Hi Batman,
Thank you for posting in the Q&A Forums.
- Understanding the role of the hint parameter
The hint parameter is designed by Azure AD B2C for user experience purposes and allows the user's identifier (e.g., username or email) to be pre-populated via a URL before the user begins the password reset process. However, this can also pose a security risk as it may reveal the user's personal information.
- Customizing the password reset policy
To remove the hint parameter, you need to customize the password reset policy for Azure AD B2C. This usually involves modifying or creating custom User Journeys and Technical Profiles. However, removing the hint parameter from the URL directly through the Azure AD B2C configuration interface or policy file may not be directly supported.
- Modifying the password reset link
A more practical approach is to control the process of generating password reset links. Make sure that you do not include the hint parameter when generating these links. This is usually done on the back end of your application or web service, where you can adjust the logic to exclude this parameter.
- Use security best practices
  - Minimize information leakage: Ensure that the principle of least privilege is followed in any part of your application and that only necessary user information is requested and transmitted.
  - Use HTTPS: Ensure that all communication with Azure AD B2C is done over HTTPS to protect the confidentiality and integrity of data.
  - User education: Educate users not to share password reset links or any URLs containing personal information with untrusted third parties.
Best regards,
NeuviJ
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
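The "control link generation on the back end" approach from the answer above, as an added Python example that is not part of the answer or of any Microsoft sample. It assumes the hint the question refers to is the standard OpenID Connect `login_hint` parameter (the answer only says "hint"), assumes the default `b2clogin.com` authorize endpoint layout with a hypothetical tenant and user flow name, and includes an audit helper for links an application already emits.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that pre-fill a user identifier in a reset link.
# "hint" is the wording used in the question; "login_hint" is the standard
# OpenID Connect name (assumption: that is the parameter the question means).
HINT_PARAMS = frozenset({"hint", "login_hint"})


def find_hint_params(url: str) -> set:
    """Return the identifier-revealing parameter names present in a URL.

    Intended as an audit check over reset links your back end already emits.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name for name in query if name.lower() in HINT_PARAMS}


def strip_hint_params(url: str) -> str:
    """Return the URL with any hint parameter removed, other parameters intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in HINT_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def build_reset_link(tenant: str, policy: str, client_id: str, redirect_uri: str,
                     state: str, nonce: str, extra_params: dict = None) -> str:
    """Build the authorize URL for a B2C password-reset user flow.

    Endpoint layout is the default b2clogin.com pattern (assumption: the tenant
    uses its default *.onmicrosoft.com domain). Any hint parameter handed in via
    extra_params is rejected, so the generated link can never carry the user's
    identifier even if a caller tries to add it.
    """
    extra_params = dict(extra_params or {})
    leaked = {k for k in extra_params if k.lower() in HINT_PARAMS}
    if leaked:
        raise ValueError(f"refusing to embed identifier in reset link: {sorted(leaked)}")
    base = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_mode": "query",
        "state": state,   # caller-generated anti-CSRF value
        "nonce": nonce,   # caller-generated replay protection
        **extra_params,
    }
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values; the tenant, policy and client id are placeholders.
    link = build_reset_link("contoso", "B2C_1_password_reset",
                            "00000000-0000-0000-0000-000000000000",
                            "https://app.example/auth/callback", "st-123", "nc-456")
    print(link)
    print("hint params present:", find_hint_params(link))
    legacy = "https://contoso.b2clogin.com/x/authorize?client_id=1&login_hint=a%40b.com&state=s"
    print("cleaned legacy link:", strip_hint_params(legacy))
```

`find_hint_params` is the check to run in a unit test or a log scan over every reset link the application produces; `strip_hint_params` handles links generated by older code paths until those are fixed at the source.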