Updating 'passwordProfile' via GraphAPI results in Session Revocation

Tobias Schmidt 81 Reputation points
2022-10-17T08:58:54+00:00

If I update a user's passwordProfile via PATCH on /users/<objectId> as a User Administrator, all sessions for the user are automatically revoked as

  • refreshTokensValidFromDateTime and
  • signInSessionsValidFromDateTime are set to the current timestamp.

Is there any way to disable this default behavior?

Microsoft Graph

2 answers

  1. JamesTran-MSFT 36,666 Reputation points Microsoft Employee
    2022-11-02T19:22:31.663+00:00

    @Tobias Schmidt
    Thank you for your time and patience and for following up on this!

    I changed my user's password using the below PATCH and ran into the same issue that you're experiencing.

    Update the passwordProfile of a user to reset their password:

    PATCH https://graph.microsoft.com/v1.0/users/{id}  
    Content-type: application/json  
      
    {  
      "passwordProfile": {  
        "forceChangePasswordNextSignIn": false,  
        "password": "testPassword001"  
      }  
    }  
    

    Initially, when I changed my user's password, my session expired almost immediately. However, to confirm the session expiration was from the password reset, I re-ran the same PATCH with a new password and didn't notice the session expire for about 1-2 minutes.

    I've reached out to our engineering team with this info and will update as soon as possible.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.
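The following is an added example, not code from the original thread or from Microsoft. It builds the same PATCH /users/{id} request shown in the answer above and then shows the check a practitioner would want around it: read the user's refreshTokensValidFromDateTime and signInSessionsValidFromDateTime before and after the reset to confirm the cut-offs moved, and compare a token's issue time (iat) against those cut-offs to see whether it is now rejected. The user objects, the sample JWT and the user id used below are constructed placeholders; the helper names are this example's own.

```python
# Added example (not code from the original thread). Builds the PATCH that
# resets a user's passwordProfile and checks the side effect the question
# describes: after the reset, Graph moves refreshTokensValidFromDateTime and
# signInSessionsValidFromDateTime to "now", so tokens minted earlier are
# rejected. USER_BEFORE, USER_AFTER and make_sample_token() are constructed
# sample data, not real Graph responses.
import base64
import json
from datetime import datetime, timezone
from urllib.request import Request

GRAPH = "https://graph.microsoft.com/v1.0"
CUT_OFF_FIELDS = ("refreshTokensValidFromDateTime", "signInSessionsValidFromDateTime")


def build_password_reset(user_id, new_password, access_token, force_change=False):
    """PATCH /users/{id} with only a passwordProfile (the request from the answer above)."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                "password": new_password}}
    return Request(
        f"{GRAPH}/users/{user_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def parse_graph_time(value):
    """Graph returns UTC ISO 8601 with a trailing Z and up to 7 fractional digits;
    datetime.fromisoformat (before Python 3.11) accepts neither, so normalise first."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def revocation_applied(before, after):
    """True when either cut-off moved forward between two reads of the user
    (GET /users/{id}?$select=refreshTokensValidFromDateTime,signInSessionsValidFromDateTime).
    Re-read after a short delay: the answer above saw a lag of about 1-2 minutes."""
    return any(parse_graph_time(after[f]) > parse_graph_time(before[f]) for f in CUT_OFF_FIELDS)


def jwt_issued_at(token):
    """Read 'iat' from a JWT payload. No signature verification here: this answers
    'when was it minted', not 'is it genuine'."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return datetime.fromtimestamp(claims["iat"], tz=timezone.utc)


def token_status(user, token):
    """Which of the two cut-offs on the user object now reject this token."""
    issued = jwt_issued_at(token)
    return {
        "refresh_token_rejected": issued < parse_graph_time(user["refreshTokensValidFromDateTime"]),
        "session_rejected": issued < parse_graph_time(user["signInSessionsValidFromDateTime"]),
    }


def make_sample_token(issued_at):
    """Constructed, unsigned JWT carrying only 'iat' (enough for jwt_issued_at)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'iat': int(issued_at.timestamp())})}."


# Constructed sample: the user as read before the PATCH and after it.
USER_BEFORE = {f: "2022-01-01T00:00:00Z" for f in CUT_OFF_FIELDS}
USER_AFTER = {f: "2022-10-17T08:58:54Z" for f in CUT_OFF_FIELDS}

if __name__ == "__main__":
    req = build_password_reset("00000000-0000-0000-0000-000000000000", "<new-password>", "<token>")
    print(req.get_method(), req.full_url, req.data.decode())
    print("sessions revoked:", revocation_applied(USER_BEFORE, USER_AFTER))
    old_token = make_sample_token(parse_graph_time("2022-10-17T08:00:00Z"))
    print("token minted before the reset:", token_status(USER_AFTER, old_token))
```

The two timestamps are the only directory-side evidence of the revocation, so a script that resets passwords in bulk should read them back rather than assume the reset succeeded; the same comparison against iat explains why a client that keeps a token cached across the PATCH starts receiving 401s without any change on its side.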

  2. DADDY MUNDELE 6 Reputation points
    2022-10-17T09:20:27.9+00:00

    using Azure.Identity;
    using Microsoft.Graph;
    using System.Threading.Tasks;

    namespace test1
    {
        class Program
        {
            static async Task Main(string[] args)
            {
                // Delegated permission that allows directory writes on behalf of the signed-in user.
                var scopes = new[] { "Directory.AccessAsUser.All" };

                // Multi-tenant apps can use "common",
                // single-tenant apps must use the tenant ID from the Azure portal
                var tenantId = "b2c tenant id";

                // Value from app registration
                var clientId = "b2c app client id";

                var options = new TokenCredentialOptions
                {
                    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
                };

                // Credentials of the account performing the reset. UsernamePasswordCredential uses the
                // resource owner password (ROPC) flow, so it only works for accounts that can sign in
                // without MFA or other interactive prompts.
                var userName = "b2c user name";
                var password = "password";

                // https://learn.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential
                var userNamePasswordCredential = new UsernamePasswordCredential(
                    userName, password, tenantId, clientId, options);

                var graphClient = new GraphServiceClient(userNamePasswordCredential, scopes);

                // Only passwordProfile is set, so the PATCH touches nothing else on the user.
                var user = new User
                {
                    PasswordProfile = new PasswordProfile
                    {
                        ForceChangePasswordNextSignIn = false,
                        Password = "xWwvJ]6NMw+bWH-d"
                    }
                };

                // Sends PATCH /users/{id} (Microsoft.Graph SDK 4.x request-builder syntax).
                await graphClient.Users["user id"]
                    .Request()
                    .UpdateAsync(user);
            }
        }
    }

