Configuring Azure AD B2C Password Complexity

Jordan Hohepa, 19 June 2020

When using Azure Active Directory B2C you can control how your users access, register and manage their accounts for your applications. While configuring Azure AD B2C you have the option to use User Flows or Custom Policies to handle these processes. User Flows make use of the Azure Portal Interface, while Custom Policies allow you to change the backend XML. One of the capabilities available with both methods is the configuration of complexity around accepted passwords. This blog will quickly run through the different options.

[Screenshot: password complexity options available in a User Flow]

The screenshot above shows the options you can select in a User Flow. The first option is ‘Simple’, which only requires the password length to be between 8 and 64 characters. The second option is ‘Strong’, which has the same length constraint but also requires at least three of the following four character classes: a lowercase letter, an uppercase letter, a number and a symbol. The third is ‘Custom’, which gives you a little more room around password limitations, as shown in the screenshot below. The fourth is ‘Legacy’, which is similar to Strong but with a maximum length of 16 characters and a static error message. It is recommended not to use ‘Legacy’.

[Screenshot: the ‘Custom’ password complexity settings in a User Flow]

With Custom Policies the same options are available, but you have a lot more freedom in how you configure them. The screenshot below shows the TrustFrameworkBase.xml file, where the Predicates are defined. Unlike User Flows, Custom Policies let you add your own predicates that define what a password must contain. For example, the screenshot below shows a predicate requiring the password to contain at least the ‘@’ symbol.

[Screenshot: Predicates in TrustFrameworkBase.xml, including a custom predicate requiring the ‘@’ symbol]

If you’d like even more freedom than this, you can also scrap B2C’s configurable password rules entirely and replace them with a regular expression. The first step is to disable B2C’s built-in password restrictions by adding ‘DisableStrongPassword’ to the password policy claim. An example of this is in the screenshot below.

[Screenshot: ‘DisableStrongPassword’ added to the password policy claim]

The second step is to attach the regex to the password field. You can see a quick example of this in the screenshot below, where the password is limited to a maximum of 256 characters. With this you can configure your password complexity however you choose.

[Screenshot: regex attached to the password claim, limiting it to a maximum of 256 characters]
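To show what the custom-predicate and regex approaches above look like in policy XML, here is an added example (not the post’s own screenshots, and not Microsoft’s shipped starter pack) of TrustFrameworkBase.xml fragments: a predicate group that keeps the 8 to 64 length check and adds the ‘@’ requirement, wired to the password claim. The predicate and group Ids, the help text and the regex alternative in the trailing comment are assumed, not taken from the post.

```xml
<!-- Added example: custom password predicates for an Azure AD B2C custom policy.
     Ids and help text are assumed. Fragments belong under <BuildingBlocks>:
     <Predicates>, <PredicateValidations> and <ClaimsSchema> respectively. -->
<Predicates>
  <Predicate Id="LengthRange" Method="IsLengthRange">
    <UserHelpText>The password must be between 8 and 64 characters.</UserHelpText>
    <Parameters>
      <Parameter Id="Minimum">8</Parameter>
      <Parameter Id="Maximum">64</Parameter>
    </Parameters>
  </Predicate>
  <!-- Custom predicate: the password must contain the '@' character -->
  <Predicate Id="AtSymbol" Method="IncludesCharacters">
    <UserHelpText>an '@' symbol</UserHelpText>
    <Parameters>
      <Parameter Id="CharacterSet">@</Parameter>
    </Parameters>
  </Predicate>
</Predicates>

<PredicateValidations>
  <PredicateValidation Id="CustomPassword">
    <PredicateGroups>
      <PredicateGroup Id="LengthGroup">
        <PredicateReferences MatchAtLeast="1">
          <PredicateReference Id="LengthRange" />
        </PredicateReferences>
      </PredicateGroup>
      <PredicateGroup Id="RequiredCharacters">
        <UserHelpText>The password must contain:</UserHelpText>
        <PredicateReferences MatchAtLeast="1">
          <PredicateReference Id="AtSymbol" />
        </PredicateReferences>
      </PredicateGroup>
    </PredicateGroups>
  </PredicateValidation>
</PredicateValidations>

<!-- Attach the validation to the password claim collected at sign-up -->
<ClaimType Id="newPassword">
  <DisplayName>New Password</DisplayName>
  <DataType>string</DataType>
  <UserInputType>Password</UserInputType>
  <PredicateValidationReference Id="CustomPassword" />
</ClaimType>

<!-- Regex alternative (after setting DisableStrongPassword on the password policy
     claim): replace the PredicateValidationReference above with a Restriction such as
     <Restriction><Pattern RegularExpression="^.{8,256}$" HelpText="8 to 256 characters" /></Restriction>
     Keep a minimum length in the pattern; a max-only regex accepts empty passwords. -->
```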