Change password Graph api gives Invalid x5t claim.

T Giri 6 Reputation points
2022-02-14T10:06:18.82+00:00

I'm trying to use the change password Graph API to change the password for the B2C login user, but I'm getting an "Invalid x5t claim" error message.

Here is the Postman screen:

[Postman screenshot]

In this call, authentication is done using the B2C bearer token which we get during login.

I did some initial searching and found that the token needs to have the audience/scope for the Graph URL, so I tried to create a token using the login, client and app secret, but it also failed with the error: AADSTS50056: Invalid or missing password: password does not exist in the directory for this user.

Here is the Postman screen:

[Postman screenshot]

Response:

{
    "error": "invalid_grant",
    "error_description": "AADSTS50056: Invalid or missing password: password does not exist in the directory for this user.\r\nTrace ID: 6426d233-66e0-4dec-85aa-8a71700\r\nCorrelation ID: b329595f-4c94-90d8-90a7a96fa8b2\r\nTimestamp: 2022-02-14 07:38:03Z",
    "error_codes": [
        50056
    ],
    "timestamp": "2022-02-14 07:38:03Z",
    "trace_id": "6426d23ec-85aa-8d6382a71700",
    "correlation_id": "b329595f-b94-90d8-90a7a96fa8b2",
    "error_uri": "https://login.microsoftonline.com/error?code=50056"
}

Am I doing something wrong, or do I need more permissions from the Azure admin? If I need permissions, which permissions do I need to request?

Thanks!


1 answer

AmanpreetSingh-MSFT 56,601 Reputation points
2022-02-14T10:50:32.857+00:00

    Hi @T Giri • Thank you for reaching out.

    Yes, the audience claim in the token must match the API that is consuming the token. You can use https://jwt.ms to decode the token that you are passing in the Authorization header of your first call and confirm that its audience is https://graph.microsoft.com.

    For the error AADSTS50056: Invalid or missing password: password does not exist in the directory for this user, there can be 2 reasons:

    1. The password that you have provided in the body of your token acquisition call is a temporary password. A temporary password is marked as expired, and Postman doesn't provide an option for you to reset it. If it is a temporary password, please sign in to portal.azure.com or portal.office.com and set a permanent password for the user account you are using.
    2. The user account you are using is a federated account and is not synced to Azure AD. In that case, please follow the instructions I have provided in my blog post here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d

    Feel free to tag me in your reply if you have any further questions.

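As an added example (not part of the answer above and not Microsoft's own code), this Python script does locally what the answer suggests doing on https://jwt.ms: it decodes the bearer token without verifying it and reports whether its `aud` claim is one Microsoft Graph accepts. The two sample tokens, their key id and thumbprint values, and the client ID are constructed for the demonstration.

```python
import base64
import json

# Microsoft Graph's well-known resource identifiers: a token meant for Graph carries
# one of these in its "aud" claim (the GUID is Graph's application ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) of a JWT WITHOUT checking its signature.
    This only inspects what a token says about itself, like jwt.ms does;
    never use it to decide whether a token is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str) -> list:
    """List the reasons a bearer token would not be accepted by Microsoft Graph."""
    problems = []
    header, claims = decode_jwt_unverified(token)
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}; Graph expects one of {sorted(GRAPH_AUDIENCES)}")
    if not (claims.get("scp") or claims.get("roles")):
        problems.append("token carries neither scp (delegated) nor roles (app) permissions")
    if "x5t" not in header and "kid" not in header:
        problems.append("header has neither x5t nor kid, so no signing key is identified")
    return problems


def _make_test_jwt(header: dict, claims: dict) -> str:
    """Constructed test token with a dummy signature (real tokens are signed by Azure AD)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.dummysig"


# Constructed sample 1: a B2C sign-in token whose audience is the B2C app itself,
# i.e. the situation in the question (the token was never issued for Graph).
B2C_LOGIN_TOKEN = _make_test_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "example-key-id"},
    {"aud": "11111111-2222-3333-4444-555555555555", "scp": "openid"})
# Constructed sample 2: a token acquired with a Graph scope, as the API expects.
GRAPH_TOKEN = _make_test_jwt(
    {"alg": "RS256", "typ": "JWT", "x5t": "example-thumbprint"},
    {"aud": "https://graph.microsoft.com", "scp": "Directory.AccessAsUser.All"})
```

Run `diagnose_graph_token()` on the exact string you paste into Postman's Authorization header; an empty list means the audience and permission claims look right for Graph, while the AADSTS50056 password error is a separate, token-acquisition problem that this check cannot see.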

