Our team is building custom policies based on the SocialAndLocalAccounts starter pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccounts

Currently with the PasswordReset user journey here, if a user signs up with social (i.e. Facebook), then later tries to reset their password using the email associated with that account, they will get an error saying "Your account has been locked".

The preferable behaviour would be a more specific error message explaining that the email is associated with a social IDP as opposed to a local account. How can this best be achieved?
Just an update on this: It appears this error is coming from the TechnicalProfile AAD-UserReadUsingEmailAddress, which has the following OutputClaimsTransformation checking if accountEnabled is true:
In our B2C tenant, it appears that SSO users are being created with accountEnabled: false, while local accounts have accountEnabled: true. This is what causes the error message.
Currently investigating ways to improve the user journey based on this information. Our custom policies are based primarily on these samples, so if we come up with a fix, I will make a PR.
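The decision the comment above describes, as an added example that is not code from the issue author or from the starter pack: classify Microsoft Graph `user` objects by their `identities` collection (`signInType` of `emailAddress`/`userName` for local accounts, `federated` for social), then order the password-reset checks so that a social-only account gets a specific message before the `accountEnabled` assertion can turn it into "account locked". The user records, tenant name and ids are constructed placeholders.

```python
"""Model of the local-vs-social check behind the "account locked" error.

Added example, not code from the issue author or the
active-directory-b2c-custom-policy-starterpack. Field names follow the
Microsoft Graph `user` resource (accountEnabled, identities[].signInType,
identities[].issuer, identities[].issuerAssignedId). All records below are
constructed; the tenant name and ids are placeholders.
"""
from typing import Dict, List

# Graph signInType values used by B2C local accounts; "federated" means social.
LOCAL_SIGN_IN_TYPES = {"emailAddress", "userName"}

TENANT = "placeholdertenant.onmicrosoft.com"  # placeholder tenant name

# Constructed sample in the shape of GET /users?$select=id,accountEnabled,identities
SAMPLE_USERS: List[Dict] = [
    {   # local account, enabled: a normal password reset
        "id": "local-enabled", "accountEnabled": True,
        "identities": [
            {"signInType": "emailAddress", "issuer": TENANT, "issuerAssignedId": "alice@example.com"},
            {"signInType": "userPrincipalName", "issuer": TENANT, "issuerAssignedId": "guid1@" + TENANT},
        ],
    },
    {   # social-only account created with accountEnabled false, as observed in the issue
        "id": "social-disabled", "accountEnabled": False,
        "identities": [
            {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "1234567890"},
            {"signInType": "userPrincipalName", "issuer": TENANT, "issuerAssignedId": "guid2@" + TENANT},
        ],
    },
    {   # local password identity plus a linked social identity
        "id": "linked-enabled", "accountEnabled": True,
        "identities": [
            {"signInType": "emailAddress", "issuer": TENANT, "issuerAssignedId": "bob@example.com"},
            {"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "987654321"},
        ],
    },
    {   # local account an admin really disabled: here "locked" is the right message
        "id": "local-disabled", "accountEnabled": False,
        "identities": [
            {"signInType": "emailAddress", "issuer": TENANT, "issuerAssignedId": "carol@example.com"},
        ],
    },
]


def classify_account(user: Dict) -> str:
    """Return 'local', 'social', 'linked' or 'unknown' from the identities collection.

    The userPrincipalName identity exists on every object and says nothing
    about how the user signs in, so it is ignored.
    """
    kinds = set()
    for identity in user.get("identities", []):
        sign_in_type = identity.get("signInType")
        if sign_in_type in LOCAL_SIGN_IN_TYPES:
            kinds.add("local")
        elif sign_in_type == "federated":
            kinds.add("social")
    if kinds == {"local"}:
        return "local"
    if kinds == {"social"}:
        return "social"
    if kinds == {"local", "social"}:
        return "linked"
    return "unknown"


def password_reset_outcome(user: Dict) -> str:
    """Decide what a password-reset journey should tell the user.

    Testing the identity type before accountEnabled is what lets a
    social-only account get a specific message instead of "account locked".
    """
    kind = classify_account(user)
    if kind == "social":
        return "social_idp"   # direct the user to their social provider instead
    if not user.get("accountEnabled", False):
        return "locked"       # a genuinely disabled local or linked account
    if kind == "unknown":
        return "not_found"    # no usable sign-in identity on the object
    return "proceed"          # local or linked account with a password to reset


def disabled_social_accounts(users: List[Dict]) -> List[str]:
    """Ids of social-only users carrying accountEnabled false: the records that
    would trip an accountEnabled assertion during password reset."""
    return [u["id"] for u in users
            if classify_account(u) == "social" and not u.get("accountEnabled", False)]


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f'{user["id"]:16} {classify_account(user):8} -> {password_reset_outcome(user)}')
    print("social accounts reported as locked:", disabled_social_accounts(SAMPLE_USERS))
```

In a B2C policy the same ordering would have to be expressed in the technical profiles and claims transformations of the PasswordReset journey; this script only models the decision so the two cases (social-only versus a disabled local account) can be told apart before choosing an error message.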