AADB2C Password history policy
Allow us to set passwords must not be the same as the previous passwords used by a user. The number should be configurable, so not the same as the last 10 passwords used by the individual for example.
Gaute Stakston commented
Definitely a security vulnerability that should have been prioritized. Since we are in the hands of Microsoft to fix this, this is really not good.
Adhiraj Bose commented
We also have a similar requirement for our client.
The current feature available bans the use of the most common strings, not the previous "n" passwords.
Douglas Woods commented
It would also be useful to be able to prevent reuse of sequential passwords, i.e. foo1, foo2, foo3, etc.
This is a must-have feature indeed. Most organizations have this as one of the password policy rules they need to be compliant with.
Oscar Sadder commented
Not having this makes it tough to pass security and pen tests. Please add it, as our clients are doubting the use of B2C because it does not comply with good password policies.
Alex Fagundes commented
Please consider adding this feature. We have a couple of customers kicking and screaming that this is not doable...
Sameer Salunke commented
We also have a similar requirement. A user should not be able to reset their password to any of their previous 12 passwords. Currently this feature is not supported in Azure B2C AD, but it is a security requirement from the customer. Do you have any roadmap for this password history feature in Azure B2C AD?
A user should not be allowed to use any of their previous 4 passwords.
Is it possible in Azure B2C? If yes, how?
Greenstreet, John commented
One of our clients demands that passwords be changed monthly and that the new password be different from the last 15 passwords. Right now this is a deal-breaker in us going with Azure B2C!
This is one of the mandatory requirements for many Australian governmental services.
I second this. There are enterprise restrictions which mandate this feature.
Donnie Byrd commented
I second this. We are struggling with implementing the PCI DSS requirements specifically requirement 8.2.5 that requires users not to be able to use one of the last four passwords.
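The thread asks for two things: rejecting a new password that matches any of the last N passwords (the original request and the PCI DSS 8.2.5 "last four" comment above), and rejecting sequential variants such as foo1, foo2, foo3 (the Douglas Woods comment). The following is an added illustration of how such a check is typically built; it is not code from Azure AD B2C or from anyone in this thread, and the history depth, PBKDF2 work factor and the `normalize_stem` rule are assumptions chosen for the example.

```python
"""Password-history and sequential-variant checks (added illustration, not B2C code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from collections import deque

PBKDF2_ROUNDS = 50_000  # assumed work factor for the example; tune for your hardware


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) so the salt can be reused
    later to re-hash a candidate against a stored entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def normalize_stem(password: str) -> str:
    """Strip trailing digits and case so foo1 / Foo2 / foo03 all share the stem 'foo'.
    This is an assumed, deliberately simple similarity rule."""
    return re.sub(r"\d+$", "", password).lower()


class PasswordHistory:
    """Keeps the salted hashes of the last `depth` passwords for one account.

    Only hashes are retained, so the history reveals no plaintext. A candidate
    is re-hashed under each stored salt and compared in constant time. The
    deque evicts the oldest entry automatically once `depth` is exceeded.
    """

    def __init__(self, depth: int = 4) -> None:
        self.depth = depth
        self._entries: deque[tuple[bytes, bytes]] = deque(maxlen=depth)

    def was_used(self, candidate: str) -> bool:
        return any(
            hmac.compare_digest(hash_password(candidate, salt)[1], digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        """Call whenever a password is successfully set; the current password is
        therefore always the newest entry and counts toward the history."""
        self._entries.append(hash_password(password))


def validate_change(history: PasswordHistory, current_password: str, new_password: str) -> list[str]:
    """Return the list of policy violations for a change-password request.

    `current_password` is the plaintext the user supplied to authorize the
    change. It is used only for the sequential-variant comparison and is never
    stored; a forgot-password flow would not have it and could apply only the
    history check.
    """
    problems: list[str] = []
    if history.was_used(new_password):
        problems.append(f"matches one of the last {history.depth} passwords")
    if new_password != current_password and normalize_stem(new_password) == normalize_stem(current_password):
        problems.append("is a numeric variant of the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample account history with depth 4 (PCI DSS-style "last four").
    hist = PasswordHistory(depth=4)
    for pw in ["alpha1", "bravo2", "charlie3", "delta4"]:
        hist.record(pw)
    print(validate_change(hist, "delta4", "delta5"))   # numeric variant
    print(validate_change(hist, "delta4", "alpha1"))   # reuse of a recent password
    print(validate_change(hist, "delta4", "Tr0ub4dor&3-new"))  # accepted: []
```

The history check is the part an identity provider must own, because only it holds the stored hashes; the sequential-variant check can run anywhere the old password is presented in plaintext, which is why it is separate here.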