I am using a Web Application with Azure AAD B2C configuration for authentication hosted in IIS.
I have created signup policy, sign in policy and password reset policy. I have configured Forget Password settings in Azure Active Directory too.
In the signin page, clicking the "Forget Password" link does not redirect to the password reset policy.
Instead, it returns an "access denied" error to the application. Do I need to do any explicit coding to redirect to password reset policy or am I missing any configuration in my settings?
The error returned is by design to allow the application to redirect to an appropriate password reset policy. This is important because a tenant can have multiple password reset policies for various scenarios. So for example, if the user was trying to sign-in with MFA, the appropriate password reset policy would be the one that also requires MFA.
The client needs to handle the error code AADB2C90118 if an error is returned, and based on that error code, it would redirect to the appropriate password reset policy.
The pattern to handle this error and redirect to a password reset policy is demonstrated in the OpenID Connect .NET Sample with a sign-up or sign-in policy.