Error while updating the password profile

Laxmi Prasanna 96 Reputation points
2020-02-18T04:48:02.247+00:00

We have been trying to hit an update user api for updating the password profile of a user. We tried to use multiple approaches.

Giving the app required delegated and application permissions as mentioned in the document above. But still we are getting an error "Insufficient privileges to complete the operation." Do we have to add any extra permissions to the Application permissions to make this approach work?
While trying to hit the api from app by giving user's username and password who is a Global Administrator in the body then we are able to reset password of the user. But using the admin's username and password does not lead to any security constraints?
What is the preferred way of reset/change password of user using microsoft graph apis is it the delegation way or the application permission way? We have gone through couple of blogs like https://gcits.com/knowledge-base/automate-api-calls-microsoft-graph-using-powershell-azure-active-directory-applications/, is there anyway to provide consent to application to enable change/reset password via application?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,077 questions
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-02-24T07:23:05.33+00:00

    @Laxmi Prasanna

    If you do not want to provide username and password, you need to use Client_Credentials flow to get an access token in application context. Please refer to screenshot below:
    3292-untitled.png

    Make sure you have assigned "User Administrator" or "Global Administrator" role to the application (whose client ID you have specified in the token request) by using below steps. If this is not done, you are expected to get "Insufficient privileges to do the reset password".

    Navigate to Azure Portal > Azure AD > Roles and administrators > User Administrator > Click on Add Assignments > select the application > click on Add button.

    Note: Once the role is assigned to the application, it might take a few minutes to take effect. I would suggest to wait for10-15 minutes and try to update the password profile afterwards.

    Once you have the token, make below patch call with body: { "passwordProfile": { "password": "Passw0rd33333", "forceChangePasswordNextSignIn": true } } and you should get Statue: 204 as highlighted below. At this point, your password profile should be updated successfully.

    3361-untitled2.png

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-02-21T14:08:29.777+00:00

    @Laxmi Prasanna If you are updating the password profile of standard users under application context, you need to assign "User Administrator" role to the application.

    Navigate to Azure Portal > Azure AD > Roles and administrators > User Administrator > Click on Add Assignments > select the application > click on Add button.

    Once the role is assigned to the application, it might take a few minutes to take effect. Try to update the password profile after 10-15 minutes.

    Note: User administrator can reset passwords for standard users or limited admins. If you want to reset global admin's password, you need to assign Global Administrator role to the application.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.

  2. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-02-18T16:15:50.607+00:00

    @Laxmi Prasanna Please try assigning below delegated permissions to Graph API and grant Admin Consent.

    1. Directory.AccessAsUser.All
    2. Directory.ReadWrite.All
    3. User.ReadWrite.All

    Also take a moment to share your feedback on your previous thread https://learn.microsoft.com/answers/questions/8736/not-able-to-use-the-property-forcechangepasswordne.html if that was helpful.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.

  3. TEG 1 Reputation point
    2022-05-13T04:58:51.623+00:00

    @AmanpreetSingh-MSFT

    your post was very helpful. is there also a way to set the password from a secure string ? i have the hash of the password in a csv file. so far i have used the azure ad module for this, which also works:

    Here I convert the password hash to a secure string:
    $SecPaswd = $CSVADUser.newpassword | convertto-securestring

    After that the password is set:
    Set-ADAccountPassword -Reset -NewPassword $SecPaswd -Identity $Name -Server "xy.xy.xy

    The same with Graph:

    $params = @{
    PasswordProfile = @{
    ForceChangePasswordNextSignIn = $false
    Password = $SecuredPassword
    }
    }

    Update-MgUser -UserId $CSVAADUser.UserPrincipalName -BodyParameter $params

    the password from the secure string is not set, but the object name "System.Security.SecureString" is set as password.

    Do you know any way to set secure string as password with graph. Thanks a lot for your help.

    0 comments No comments