Authorization_RequestDenied - Insufficient privileges to complete the operation while updating user password using Graph API

Sachin 1 Reputation point
2022-10-07T13:34:47.113+00:00

I have a unique requirement to update user passwords using the Graph API, but I have been getting an Authorization_RequestDenied error.

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-10-06T22:45:14","request-id":"","client-request-id":""}}}  

Below is my code:

public async Task UpdatePassword()
{
    // Client-credentials (app-only) flow: the app authenticates as itself, with no signed-in user.
    Microsoft.Identity.Client.IConfidentialClientApplication confidentialClientApplication = Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
        .Create("ClientId")
        .WithClientSecret("ClientSecret")
        .WithTenantId("TenantId")
        .Build();
    Microsoft.Graph.Auth.ClientCredentialProvider authProvider = new Microsoft.Graph.Auth.ClientCredentialProvider(confidentialClientApplication);

    Microsoft.Graph.GraphServiceClient graphClient = new Microsoft.Graph.GraphServiceClient(authProvider);

    var newPassword = "NewComplexP@ss";

    // Only passwordProfile is set, so the update touches nothing else on the user.
    var user = new Microsoft.Graph.User
    {
        PasswordProfile = new Microsoft.Graph.PasswordProfile
        {
            Password = newPassword,
            ForceChangePasswordNextSignIn = false
        }
    };

    // This update call is the one that returns Authorization_RequestDenied.
    await graphClient
        .Users["a4e3f2ce-054e-43e4-bbfd-547c44582a7"]
        .Request()
        .UpdateAsync(user);
}

I have added permissions in Azure AD B2C as shown below.

[Image: 248520-image.png]

My question: despite adding all the permissions and using correct code (I assume), I am getting an Authorization_RequestDenied error.

Am I missing anything? I highly appreciate any help.


3 answers

  1. Vasil Michev 95,081 Reputation points MVP
    2022-10-07T16:13:42.58+00:00

    Are you perhaps trying to change the password of a privileged (admin) user? As noted in the documentation, you need to have specific roles assigned to change the password (and some other properties) of admin users:

    For delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

    Global Administrator
    Privileged Authentication Administrator
    Authentication Administrator

    And also:

    Updating another user's sensitive properties like businessPhones, mobilePhone, or otherMails is not allowed on users who are assigned an administrator role or who are members of a role-assignable group, even when the app is granted the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions. For more information about who can update sensitive properties or reset passwords, see Authorization and privileges.

    More detail here: https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0


  2. HarmeetSingh7172 4,811 Reputation points
    2022-10-07T16:29:50.133+00:00

    Hi @Sachin

    ChangePassword Graph API supports Delegated permissions only. As of now, it doesn't work with Application Permissions.

    As per this API, any user can update their password without belonging to any administrator role.

    Refer to this documentation.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.


  3. Roman Ianchenko 0 Reputation points
    2023-05-04T07:57:52.5033333+00:00

    To make it work, you need your app added to one of these roles:

    • Global administrator
    • Privileged authentication administrator
    • Authentication administrator

    Next, modify your permissions. We'll use UserAuthenticationMethod.ReadWrite.All for this tutorial, so make sure it's enabled in Graph Explorer or your app.

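The answers turn on whether the call is made with delegated or application permissions, so a practical first check is to read the access token the app actually sends and see which kind it is and which Graph permissions it carries. The following is an added example, not code from this thread or from Microsoft: `GraphTokenInspector`, `DecodePayload` and `Describe` are hypothetical names, the sample token is constructed and unsigned, and the signature is not validated, so use it only for diagnostics on tokens your own app acquired.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Added diagnostic example (hypothetical helper, not part of the original thread).
// It reads claims only and performs no signature validation.
public static class GraphTokenInspector
{
    // Decode the payload segment of a JWT (base64url) into a JSON element.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        byte[] raw = Convert.FromBase64String(b64);
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(raw));
        return doc.RootElement.Clone();
    }

    // App-only tokens carry application permissions in "roles";
    // delegated tokens carry scopes as a space-separated string in "scp".
    public static string Describe(string jwt)
    {
        JsonElement p = DecodePayload(jwt);
        if (p.TryGetProperty("roles", out JsonElement roles) && roles.ValueKind == JsonValueKind.Array)
        {
            string list = string.Join(", ", roles.EnumerateArray().Select(r => r.GetString()));
            return "app-only token; application permissions: " + list;
        }
        if (p.TryGetProperty("scp", out JsonElement scp))
            return "delegated token; scopes: " + scp.GetString();
        return "neither roles nor scp claim present in this token";
    }

    public static void Main()
    {
        // Constructed sample: an unsigned token shaped like a client-credentials Graph token.
        string payload = "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"User.ReadWrite.All\",\"Directory.ReadWrite.All\"]}";
        string body = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Console.WriteLine(Describe("e30." + body + ".sig"));
    }
}
```

The helper reads only the permission claims; it does not show the directory role assignments the answers refer to.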