Insufficient privileges to complete the operation on updating user password through ROPC user flow

Ganesh Jagdale 71 Reputation points
2022-10-05T11:42:19.573+00:00

Hi All,
I am trying to update an Azure AD B2C user's password through the ROPC flow. I have given the required permissions to the application; below are the application permissions:

  1. Directory.ReadWrite.All
  2. Directory.Write.Restricted
  3. User.ReadWrite.All

Below are the delegated permissions given:

  1. Directory.AccessAsUser.All
  2. Directory.ReadWrite.All
  3. Directory.Write.Restricted

but I am still getting the error below:

    {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "date": "2022-10-05T11:16:32",
                "request-id": "000f2cc3-2edc-4356-8753-f9fa41bf88e6",
                "client-request-id": "000f2cc3-2edc-4356-8753-f9fa41bf88e6"
            }
        }
    }

PATCH https://graph.microsoft.com/v1.0/users/<<objectid>>

Here is the input payload to update the user's password:

    {
        "passwordProfile": {
            "password": "AVCd2933$^*-wvd",
            "forceChangePasswordNextSignIn": false
        }
    }

Please let me know if I have missed any permission here that is needed to update a user's password.

Thanks in advance!


2 answers

  1. Ganesh Jagdale 71 Reputation points
    2022-10-05T14:33:12.743+00:00

    I found the answer!! https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga

    [Optional] Grant user administrator role
    If your application or script needs to update users' passwords, you need to assign the User administrator role to your application. The User administrator role has a fixed set of permissions you grant to your application.

    To add the User administrator role, follow these steps:

      1. Sign in to the Azure portal.
      2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
      3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
      4. Search for and select Azure AD B2C.
      5. Under Manage, select Roles and administrators.
      6. Select the User administrator role.
      7. Select Add assignments.
      8. In the Select text box, enter the name or the ID of the application you registered earlier, for example, managementapp1. When it appears in the search results, select your application.
      9. Select Add. It might take a few minutes for the permissions to fully propagate.

    2 people found this answer helpful.

  2. CarlZhao-MSFT 38,936 Reputation points
    2022-10-06T08:20:55.417+00:00

    Hi @Ganesh Jagdale

    It's good to know that you've found the right solution. Yes, you must be a user administrator to update passwords for other users within your tenant, and you don't need the administrator role if you only update your own passwords.

    Also, to avoid ambiguity, I need to add one point: you are using the Azure AD-based ROPC flow instead of Azure AD B2C's ROPC user flow to get an access token; the Graph API does not accept Azure AD B2C tokens.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

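The two answers above come down to two token properties: the token must be issued by Azure AD (not by a B2C user flow), and it must carry the User Administrator directory role before a PATCH of another user's passwordProfile will succeed. The following is an added offline diagnostic, not code from the thread or from Microsoft; it assumes the well-known Graph application ID and User Administrator role template ID, and the function and helper names are my own.

```python
import base64
import json

# Assumptions: the built-in Azure AD "User Administrator" role template ID and
# the Microsoft Graph application ID; neither appears in the thread itself.
USER_ADMIN_ROLE_TEMPLATE_ID = "fe930be7-5e62-47db-91af-98c3a49a38b1"
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")
AAD_ISSUER_HOSTS = ("login.microsoftonline.com", "sts.windows.net")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str) -> list:
    """List reasons a token would fail PATCH /users/{id} with a passwordProfile."""
    claims = decode_claims(token)
    problems = []
    iss = claims.get("iss", "")
    # A B2C user-flow token is issued by <tenant>.b2clogin.com; Graph rejects it.
    if "b2clogin.com" in iss:
        problems.append(f"issuer {iss!r} is a B2C user flow; Graph does not accept B2C tokens")
    elif not any(host in iss for host in AAD_ISSUER_HOSTS):
        problems.append(f"unrecognised issuer {iss!r}")
    aud = claims.get("aud", "")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")
    # 'wids' lists the directory role template IDs the token carries; Directory.*
    # scopes alone are not enough to set another user's password.
    if USER_ADMIN_ROLE_TEMPLATE_ID not in claims.get("wids", []):
        problems.append("User Administrator role missing from wids; expect Authorization_RequestDenied")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `diagnose_graph_token` on the access token you pass to Graph before sending the PATCH; an empty list means the token at least has the issuer, audience and role the thread says are required.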