Share via

Entra External ID: Password reset form accepts mismatched passwords when new password field is modified after confirm field

Longlands, Dylan 0 Reputation points
2026-04-08T11:54:19.07+00:00

Steps to reproduce:

  1. Navigate to the password reset page
  2. Fill in the "new password" field
  3. Fill in the "confirm password" field with a matching value
  4. Go back and modify the "new password" field so the values no longer match (or simulate autofill overwriting it)
  5. Submit Screenshot 2026-04-08 at 12.49.13

Screenshot 2026-04-08 at 12.49.22

Expected: Validation error shown, form submission blocked

Actual: Form submits successfully with mismatched passwords

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 160K Reputation points MVP Volunteer Moderator
    2026-04-08T16:26:55.1933333+00:00

    Haha, AI saying this is ok almost.

    I think thats a terrible end user experience and should be fixed.

    0 comments
  2. Q&A Assist
    2026-04-08T11:54:46.64+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    This behavior is a client-side validation bug in the password reset UX, not the server-side password policy.

    From the documented flow, password reset is ultimately validated only when the new password is submitted to Microsoft Entra ID. At that point, the service evaluates the password against:

    • Banned password checks and fuzzy matching
    • On-premises password policies (for writeback scenarios)

    If the submitted password is invalid according to these rules, the reset fails and an error such as “Password doesn't comply with fuzzy policy” or “On-premises policy violation” is returned. However, the documentation does not define or guarantee any specific client-side behavior for comparing the “new password” and “confirm password” fields; that logic is implemented in the UI layer.

    Because the server accepts a single password value, the mismatch between the two fields in the browser does not affect the backend validation. The form should block submission when the fields differ, but if it does not, the backend will still only store the value actually sent as the new password and then apply its normal strength/banned-password checks.

    Recommended actions:

    1. Treat this as a UI defect in the Entra External ID password reset experience and report it through the official support channel for Entra External ID so it can be fixed in the front-end validation logic.
    2. If building a custom password reset experience (for example, using native authentication SDKs), ensure the application performs its own client-side check that the “new password” and “confirm password” fields match before calling the reset API, and then still handle server-side errors such as isInvalidPassword() / isPasswordResetFailed().

    The server-side password evaluation and SSPR flows remain governed by the documented password protection and SSPR rules; this issue is limited to the front-end form not enforcing a match between the two fields before submission.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.