Azure AD B2C has separate policies for sign-up / sign-in and for password reset. I copied the metadata endpoint of the sign-up / sign-in policy and pasted it into the Azure App Service authentication settings.
This basically works, but there is nowhere to also add the metadata of the password reset policy. I think that as a result of this, when you click "Forgot Password" you get

You do not have permission to view this directory or page.

at ~/.auth/login/aad/callback when it tries to redirect to /xxx.onmicrosoft.com/B2C_1_b2c_sign_up_sign_in/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxx&p=B2C_1_b2c_sign_up_sign_up_sign
Why is there no reset / login / password?
Another strange thing: if you click "Create a new account" and then Cancel, it returns to the callback page with the same permission error.
I downloaded the policies, and the password reset policy contains the following, which is NOT in the sign-up / sign-in policy:

<UserJourneys>
  <UserJourney Id="B2CPasswordResetV1">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="PasswordResetUsingEmailAddressExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <DefaultUserJourney ReferenceId="B2CPasswordResetV1" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="emails" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
Update: I just found this:

When creating a sign-up or sign-in policy (with local accounts), the consumer will see a "Forgot your password?" link on the first page of the experience. Clicking this link does not automatically trigger a password reset policy. Instead, a specific error code, AADB2C90118, is returned to your application. Your application should handle this and trigger a specific password reset policy. A sample demonstrating this approach to policy consolidation is here.
So it looks like it is sending that error to the callback, and the zumo callback is not able to handle the error. If the zumo callback receives status / code / id_token, it works.
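The handling the quoted documentation asks for, written out as an added example (this is not code from the question, from Azure App Service authentication, or from Microsoft's sample). The callback handler checks the OpenID Connect state value before anything else, then inspects the error_description for AADB2C90118 and, if present, builds an authorization request for a separate password reset policy. The tenant name, client id, redirect URI and the reset policy name B2C_1_password_reset are placeholders; B2C_1_b2c_sign_up_sign_in is the policy name that appears in the question, and the callback parameters are constructed sample values.

```python
"""Handle the AADB2C90118 'forgot password' signal from an Azure AD B2C sign-up/sign-in policy.

Added example, not the question author's or Microsoft's code. Assumptions:
tenant name, client id, redirect URI and the reset policy name are placeholders,
and the callback's query / form parameters arrive as a plain dict.
"""
from urllib.parse import urlencode

TENANT = "xxx"                                  # placeholder tenant (xxx.onmicrosoft.com)
SIGNIN_POLICY = "B2C_1_b2c_sign_up_sign_in"     # policy name from the question
RESET_POLICY = "B2C_1_password_reset"           # placeholder: the tenant's password reset policy
CLIENT_ID = "00000000-0000-0000-0000-000000000000"              # placeholder application id
REDIRECT_URI = "https://app.example.com/.auth/login/aad/callback"  # placeholder redirect URI
PASSWORD_RESET_ERROR_CODE = "AADB2C90118"       # error code quoted in the documentation above


def authorize_url(policy, state, nonce):
    """Build an OpenID Connect authorization request URL for the given B2C policy.

    The policy is selected with the 'p' query parameter; state and nonce are
    reused so the reset flow is bound to the same browser session.
    """
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0/authorize"
    params = {
        "p": policy,
        "client_id": CLIENT_ID,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
    }
    return f"{base}?{urlencode(params)}"


def handle_callback(params, expected_state, nonce):
    """Classify a B2C callback and decide what the application should do next.

    Returns (action, value):
      ("reset", url)   user clicked 'Forgot your password?'; redirect to the reset policy
      ("error", text)  state mismatch or any other B2C error
      ("token", code)  normal sign-in; continue with the code / id_token exchange
    """
    # Reject responses that are not bound to this session before trusting anything in them.
    if params.get("state") != expected_state:
        return ("error", "state mismatch")

    if "error" in params:
        description = params.get("error_description", "")
        # B2C puts the error code at the start of error_description,
        # e.g. "AADB2C90118: The user has forgotten their password.\r\nCorrelation ID: ..."
        if PASSWORD_RESET_ERROR_CODE in description:
            return ("reset", authorize_url(RESET_POLICY, expected_state, nonce))
        return ("error", description or params["error"])

    if "code" in params:
        return ("token", params["code"])

    return ("error", "callback carried neither a code nor an error")


def main():
    # Constructed sample callbacks, not captured from a real tenant.
    state, nonce = "s-12345", "n-67890"
    forgot = {
        "error": "access_denied",
        "error_description": "AADB2C90118: The user has forgotten their password.\r\nCorrelation ID: 0000",
        "state": state,
    }
    success = {"code": "authcode-abc", "id_token": "eyJ...", "state": state}
    for name, cb in (("forgot", forgot), ("success", success)):
        print(name, "->", handle_callback(cb, state, nonce))


if __name__ == "__main__":
    main()
```

The point of routing on the error rather than on the URL is that the built-in callback only knows the one policy whose metadata was pasted into the authentication blade; a custom handler like this one owns the decision to start a second policy, and the state check keeps a forged callback from steering the user into an unexpected flow.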