (just like on the sign-in pages).

Feedback and Knowledge Base