AADB2C: Password Expiration
Unlike Azure AD, B2C does not allow you to set a password expiration policy. Please allow a similar capability in B2C to set both a password expiry and the lead time before a notice is sent to the user that their password is about to expire.
Per NIST requirements, this is not something that actually helps in improving security. We will instead invest in features such as banning common passwords and setting custom password complexities.
However, if this is core to your success, we have a sample of how to accomplish this here: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-after-90-days
Richard Beesley commented
Any update on this? Whilst I agree with @Bill that password expiry can cause weak passwords, there isn't enough in B2C to force stronger passwords at the moment.
If there were AAD features such as the globally banned list (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad) then it would be more acceptable but at the moment I can still choose "P@ssw0rd" and pass the complexity rules.
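To make the "P@ssw0rd" point concrete, here is a small added example (not code from this thread, from Microsoft, or from the B2C sample) that contrasts a typical complexity rule with a banned-word check. It models, in simplified form, the normalisation and fuzzy matching that Microsoft documents for Azure AD Password Protection; the banned list, the substitution table and the complexity rule are constructed assumptions for illustration, not the real global list or B2C's actual strength rules.

```python
import re

# Constructed stand-in for a global banned list (assumption: the real Microsoft
# list is not published; these are just common base words).
BANNED_BASE_WORDS = {"password", "contoso", "welcome", "letmein", "qwerty"}

# Leet-style substitutions undone before matching (assumption: a simplified
# version of the normalisation documented for Azure AD Password Protection).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "3": "e", "!": "i"})


def meets_complexity(pw: str) -> bool:
    """Typical 'complexity' rule: at least 8 characters and 3 of 4 classes.
    Stand-in for a built-in strength rule; it is not B2C's actual code."""
    classes = [
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def normalize(pw: str) -> str:
    """Lower-case and undo common character substitutions."""
    return pw.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are equal or differ by one substitution, insert or delete."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is one character shorter: skip the common prefix, then the rest must match
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def banned_matches(pw: str) -> list:
    """Banned base words found in the normalised password, either as a
    substring or within one edit of the whole password."""
    norm = normalize(pw)
    return [w for w in sorted(BANNED_BASE_WORDS) if w in norm or within_one_edit(norm, w)]


def is_acceptable(pw: str) -> bool:
    """A password must pass complexity AND not match the banned list."""
    return meets_complexity(pw) and not banned_matches(pw)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Passw0rd1", "Tr1ckyPhrase-Fjord"]:
        print(candidate, "complexity:", meets_complexity(candidate),
              "banned:", banned_matches(candidate), "accepted:", is_acceptable(candidate))
```

"P@ssw0rd" satisfies the complexity rule (length 8, four character classes) but normalises to "password" and is rejected, which is exactly the gap the comment above describes. The real service also scores partial matches and combines the global list with a tenant-specific one; this block only shows the core normalise-then-match idea.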
Has this feature been released? Is there a way to use MSOLservice to command B2C tenant local users?
@Dennis: NIST no longer recommends a password expiry since it often results in worse passwords:
[Deleted User] commented
Can we get an update? Can this be done already in Azure AAD B2C? I did a quick search and cannot find any documentation for this.