Azure-Samples / active-directory-b2c-custom-policy-starterpack

Azure AD B2C now allows uploading of a Custom Policy which allows full control and customization of the Identity Experience Framework
http://aka.ms/aadb2ccustom
MIT License

Reset password for social account gives "your account has been locked" #141

Open mnemitz opened 1 year ago

mnemitz commented 1 year ago

Our team is building custom policies based on the SocialAndLocalAccounts starter pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccounts

Currently with the PasswordReset user journey here, if a user signs up with social (e.g. Facebook), then later tries to reset their password using the email associated with that account, they will get an error saying "Your account has been locked".

The preferable behaviour would be a more specific error message explaining that the email is associated with a social IDP as opposed to a local account. How can this best be achieved?

mnemitz commented 1 year ago

Just an update on this: It appears this error is coming from the TechnicalProfile AAD-UserReadUsingEmailAddress, which has the following OutputClaimsTransformation checking if accountEnabled is true:

AAD-UserReadUsingEmailAddress

In our B2C tenant, it appears that SSO users are being created with accountEnabled: false, while local accounts have accountEnabled: true. This is what causes the error message.

Currently investigating ways to improve the user journey based on this information. Our custom policies are based primarily on these samples, so if we come up with a fix, I will make a PR.
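For readers following the thread, the following is an added illustration of the chain the comment above describes; it is not the starter pack's verbatim XML and not code from the issue author. It shows the three pieces that together produce the "locked" message: the self-asserted password-reset step whose `UserMessageIfClaimsTransformationBooleanValueIsNotEqual` metadata item holds the string, the directory read `AAD-UserReadUsingEmailAddress` (the only identifier on the page) that returns `accountEnabled`, and the `AssertBooleanClaimIsEqualToValue` transformation that fails the read when the claim is not `true`. The other Ids (`LocalAccountDiscoveryUsingEmailAddress`, `AssertAccountEnabledIsTrue`) follow the starter pack's naming as I recall it and should be treated as assumptions to check against your own TrustFrameworkBase.xml.

```xml
<!-- Added illustration, not the starter pack's verbatim XML. Ids other than
     AAD-UserReadUsingEmailAddress are assumed; verify them in your base file. -->

<!-- 1. Self-asserted password-reset step. The directory read runs as a
        validation technical profile, and this metadata item is the text shown
        when any AssertBooleanClaimIsEqualToValue in that chain fails. -->
<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <DisplayName>Reset password using email address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
    <!-- This is the string the user sees for a social account found with accountEnabled=false. -->
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your account has been locked. Contact your support person to unlock it, then try again.</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<!-- 2. Directory read by email. It outputs accountEnabled and asserts on it. -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="accountEnabled" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <!-- Fails the validation profile, and therefore the reset step, when accountEnabled != true. -->
    <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
  </OutputClaimsTransformations>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- 3. The assertion: compares the boolean claim against a fixed value. -->
<ClaimsTransformation Id="AssertAccountEnabledIsTrue" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="accountEnabled" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>
```

Two points follow from this layout. First, the message is set once per self-asserted profile, so simply rewording it to mention a social provider would also show that wording to a genuinely disabled local account; a social-specific message needs a claim that tells the two cases apart before the assertion runs, and the thread has not yet established which claim that is. Second, whatever text is chosen, the reset step already confirms to the caller that the address exists in the tenant (the "could not be found" message differs from the "locked" one), so a more specific message adds detail to that existing disclosure rather than creating a new one; decide deliberately how much the reset flow should reveal.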