Authorization_RequestDenied - Access to change password operation is denied.

Sachin 1 Reputation point
2022-10-17T20:00:04.093+00:00

Hi,

I am writing an API for a user to reset their own password. The user is logged in to a web application which calls the MS Graph API.

While trying to self-update the password (I need to verify the current password too), I am getting the error below:

    "code":"Authorization_RequestDenied","message":"Access to change password operation is denied."

Below is my code:

    using System;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.Identity.Client;

    private static async Task UpdatePassword(string clientId, string clientSecret, string tenantId)
    {
        try
        {
            var scopes = new string[] { "https://graph.microsoft.com/.default" };

            // Configure the MSAL client as a confidential client
            var confidentialClient = ConfidentialClientApplicationBuilder
                .Create(clientId)
                .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
                .WithClientSecret(clientSecret)
                .Build();

            GraphServiceClient graphServiceClient =
                new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
                {
                    // Retrieve an access token for Microsoft Graph (gets a fresh token if needed).
                    var authResult = await confidentialClient
                        .AcquireTokenForClient(scopes)
                        .ExecuteAsync();

                    // Add the access token in the Authorization header of the API request.
                    requestMessage.Headers.Authorization =
                        new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                }));

            await graphServiceClient.Users["9c704dfb-a3ea-528a-937c-d7da45ebcc7a"]
                .ChangePassword("OldPassword", "NewPassword").Request().PostAsync();
        }
        catch (Exception e)
        {
            // The ServiceException carrying Authorization_RequestDenied is caught here and discarded.
        }
    }

I also saw the /me endpoints but did not understand how to make them work in my scenario.

I appreciate any help. Thank you.


2 answers

  1. Bhanu Kiran 3,526 Reputation points
    2022-10-18T06:27:48.89+00:00

    Hi @Sachin ,

    Please note, the operation cannot be performed on a user's own account. Only an administrator with the appropriate permissions can perform this operation.

    Please refer to this post for additional information.

    Hope this helps,
    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. CarlZhao-MSFT 36,896 Reputation points
    2022-10-18T07:17:06.127+00:00

    Hi @Sachin

    Your code is trying to update another user's password, not the user's own password; you should call the /me endpoint to reset the user's own password. Please refer to my complete code:

    using Azure.Identity;
    using Microsoft.Graph;

    // Delegated permission required by /me/changePassword.
    var scopes = new[] { "Directory.AccessAsUser.All" };
    var tenantId = "{tenant id}";
    var clientId = "{client id}";
    var clientSecret = "{client secret}";

    // For authorization code flow, the user signs into the Microsoft
    // identity platform, and the browser is redirected back to your app
    // with an authorization code in the query parameters
    var authorizationCode = "authorization code";

    var options = new TokenCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
    };

    // https://learn.microsoft.com/dotnet/api/azure.identity.authorizationcodecredential
    var authCodeCredential = new AuthorizationCodeCredential(
        tenantId, clientId, clientSecret, authorizationCode, options);

    var graphClient = new GraphServiceClient(authCodeCredential, scopes);

    var currentPassword = "OldPassword";

    var newPassword = "NewPassword";

    // /me resolves to the signed-in user behind the delegated token.
    await graphClient.Me
        .ChangePassword(currentPassword, newPassword)
        .Request()
        .PostAsync();

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
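The two answers turn on which kind of token reaches Graph: the question's AcquireTokenForClient call yields an app-only token with no signed-in user, while the AuthorizationCodeCredential in the second answer yields a delegated one. The helper below is an added diagnostic, not code from this thread or from Microsoft; it decodes a token's claims (without validating the signature) to show which flow produced it, and uses constructed sample tokens whose claim values are assumptions.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Token inspection helper (added here, not code from the thread). Decodes the
// claims of an access token WITHOUT validating it, purely to diagnose which
// flow produced it: a client-credentials token carries "roles" and no user,
// a delegated token carries "scp" for the signed-in user. Graph only allows
// /me/changePassword with a delegated token that includes Directory.AccessAsUser.All.
public static class GraphTokenCheck
{
    public static string Describe(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length != 3) return "not a JWT";
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var claims = doc.RootElement;
        if (claims.TryGetProperty("scp", out var scp))
        {
            // Delegated scopes are a space-separated list in "scp".
            var scopes = (scp.GetString() ?? "").Split(' ');
            return Array.IndexOf(scopes, "Directory.AccessAsUser.All") >= 0
                ? "delegated token with Directory.AccessAsUser.All: /me/changePassword is allowed"
                : "delegated token without Directory.AccessAsUser.All: expect Authorization_RequestDenied";
        }
        return claims.TryGetProperty("roles", out _)
            ? "app-only (client credentials) token: no signed-in user, so /me and changePassword are denied"
            : "token carries neither scp nor roles";
    }

    static byte[] Base64UrlDecode(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    // Constructed, unsigned sample token built from a claims JSON so the helper
    // runs offline; the signature segment is a placeholder, not a real signature.
    static string SampleToken(string claimsJson) =>
        "eyJhbGciOiJub25lIn0." +
        Convert.ToBase64String(Encoding.UTF8.GetBytes(claimsJson)).TrimEnd('=').Replace('+', '-').Replace('/', '_') +
        ".placeholder";

    public static void Main()
    {
        // First the shape of an app-only token (question's flow), then a delegated one (answer's flow).
        Console.WriteLine(Describe(SampleToken("{\"roles\":[\"User.ReadWrite.All\"]}")));
        Console.WriteLine(Describe(SampleToken("{\"scp\":\"User.Read Directory.AccessAsUser.All\"}")));
    }
}
```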