Unable to change user password via Graph API

itay4 36 Reputation points
2023-06-22T15:22:55.38+00:00

I'm using the Graph API and wish to change user password via application permissions.

Via this API https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

This is my request for changing passwordProfile:

from urllib.parse import quote  # URL-encode the user id / UPN in the path

# passwordProfile body for PATCH /users/{id | userPrincipalName}
body = {
    "passwordProfile": {
        "forceChangePasswordNextSignIn": force_change_password_next_sign_in,
        "forceChangePasswordNextSignInWithMfa": force_change_password_with_mfa,
        "password": password
    }
}
self.client.http_request(
    method='PATCH',
    url_suffix=f'users/{quote(user)}',
    json_data=body,
    resp_type="text")

I keep getting an HTTP 403 Unauthorised response.

The permissions which have been given to my app are:

User.ReadWrite.All (application)
Directory.Read.All (delegated)
Directory.AccessAsUser.All (delegated)

Even though the documentation says it requires one of the permissions, it fails with each, so I added them all for testing and it still returns a 403.

Error in API call [403] - Forbidden
{"error": {"code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": {"date": "2023-06-16T10:58:16", "request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9", "client-request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9"}}}

The calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user.

When assigning Global Administrator role (as Active assignments) it works, changing the password without an error.

We don't want to give our users this role to change their passwords.

Is there another way?


Accepted answer

Vasil Michev 112.1K Reputation points MVP
2023-06-22T17:53:03.5866667+00:00

You're missing the other bit mentioned in the same documentation article, namely:

and the calling user must have a higher privileged administrator role as indicated in Who can perform sensitive actions.

As mentioned in the linked article, in order to change the password for another admin user, you need additional permissions: Auth Admin, Privileged Auth Admin or Global Admin, depending on the target user's role. There's no going around this.

If you are changing the password of a "regular" user, the requirements are more relaxed.
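The following is an added example, not code from the question or the accepted answer. It builds the same user-update PATCH the question sends and interprets the response so an operator can tell a missing-role failure (the 403 `Authorization_RequestDenied` in the thread) apart from a bad token. The function names, the `urllib`-based sender and the sample values are assumptions for illustration; the sample 403 body is the one quoted in the question.

```python
"""Added example: build the Graph user-update PATCH and explain its errors.
Not the asker's or Microsoft's code; names below are illustrative."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# 403 body copied from the question (request ids are the ones the asker posted).
SAMPLE_403_BODY = (
    '{"error": {"code": "Authorization_RequestDenied", '
    '"message": "Insufficient privileges to complete the operation.", '
    '"innerError": {"date": "2023-06-16T10:58:16", '
    '"request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9", '
    '"client-request-id": "aae9abba-872b-4792-89d7-0e58e0271fb9"}}}'
)


def build_password_update(user, password, force_change=True, force_change_with_mfa=False):
    """Return (method, url, body) for the passwordProfile update in the question."""
    body = {
        "passwordProfile": {
            "forceChangePasswordNextSignIn": force_change,
            "forceChangePasswordNextSignInWithMfa": force_change_with_mfa,
            "password": password,
        }
    }
    return "PATCH", f"{GRAPH_BASE}/users/{quote(user)}", body


def explain_graph_error(status, response_text):
    """Map a Graph error response to an operator-facing explanation."""
    try:
        err = json.loads(response_text).get("error", {})
    except (ValueError, AttributeError):
        err = {}
    code = err.get("code", "")
    if status == 401:
        return "token rejected or expired: re-acquire an app-only token"
    if status == 403 and code == "Authorization_RequestDenied":
        # The case in the thread: User.ReadWrite.All is granted, but the
        # caller lacks the directory role that resetting an admin requires.
        return ("permission granted but caller lacks the required directory role; "
                "assign Authentication Administrator, Privileged Authentication "
                "Administrator or Global Administrator to the calling principal, "
                "depending on the target user's role")
    if status == 403:
        return f"forbidden: {code or 'unknown'}"
    return f"unexpected status {status}: {code or response_text[:80]}"


def change_password(token, user, password, **kw):
    """Send the PATCH with a bearer token (network call; not exercised offline).
    Returns (http_status, 'ok' or an explanation)."""
    method, url, body = build_password_update(user, password, **kw)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, "ok"  # Graph answers 204 No Content on success
    except urllib.error.HTTPError as e:
        text = e.read().decode(errors="replace")
        return e.code, explain_graph_error(e.code, text)


if __name__ == "__main__":
    method, url, body = build_password_update("user@contoso.example", "<placeholder>")
    print(method, url, json.dumps(body))
    print(explain_graph_error(403, SAMPLE_403_BODY))
```

The useful part for the thread is the 403 branch: because the error code is the same whether a permission or a role is missing, the script reports the role requirement from the accepted answer rather than suggesting more Graph permissions, and it keeps Global Administrator as the last option listed.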
