Azure Reset Password using Graph API

Lionell Libarios (ext) 1 Reputation point
2022-01-25T19:50:23.79+00:00

Is it possible to reset a user password using the GraphAPI on Azure Logic apps using Managed Identity?
passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn

I'm currently testing it and the response is:

{\"error\":{\"code\":\"BadRequest\",\"message\":\"UserPrincipalName value in token was missing or invalid\"
Which confirms the docs page I guess.

Are there any plans to expand these permissions so it is possible to reset the password programmatically using application permissions?


2 answers

  1. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-01-26T03:58:35.107+00:00

    Hi @LionellLibariosext-1998,

    As mentioned in the documentation, currently reset password is only supported with the delegated permissions scope. Also, only an administrator with the appropriate permissions can perform this operation, and it cannot be performed on a user's own account. Please note that the UserAuthenticationMethod.ReadWrite.All delegated permission must be granted for the app that is registered in Azure AD. As you can see below, I have tested this reset password API in the Postman API tool using the delegated scope and the successful response is being generated. You can also refer to the Calling Graph API from Azure Logic Apps using delegated permissions documentation for more information.

    [image: 168553-image.png]

    POST https://graph.microsoft.com/beta/users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword  
    

    Important Note : APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

    Example Output in Postman API tool:

    [image: 168530-ms-graph-users-api-password-reset.jpg]

    Hope this helps.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have any further questions about this answer, please click "Comment".

    1 person found this answer helpful.

  2. CarlZhao-MSFT 37,216 Reputation points
    2022-01-26T06:21:31.55+00:00

    Hi @LionellLibariosext-1998

    Currently, using application permissions to reset user passwords is not supported. But if you can grant your application the User Administrator role, then we can still reset the password using only the application principal. It supports obtaining tokens silently using the client credential flow, which is useful for unattended scenarios.

    We can achieve this using MSOL PowerShell.

    Install Module:

    Install-Module -Name MSOnline  
    

    Import Module:

    Import-Module MSOnline  
    

    Connect to the service and log in with your global administrator:

    Connect-MsolService  
    

    Add the Role:

    # Replace the placeholders with your tenant id and the app registration's client id
    $tenantID = "{tenant id}"
    $appID = "{client id}"
    # Look up the service principal (enterprise application) of the app registration
    $myAp = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantID
    $objectId = $myAp.ObjectId
    # Assign the directory role to the service principal, not to the app registration object
    Add-MsolRoleMember -RoleName "User Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId
    

    Next, use the client credentials flow to get the token and call the update user API to reset the password.

    [image: 168537-image.png]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.