We have a Logic App in our tenant which should change a password. It has worked, but the last time it gave errors.
In this workflow there is a PATCH request to https://graph.microsoft.com/v1.0/users/@{items('For_each')?['UPNOrObjectId']} where we want to set a (temporary) password via
{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "@{body('Parse_TAPData')?['temporaryAccessPass']}"
  }
}
The response is a 403 error:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2024-06-07T01:02:28",
      "request-id": "4a7a1740-055d-4475-99bf-bf185cc07fe2",
      "client-request-id": "4a7a1740-055d-4475-99bf-bf185cc07fe2"
    }
  }
}
The GET request to https://graph.microsoft.com/beta/users/@{items('For_each')?['UPNOrObjectId']}?$select=id,displayName,givenName,userPrincipalName,mail gives the details of the user.
Also tested via an alternative REST client (outside Azure), which gives the same results. We can request the details of a user but get the same 403 error on the PATCH request to set the password.
We checked the application rights for the app registration TAPRegistryReader that's behind the Logic App.
According to the documentation, the passwordProfile call is part of the user entity, which needs the following permission grants:
Permission type                     | Least privileged permissions
Delegated (work or school account)  | User.ReadWrite
Application                         | User.ManageIdentities.All
source: https://learn.microsoft.com/en-us/graph/api/user-list-oauth2permissiongrants?view=graph-rest-1.0&tabs=http
And even the higher privileged permissions granted to the application keep giving the same error ("Insufficient privileges to complete the operation").
The application is also added to the role of Password Administrator. (The suggestion in https://learn.microsoft.com/en-us/answers/questions/1603872/what-additional-permission-do-i-need-to-update-a-u for Global Admin looks too wide for me, but in the comment the Password Administrator seems right.)
Looked also via https://developer.microsoft.com/en-us/graph/graph-explorer and even with all suggested permissions granted we get the same error.
Please advise and help to mitigate this issue.
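As an added diagnostic example (not code from the question, the Logic App, or Microsoft): the script below decodes the claims of the access token the workflow sends, reports whether the app-only `roles` claim or the delegated `scp` claim actually carries the permission named in the table above, and builds the same PATCH body. The required-permission sets and the sample tokens are constructed assumptions for an offline run.

```python
import base64
import json

# Permissions the question's table names for the passwordProfile update
# (assumed here as the values to verify; adjust if your tenant requires others).
REQUIRED_APP_ROLES = {"User.ManageIdentities.All"}
REQUIRED_DELEGATED_SCOPES = {"User.ReadWrite"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking the signature.
    Inspection only: never use this to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_token_permissions(token: str) -> dict:
    """Compare the permissions embedded in the token with the required set."""
    claims = decode_claims(token)
    if "roles" in claims:            # app-only token: permissions live in 'roles'
        kind, granted, required = "application", set(claims["roles"]), REQUIRED_APP_ROLES
    else:                            # delegated token: permissions live in 'scp'
        kind, granted, required = "delegated", set(claims.get("scp", "").split()), REQUIRED_DELEGATED_SCOPES
    return {"kind": kind, "aud": claims.get("aud"),
            "granted": sorted(granted), "missing": sorted(required - granted)}


def build_password_patch(user_id: str, temp_password: str) -> tuple:
    """URL and body of the PATCH the Logic App sends (same shape as in the question)."""
    url = f"https://graph.microsoft.com/v1.0/users/{user_id}"
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": True, "password": temp_password}}
    return url, body


def _make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned sample token (alg 'none') so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed claims, not real tokens: one app-only token lacking the role, one delegated token with the scope.
APP_TOKEN = _make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED_TOKEN = _make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read User.ReadWrite"})
```

A token acquired before consent was granted does not gain the new `roles` entry until a fresh token is issued, so an empty `missing` list from a newly acquired token is the first thing to confirm before re-sending the PATCH.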