
Using Graph API in a Multi-Tenant Enterprise Application for User Password Management

MP732 40 Reputation points
2024-10-17T13:28:54.0833333+00:00

Is it possible to handle user password management using the Graph API in a multi-tenant enterprise application? Currently, setting the user's password profile with ForceChangePasswordNextSignIn set to true works fine, but I encounter permission issues when attempting to generate a temporary password for the user to use at their next sign-in. The error returned is:
"Authorization_RequestDenied: Insufficient privileges to complete the operation."

I have increased the application permissions to Directory.ReadWrite.All and had a test tenant account grant application permissions to see if this level would suffice, but it was still insufficient.

Can a multi-tenant application effectively set passwords for users across different tenants?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Answer accepted by question author
Vasil Michev 125.2K Reputation points MVP Volunteer Moderator
2024-10-17T16:17:57.3233333+00:00

You can, but there are requirements for that as detailed for example here: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#example-3-update-the-passwordprofile-of-a-user-and-reset-their-password

In addition, changing the password on a privileged user requires the Privileged Authentication Admin role to be assigned to the service principal in the resource tenant.

1 person found this answer helpful.
