how to reset and change password using microsoft graph api of Azure AD B2C users?

Question

how to reset and change password using microsoft graph api of Azure AD B2C users?

SRI 26

POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword

POST https://graph.microsoft.com/beta/me/changePassword
POST https://graph.microsoft.com/v1.0/me/changePassword

tried above apis. but all the apis are giving below error

2 answers

Your answer

Answer 1

AmanpreetSingh-MSFT 56,951 Moderator

Hi @SRI · Thank you for reaching out.

In the changePassword call, you need to update the call to either /beta/users/object_id_or_upn_of_user or /beta/me. Reason why you are getting error resource not found is, because you are passing /beta/object_id_of_the_user.

Make sure the token that you are passing in the Authorization Header is acquired under user context and NOT under application context (using client credentials flow).
The token that you are passing in the Authorization Header must be of the same user whose password you are trying to change. You cannot use User1's token to change password of User2.
These calls can only be used for local accounts and NOT for social accounts in B2C tenant, as the passwords for social accounts are stored in their respective IDPs.
Make sure you have provided consent for below delegated permissions:
- Directory.AccessAsUser.All - Required for changePassword
- UserAuthenticationMethod.ReadWrite.All - Required for resetPassword

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

SRI 26 Reputation points

2021-06-23T08:24:22.437+00:00

Hi @AmanpreetSingh-MSFT
Thank you for your response.
UserAuthenticationMethod.ReadWrite.All - Required for resetPassword -- this permissions is provided.

can you give an example or correct api for reset password?
AmanpreetSingh-MSFT 56,951 Reputation points Moderator

2021-06-24T09:58:33.823+00:00

Hi @SRI · Below call works.
Call: POST https://graph.microsoft.com/beta/users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
Body:
{
"newPassword": "newPasswordvalue",
}

If this doesn't work, try creating new member user and assign with Global Admin rights in your B2C tenant. Don't use guest or signed-up user for this purpose.
Frank Carius 31 Reputation points MVP

2021-07-12T15:54:23.163+00:00

I wrote a Blog article a few weeks ago at (https://www.msxfaq.de/cloud/graph/graph_password.htm) But it is german. So Sorry for that. Maybe Google/Bing Translation might help.
The Code is langauge independend. I got it working for my testlab user "******@msxfaq.net" with the following two powershell lines.
You have to collect the accesstoken first, of course.

First Collect the password Methods.

$passwordmethods = Invoke-RestMethod -Method GET
-Headers @{"Authorization" = "Bearer $($accesstoken)"} -ContentType "application/json"
-URI "https://graph.microsoft.com/beta/users/clouduser1%40msxfaq.net/authentication/passwordMethods"

Invoke-RestMethod -Method POST
-Headers @{"Authorization" = "Bearer $($accesstoken)"} -ContentType "application/json"
-URI "https://graph.microsoft.com/beta/users/clouduser1%40msxfaq.net/authentication/passwordMethods/$($passwordmethods.value.id)/resetPassword" `
-body "{""newPassword"": ""superSecretPasswordHere!""}"

The only issue i have not solved yet: the user has to change it's password at the first logon and i have not found a way to disabled that.
It works with the old GraphAPI at graph.windows.net
Gamer1218 11 Reputation points

2021-07-14T09:46:31.533+00:00

Hi @AmanpreetSingh-MSFT

how to change password for the logged in user using Change Password call?.

Directory.AccessAsUser.All - Required for changePassword - this permission is provided

Calling Change password for Microsoft Graph Api using
Users[User Object Id].ChangePassword(current pswd, new pswd)

the System throws Exception - Access to change password operation is denied.

am i missing something here?

Answer 2

Kim 1

Hi

I have an Azure AD B2C App registration and I want to be able to change passwords for users under that App with the Graph Api.

But I keep getting an exception that the 'Access to change password operation is denied' - I have tried to give the App different roles in the AD (Password and Helpdesk Admin) - but nothing seems to help.

I can not find this permission 'Directory.AccessAsUser.All' - under Graph API and Delegated Permissions I only have "openid" and "offline_access" and I can not find it under Delegated Permissions.

Any clue and help will be much appreciated. :)

Thanks in advance.

AmanpreetSingh-MSFT 56,951 Reputation points Moderator

2021-12-07T08:40:51.047+00:00

@Kim • B2C apps do not support all Graph operations as of now. These permissions will be visible only when the application is registered using one of the below-highlighted options:
Kim 1 Reputation point

2021-12-07T09:01:04.46+00:00

Thanks. I have supported account types "All users" - is that why? Also, when will the graph operations be available for changing passwords?

iliosana-2958 6

@Kim I got it to work by assigning the role 'Password administrator' to my Azure AD B2C app registration and giving the following API permissions: Directory.ReadWrite.All and User.ReadWrite.All (both type: application).

I am updating the password using Graph as follows:

                   User user = new User  
                    {  
                        PasswordProfile = new PasswordProfile  
                        {  
                            ForceChangePasswordNextSignIn = false,  
                            Password = "myNewPassword"  
                        }  
                    };  
  
                    await graphServiceClient.Users[userId].Request().UpdateAsync(user);

Jacek B 26 Reputation points

2022-07-31T22:39:19.237+00:00

Thank you very much!
Worked for me
Sairam Janakiraman 1 Reputation point

2022-11-23T19:23:16.167+00:00

Worked for me as well. This information is really buried, so appreciate the help.

Share via

how to reset and change password using microsoft graph api of Azure AD B2C users?

2 answers

First Collect the password Methods.

Your answer