GraphServiceClient.Users.PostAsync Ignores B2C Password Complexity Configuration #2793
Comments
Thanks for raising this @hercul1017. Any chance you can replicate this if you make the same request using the Graph Explorer? https://aka.ms/ge
Hi @andrueastman, it cannot be replicated by using Graph Explorer, since it uses a tenant that is not configured to require a digits-only, 6-character password complexity. You can test it by trying to create a user using GraphServiceClient and providing 123456 as the password with any tenant. This is what I am trying to achieve. It will probably complain about password complexity, and then you will have to configure ADB2C or do some other things etc. I am able to create a user by providing an 8-character, complex password. That works fine. Changing the password complexity requirements is not working for GraphServiceClient, at least in my case. I have a very simple goal, which is to create a user with a digits-only password by using GraphServiceClient, that is it. If you can do that, please let me know how to do it. Thanks.
How do you authenticate when using the Graph SDK?
Hi @MartinM85, we have a working process for our web application. Either users use the web flow to register, or we create the user by using GraphServiceClient. Your application's tenant id, client id and client secret let you create a GraphServiceClient, and it enables you to create users programmatically. The problem started when we needed to change the password complexity requirements. The link above shows how to do that. We believe we applied it correctly, and it worked for the web flow. However, the ADB2C configuration change does not seem to have had any effect on the GraphServiceClient user creation process. We need GraphServiceClient to work like the web flow.
Dear @andrueastman, our application is designed for use in schools, and this feature is very important for the upcoming spring semester, especially given the success of our pilot program. As the spring semester is approaching quickly, we would greatly appreciate it if you could expedite the assessment process and provide us with a roadmap. This would allow us to effectively plan our development approach. Thank you for your time and consideration.
@hercul1017 Can I suggest you post the same question at the link below? As this repo is mainly intended for SDK-related issues, we may not be able to give feedback if this is an API-side limitation at the moment. From taking a look at the sample snippet you shared, you may also want to update the value you are using in `PasswordPolicies` to `"DisablePasswordExpiration, DisableStrongPassword"`.
Hi @andrueastman, your suggestion fixed my issue by also adding the disable-strong-password policy to the password policies, like below.
Thank you very much. As far as I am concerned, this issue can be closed.
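The resolution reached in the comments above, written out as an added example (this is not code from the issue or from the SDK project): the user object from the reproduction steps with `PasswordPolicies` set to `"DisablePasswordExpiration, DisableStrongPassword"`, plus a local check that the initial password actually matches the intended six-digit rule. The check is an assumption added here, not something the thread discusses: once `DisableStrongPassword` switches off Graph's default complexity check for that user object, nothing server-side validates the format any more, so the application has to enforce its own rule before the call. The tenant, client credentials, names and password values are constructed placeholders.

```csharp
// Added example, not the issue author's or the SDK's own code. Assumes Microsoft.Graph v5
// and Azure.Identity; tenantId/clientId/clientSecret and the sample user are placeholders.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public static class B2cUserCreator
{
    // The initial-password rule from the issue: exactly six digits (assumed here as the app's own check).
    private static readonly Regex SixDigits = new Regex("^[0-9]{6}$");

    // DisableStrongPassword removes Graph's default complexity check for this user object,
    // so the application validates the format itself before the request is sent.
    public static bool MatchesInitialPasswordRule(string password) =>
        password != null && SixDigits.IsMatch(password);

    // Builds the same User object as the reproduction snippet, with the corrected policy string.
    public static User BuildUser(string firstName, string lastName, string email,
                                 string tenant, string password)
    {
        if (!MatchesInitialPasswordRule(password))
            throw new ArgumentException("initial password must be exactly six digits", nameof(password));

        return new User
        {
            GivenName = firstName,
            Surname = lastName,
            DisplayName = firstName + " " + lastName,
            Identities = new List<ObjectIdentity>
            {
                new ObjectIdentity
                {
                    SignInType = "emailAddress",
                    Issuer = tenant,              // e.g. "contoso.onmicrosoft.com" (placeholder)
                    IssuerAssignedId = email
                }
            },
            PasswordProfile = new PasswordProfile
            {
                Password = password,
                ForceChangePasswordNextSignIn = false
            },
            // The fix from the thread: disable the strong-password check as well as expiration.
            PasswordPolicies = "DisablePasswordExpiration, DisableStrongPassword"
        };
    }

    // Authenticates with a client secret (as described in the thread) and creates the user.
    public static async Task<User> CreateAsync(string tenantId, string clientId,
                                               string clientSecret, User user)
    {
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var graphClient = new GraphServiceClient(credential,
            new[] { "https://graph.microsoft.com/.default" });
        return await graphClient.Users.PostAsync(user);
    }

    public static async Task Main()
    {
        // Placeholder values; replace with the B2C tenant and app registration being used.
        var user = BuildUser("Ada", "Example", "ada@example.test",
                             "contoso.onmicrosoft.com", "123456");
        var created = await CreateAsync("<tenant-id>", "<client-id>", "<client-secret>", user);
        Console.WriteLine($"created user {created.Id}");
    }
}
```

Passing a password such as `"12345"` or `"abcdef"` to `BuildUser` throws before any request is made; the Graph call only runs for values the application itself has accepted under the six-digit rule.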
Describe the bug
Issue:
When creating new users with GraphServiceClient.Users.PostAsync, the password complexity rules defined in Azure AD B2C configuration files (like B2C_1A_TRUSTFRAMEWORKEXTENSIONS.xml) are not enforced. This creates a discrepancy between user self-registration through the web flow (which respects the complexity rules) and programmatic user creation.
Desired Behavior:
Our new business requirement dictates initial passwords to be less complex, consisting only of digits and being 6 characters long (e.g., 123456). We followed the Microsoft documentation on configuring password complexity for Azure AD B2C (https://learn.microsoft.com/en-us/azure/active-directory-b2c/password-complexity?pivots=b2c-custom-policy). This configuration works as expected for user self-registration through the web flow.
However, GraphServiceClient.Users.PostAsync bypasses these settings when creating users programmatically. Instead, it enforces a default complexity rule (likely 8-64 characters with various character types). This is confirmed by the error message "The specified password does not comply with password complexity requirements. Please provide a different password."
Question:
Does GraphServiceClient not consider custom Azure AD B2C policy configurations?
Goal:
Is there a way to programmatically create users with GraphServiceClient while enforcing a simple, 6-digit password requirement (only digits)?
Thank you for any assistance!
Expected behavior
After configuring the password complexity rules, GraphServiceClient should enforce the new password complexity rules.
How to reproduce
Change the ADB2C configuration to make the password complexity rules 6 characters long and digits only, following https://learn.microsoft.com/en-us/azure/active-directory-b2c/password-complexity?pivots=b2c-custom-policy. The new simple password complexity rules should then allow you to register a new user with a simple 6-digit password.
Then try to create a user programmatically using code like the one below.
```csharp
var result1 = await graphClient.Users
    .PostAsync(new User
    {
        GivenName = firstName,
        Surname = lastName,
        DisplayName = firstName + " " + lastName,
        Identities = new List<ObjectIdentity>   // type argument restored; it was lost in rendering
        {
            new ObjectIdentity()
            {
                SignInType = "emailAddress",
                Issuer = config.Tenant,
                IssuerAssignedId = email
            }
        },
        PasswordProfile = new PasswordProfile()
        {
            Password = password,
            ForceChangePasswordNextSignIn = false
        },
        // value as originally used when the error was observed
        PasswordPolicies = "DisablePasswordExpiration"
    });
```
SDK Version
5.62.0
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output