You cannot, as there is currently no possibility to create custom roles that can feature such permissions. And yes, it's unfortunate that you cannot go granular; it's common feedback for the Graph folks at Microsoft.
Changing password of accounts with privileged roles with a Service Principal
Hello, our IAM platform lets our users change their Azure account password. Our platform uses the C# Graph SDK to change the password, authenticating using a Service Principal. However, for certain accounts, the action fails with:
Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Upon finding this page, I realize that our Service Principal would require "Privileged Authentication Administrator" if we wanted to be able to change the password of any account in the directory. I am taking a chance here to ask you if there is a possibility to use a custom role instead, as "Privileged Authentication Administrator" would allow our Service Principal to do more than we would like. Or should I be considering a different approach? Thank you for your time.