[HOWTO] Handle AAD B2C Password Reset for Legacy Sign up and Sign in User Flow

If you have an Azure Active Directory B2C (AAD B2C) tenant with a user flow of type Sign up and sign in (Preview v2 legacy), the self-service password reset experience cannot be enabled on that user flow. Regardless, the Forgot your password? link is still shown to users on the login screen.

But if the user clicks the Forgot your password? link, they are redirected back to the application that started the sign up and sign in user flow. This behavior is documented and must be handled by the application:

If the self-service password reset experience isn’t enabled, selecting this link doesn’t automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application must handle this error code by reinitializing the authentication library to authenticate an Azure AD B2C password reset user flow.

Source: Set up a password reset flow – Azure AD B2C | Microsoft Learn

Solution variants

  1. Replace the user flow of type Sign up and sign in (Preview v2 legacy) with one of type Sign up and sign in (Recommended) and enable self-service password reset on it (recommended variant)
  2. Handle the redirect carrying error code AADB2C90118 in the application and start the password reset user flow from there (see here for a possible implementation)
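The following is an added, framework-agnostic example of variant 2, not code from the original post or from Microsoft: it parses the redirect the application receives, checks that the `state` value matches before acting on it, and, for AADB2C90118, builds the authorize URL of the password reset user flow. Tenant name, client id, redirect URI and the policy names are assumed placeholders.

```javascript
// Assumed placeholders: replace with your own tenant, app registration and user flow names.
const B2C = {
  tenant: "contoso",                                  // <tenant>.b2clogin.com
  clientId: "00000000-0000-0000-0000-000000000000",   // placeholder application (client) id
  redirectUri: "https://app.example.com/auth/callback",
  resetPolicy: "B2C_1_passwordreset",                 // assumed password reset user flow name
};

// Authorize endpoint of a B2C user flow (policy). The same host/path layout is used
// for every user flow; only the policy segment differs.
function authorizeUrl(policy, state) {
  const base = `https://${B2C.tenant}.b2clogin.com/${B2C.tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/authorize`;
  const params = new URLSearchParams({
    client_id: B2C.clientId,
    response_type: "code",
    redirect_uri: B2C.redirectUri,
    scope: "openid offline_access",
    response_mode: "query",
    state,
  });
  return `${base}?${params.toString()}`;
}

// B2C returns error and error_description in the query string (response_mode=query)
// or in the fragment (response_mode=fragment); accept both.
function parseCallback(url) {
  const u = new URL(url);
  const raw = u.search ? u.search.slice(1) : u.hash.slice(1);
  return Object.fromEntries(new URLSearchParams(raw).entries());
}

// Decide what the app should do with a redirect from the sign up and sign in flow.
// expectedState: the state the app sent; nextState: a fresh value for the reset flow.
function handleCallback(url, expectedState, nextState) {
  const r = parseCallback(url);
  if (r.state !== expectedState) {
    return { action: "reject", reason: "state mismatch" };   // do not act on forged redirects
  }
  if (r.code) {
    return { action: "exchange_code", code: r.code };         // normal sign-in, continue as usual
  }
  const desc = r.error_description || "";
  if (r.error && desc.includes("AADB2C90118")) {
    // User clicked "Forgot your password?": start the password reset user flow.
    return { action: "redirect", url: authorizeUrl(B2C.resetPolicy, nextState) };
  }
  return { action: "fail", error: r.error, description: desc };
}
```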
