I'm using the Graph API and wish to change a user's password via application permissions,
via this API: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
This is my request for changing passwordProfile:
body = {
    "passwordProfile": {
        "forceChangePasswordNextSignIn": force_change_password_next_sign_in,
        "forceChangePasswordNextSignInWithMfa": force_change_password_with_mfa,
        "password": password
    }
}
self.client.http_request(
    method='PATCH',
    url_suffix=f'users/{quote(user)}',
    json_data=body,
    resp_type="text")
I keep getting an HTTP/403 Unauthorised response.
The permissions which have been given to my app are:
User.ReadWrite.All (application)
Directory.Read.All (delegated)
Directory.AccessAsUser.All (delegated)
Even though the documentation says it requires one of the permissions, it fails with each, so I added them all for testing and it still returns a 403.
Error in API call [403] - Forbidden
{"error": {"code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": {"date": "2023-06-16T10:58:16", "request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9", "client-request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9"}}}
The calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user.
When assigning the Global Administrator role (as an Active assignment), it works, changing the password without an error.
We don't want to give our users this role to change their passwords.
Is there another way?
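
Added example, not part of the original post: a diagnostic that decodes an access token and lists which permissions it actually carries, since application permissions appear in the `roles` claim and delegated permissions in the `scp` claim. The helper names and both sample tokens are constructed for illustration; only the permission names come from the question.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> dict:
    """Split the token's permissions into application roles and delegated scopes."""
    return {
        # An app-only (client credentials) token has no 'scp' claim at all.
        "app_only": "scp" not in claims,
        "application": sorted(claims.get("roles", [])),
        "delegated": sorted(claims.get("scp", "").split()),
    }


def _sample_token(payload: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.constructed"


# Constructed samples: one app-only token, one token issued for a signed-in user.
SAMPLE_APP_TOKEN = _sample_token({"roles": ["User.ReadWrite.All"]})
SAMPLE_USER_TOKEN = _sample_token(
    {"scp": "Directory.AccessAsUser.All Directory.Read.All"}
)

if __name__ == "__main__":
    for name, tok in (("app", SAMPLE_APP_TOKEN), ("user", SAMPLE_USER_TOKEN)):
        perms = granted_permissions(decode_claims(tok))
        print(name, perms)
        if perms["app_only"]:
            # Delegated grants on the app registration never reach this token.
            print("  app-only token: delegated permissions are not in effect")
```

Run it against the token the client actually sends to see whether the request is being made with application or delegated permissions.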