
I was using the Azure AD B2C MSAL integration in Android. I have created the user flow for ForgotPassword, which is working as expected. When I tried to change the password, it asked for the registered email address, to which it sends the verification code to change the password. But when I tried to give any email address during forgot password, it sent the verification code to whatever email I provided. How can I prevent it from sending the verification code to any email address unless that email address is signed up in Azure?

sooraj
  • I think that's a usual workflow: if you wanna change password and you need to get a verification code first, you need to provide an email address which you could use to receive the code. It shouldn't be restricted to some specific accounts, because nobody could make sure that they can access those accounts at that time. By the way, if you enter a wrong email address, you can't get the code to pass the validation, and those who received the code also have no place to use the code. – Tiny Wang Feb 02 '21 at 13:00
  • @Tiny-wa - yeah, I got your point. But what if we send the verification code to some random mail which is in the name of some famous person, and they will get the verification code even though they are not registered with the Azure AD B2C? So do we need to restrict that? – sooraj Feb 03 '21 at 04:08
  • I think it's all up to you. You could validate the mail account if it's illegal, for example xx@1.com, it seems a wrong address right? By the way, for myself, the validation mail contains code I've received usually in a format like '[company A], the code is 123456, please never share it to others, pls contact 123456 when you have questions'. If I haven't done those operations, I would feel being disturbed at most. – Tiny Wang Feb 03 '21 at 06:04
  • I think what you should do is like [this](https://stackoverflow.com/questions/46155/how-to-validate-an-email-address-in-javascript) which is used to validate address. – Tiny Wang Feb 03 '21 at 06:07
  • @Tiny-wa - Actually I think you haven't got my point. I will explain in detail. Suppose I have my Android app registered with `Azure AD B2C` with an email `abc@gmail.com`. When I tried to change the password using `forgot password`, it asks for the email to send the verification code. But when I tried using an email `cde@gmail.com` to change the password of `abc@gmail.com`, the verification is still received on `cde@gmail.com` even though `cde@gmail.com` is not registered with my app using `AD B2C`. So I have to prevent sending the verification code to an email address which is still not registered. – sooraj Feb 03 '21 at 08:13
  • Yes, thanks. So, regardless of whether the feature you wanted could be achieved, from my point of view, the reset password flow should be like this: 'is xx@xx.com still in use? we'll send code to it', and provide a choice to change the mail address to avoid the situation that the user can't use the email that was used to register in your app to receive the validation code. And along with your idea, I haven't found a solution to achieve the feature to restrict entering the mail address that was used to register the app. – Tiny Wang Feb 03 '21 at 08:55
  • I watched this [document](https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy) and I found a related [answer](https://stackoverflow.com/questions/62703642/prevent-email-change-in-azure-b2c-custom-policy). – Tiny Wang Feb 03 '21 at 08:56

1 Answer


The solution is in this sample:

Demonstrate how to use a displayControl to send One-Time-Passcodes to users only if the email is registered against a user in the directory.

https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-email-exists

Jas Suri - MSFT
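The mechanism the sample relies on, shown here as an added illustrative policy fragment (not the sample's own XML): the DisplayControl's SendCode action runs a directory lookup technical profile before the OTP generation and send profiles, and the lookup is configured to raise an error when no user has that email, so the code is never sent to an unregistered address. The `GenerateOtp`, `SendOtp`, `VerifyOtp` and `AAD-Common` technical profile names are assumed to be defined elsewhere in the policy, as in the Microsoft starter pack and the custom email verification documentation.

```xml
<!-- Illustrative fragment (assumed names, not the sample's own policy):
     a VerificationControl whose SendCode action checks the directory first -->
<DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl">
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
    <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <Actions>
    <Action Id="SendCode">
      <ValidationClaimsExchange>
        <!-- Lookup runs first; if it raises an error, GenerateOtp and SendOtp
             never execute and the user sees the error message instead -->
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-RaiseIfNotExists" />
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="GenerateOtp" />
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="SendOtp" />
      </ValidationClaimsExchange>
    </Action>
    <Action Id="VerifyCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="VerifyOtp" />
      </ValidationClaimsExchange>
    </Action>
  </Actions>
</DisplayControl>

<!-- Directory read that fails the SendCode action when the email is unknown -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress-RaiseIfNotExists">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided email address.</Item>
  </Metadata>
  <InputClaims>
    <!-- local accounts are keyed by signInNames.emailAddress -->
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

Note that the error message now reveals whether an address is registered, which is the trade-off this approach makes against the default flow that sends a code to any address.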