How to remove the "hint" query parameter during AAD B2C password reset flow?

Batman 0 Reputation points
2024-09-24T17:10:43.5333333+00:00

We have set up the password reset exchange as instructed in the docs and are trying to remove the hint query parameter that gets added to the URL when clicking the forgot password link. We do not want it as it is an info leak. Someone else asked a similar question, but they wanted the opposite of what we want and discovered the query param already exists. How do we remove it?


1 answer

Neuvi Jiang 1,300 Reputation points Microsoft Vendor
    2024-09-25T08:00:03.6566667+00:00

    Hi Batman,

    Thank you for posting in the Q&A Forums.

    1. Understanding the role of the hint parameter

    The hint parameter is designed by Azure AD B2C for user experience purposes and allows the user's identifier (e.g., username or email) to be pre-populated via a URL before the user begins the password reset process. However, this can also pose a security risk as it may reveal the user's personal information.

    2. Customizing the password reset policy

    To remove the hint parameter, you need to customize the password reset policy for Azure AD B2C. This usually involves modifying or creating custom User Journeys and Technical Profiles. However, removing the hint parameter from the URL directly through the Azure AD B2C configuration interface or policy file may not be directly supported.

    3. Modifying the password reset link

    A more practical approach is to control the process of generating password reset links. Make sure that you do not include the hint parameter when generating these links. This is usually done on the back end of your application or web service, where you can adjust the logic to exclude this parameter.

    4. Use security best practices

    Minimize information leakage: Ensure that the principle of least privilege is followed in any part of your application and that only necessary user information is requested and transmitted.

    Use HTTPS: Ensure that all communication with Azure AD B2C is done over HTTPS to protect the confidentiality and integrity of data.

    User education: Educate users not to share password reset links or any URLs containing personal information with untrusted third parties.

    Best regards

    NeuviJ

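The back-end approach from point 3 above, as an added example that is not part of the answer or of any Microsoft code: a small Python helper that builds the authorize URL for a B2C password reset user flow without a `hint` parameter, and a check that strips or flags the parameter on any reset link before it is handed to a browser. The tenant, policy and client_id values are constructed placeholders.

```python
# Added example (not from the original question or answer): generate the password
# reset link on the server side without the "hint" query parameter named on the page,
# and sanitise or flag any link that still carries it. Tenant, policy and client_id
# below are constructed placeholders, not values from a real deployment.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Parameter names the page treats as an information leak; extend if your flow adds more.
LEAKY_PARAMS = frozenset({"hint"})


def build_reset_url(tenant, policy, client_id, redirect_uri, nonce, state):
    """Construct the authorize URL for the reset policy with no user identifier in it."""
    base = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return f"{base}?{urlencode(query)}"


def strip_leaky_params(url, names=LEAKY_PARAMS):
    """Drop identifier-bearing query parameters (case-insensitive), keeping the
    remaining parameters, their order and the fragment intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in names]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def find_leaky_params(url, names=LEAKY_PARAMS):
    """Return the leaky parameter names present in a URL; use this as a
    pre-redirect check so a leaking link is logged instead of served."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k.lower() for k, _ in query if k.lower() in names})
```

Run `find_leaky_params` on every reset redirect your application issues and treat a non-empty result as a defect to log and fix, rather than relying on `strip_leaky_params` alone.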

