Does azure AD support password change of on-premise AD users(on premise AD synced with azure AD) through graph apis without asking the user to change the password On next logon?

Question

Use case - azure ad is synced with on prem ad via azure ad connect

Password rightback is enabled for the same

How should I do the password change of an on prem ad user using graph apis?

for reference I was following these documents for password change of on prem ad user synced with azure ad

https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

When I am trying to hit /reset password api , its shows access denied- user is not allowed to use this resource.

Also, i am using service principal in this process, which has authentication administrator and global administrator rights

No sufficient documentation is available for the above use case?

If the above use case is achievable- request the team to share a sample documentation for graph apis token generation and password change /reset process ?

Answer 1

@Pranay Bhatia

PFB the steps we followed to run this:

• Enable Password Writeback and enabled the following permissions:

• Resetting On-Prem Password policy.
• Get Access Token by running Auth Code Grant via Postman :

• Fetching the access token after logging in with Password administrator account.
• As mentioned in the documentation, currently reset password is only supported with delegated permissions scope. Also, only an administrator with the appropriate permissions can perform this operation and it cannot be performed on a user's own account. Please note that UserAuthenticationMethod.ReadWrite.All delegated permissions must be granted for the APP that is registered in Azure AD. As you can see below, I have tested this reset password API in Postman API tool using delegated scope and the succesful response is being generated. You can also refer Calling Graph API from Azure Logic Apps using delegated permissions documentation for more information.

   POST https://graph.microsoft.com/beta/users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword  

Important Note : APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. Example Output in Postman API tool:

• The password request went successful.
• Kindly wait for an hour for on-prem changes to replicate and try logging in with new password.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Answer 2

Hi @Pranay Bhatia

If writeback is enabled , in this case reset passowrd through Microsoft Graph API is not supported as mentioned in the Microsoft article below :

Unsupported writeback operations

Please don't forget to mark helpful answer as accepted

Answer 3

@Pranay Bhatia Thank you for reaching out to us and providing the detailed description of the issue,

Regarding your ask - Does Azure AD support password change of on-premises AD users(on premise AD synced with azure AD) through graph API without asking the user to change the password On next logon?   

Researched on the same, refer to this article - authenticationMethod: resetPassword - Microsoft Graph v1.0 | Microsoft Learn which has the steps on how to achieve. 

Reference:

Update-MgGraph new passwords not writing back - Microsoft Q&A

Error while updating the password profile - Microsoft Q&A

Let me know if you have any further questions, feel free to post back.