0 Votes
LaxmiPrasanna-3771 asked · TEG-8533 answered

Error while updating the password profile

We have been trying to hit an update-user API to update the password profile of a user. We tried multiple approaches:

  1. We gave the app the required delegated and application permissions as mentioned in the document above, but we still get the error "Insufficient privileges to complete the operation." Do we have to add any extra permissions to the application permissions to make this approach work?

  2. When hitting the API from the app with the username and password of a user who is a Global Administrator in the body, we are able to reset the user's password. But doesn't using the admin's username and password introduce any security constraints?

  3. What is the preferred way to reset/change a user's password using Microsoft Graph APIs: the delegated way or the application-permission way? We have gone through a couple of blogs like https://gcits.com/knowledge-base/automate-api-calls-microsoft-graph-using-powershell-azure-active-directory-applications/; is there any way to grant consent to the application to enable change/reset password via application permissions?

azure-active-directory

Hi @amanpreetsingh-msft, I have a small question regarding the update of the password profile: using the above permissions we are not able to update the password of an Application Administrator. Is this expected because of some security constraint, or do we have to add extra roles to the application to do "Reset Password" and "Change Password"? Can you provide any docs which refer to this? It would be very helpful. I tried giving the Application Administrator and Global Administrator roles to the application as well, but no luck; I am not able to change the password of an Application Administrator.

0 Votes

0 Votes
amanpreetsingh-msft answered · AnburajGanesan-2487 commented

@LaxmiPrasanna-3771

If you do not want to provide a username and password, you need to use the client_credentials flow to get an access token in the application context. Please refer to the screenshot below:

[screenshot: untitled.png]

Make sure you have assigned the "User Administrator" or "Global Administrator" role to the application (whose client ID you have specified in the token request) using the steps below. If this is not done, you are expected to get "Insufficient privileges to do the reset password".

Navigate to Azure Portal > Azure AD > Roles and administrators > User Administrator > Click on Add Assignments > select the application > click on Add button.

Note: Once the role is assigned to the application, it might take a few minutes to take effect. I would suggest waiting 10-15 minutes and trying to update the password profile afterwards.

Once you have the token, make the PATCH call below with the body { "passwordProfile": { "password": "Passw0rd33333", "forceChangePasswordNextSignIn": true } } and you should get Status: 204 as highlighted below. At this point, your password profile should be updated successfully.

[screenshot: untitled2.png]




Please "Accept as answer" wherever the information provided helps you to help others in the community.

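The client-credentials token request and the PATCH call from the answer above, written out as one script. This is an added example, not the answer's own code: the tenant ID, client ID and target UPN are placeholders, the client secret is assumed to be in the GRAPH_CLIENT_SECRET environment variable, and the app registration is assumed to already hold the User Administrator (or Global Administrator) directory role.

```powershell
# Added example (not from the thread). Assumptions: placeholder tenant/client IDs and
# target UPN below, client secret in $env:GRAPH_CLIENT_SECRET, and the app registration
# already assigned the User Administrator (or Global Administrator) directory role.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId     = '11111111-1111-1111-1111-111111111111'   # placeholder
$TargetUpn    = 'user@contoso.example'                   # placeholder
$ClientSecret = $env:GRAPH_CLIENT_SECRET                 # keep the secret out of the script

# 1. Client-credentials token: application context, no user's username/password involved.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }

# 2. Random temporary password (32 chars, mixed case + digits) instead of a fixed value;
#    forceChangePasswordNextSignIn makes the user replace it at first sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

$body = @{
    passwordProfile = @{
        password                      = $tempPassword
        forceChangePasswordNextSignIn = $true
    }
} | ConvertTo-Json -Depth 3

# 3. PATCH /users/{id | userPrincipalName}. 204 No Content = password profile updated.
try {
    $resp = Invoke-WebRequest -Method Patch `
        -Uri "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($TargetUpn))" `
        -Headers @{ Authorization = "Bearer $($token.access_token)" } `
        -ContentType 'application/json' -Body $body
    Write-Host "Status: $($resp.StatusCode)"   # expect 204; never print $tempPassword
}
catch {
    # 403 Authorization_RequestDenied ("Insufficient privileges") means the app lacks the
    # directory role, or the assignment has not propagated yet (see the 10-15 minute note).
    Write-Warning "Graph PATCH failed: $($_.Exception.Message)"
    throw
}
```

Hand the temporary password to the user out of band; the script deliberately never writes it to the console or a log.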

@amanpreetsingh-msft thank you, this was really helpful. We were able to solve our issue. Can you also reply on the threads below? It would be really helpful.

https://docs.microsoft.com/answers/questions/9942/do-we-have-any-microsoft-graph-api-to-change-the-p.html
https://docs.microsoft.com/answers/questions/8883/do-we-have-any-apis-to-know-the-lock-state-of-the.html -- any apis to get the smart lockout state of the user?

0 Votes

It executed without an error and the status code was 204, but the password is not set for the user.

0 Votes

1 Vote
amanpreetsingh-msft answered · LaxmiPrasanna-3771 commented

@LaxmiPrasanna-3771 Please try assigning the delegated permissions below to the Graph API and grant admin consent.

  1. Directory.AccessAsUser.All

  2. Directory.ReadWrite.All

  3. User.ReadWrite.All

Also take a moment to share your feedback on your previous thread https://docs.microsoft.com/answers/questions/8736/not-able-to-use-the-property-forcechangepasswordne.html if that was helpful.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft we have already given the delegated permissions to the Microsoft Graph API. I am attaching a screenshot for reference. But we were still getting that error. [screenshot: screen-shot-2020-02-20-at-40321-pm.png]


0 Votes

Can someone please guide us on this? It would be very helpful.

0 Votes

1 Vote
amanpreetsingh-msft answered · LaxmiPrasanna-3771 commented

@LaxmiPrasanna-3771 If you are updating the password profile of standard users in the application context, you need to assign the "User Administrator" role to the application.

Navigate to Azure Portal > Azure AD > Roles and administrators > User Administrator > Click on Add Assignments > select the application > click on Add button.

Once the role is assigned to the application, it might take a few minutes to take effect. Try to update the password profile after 10-15 minutes.

Note: A User Administrator can reset passwords for standard users or limited admins. If you want to reset a Global Administrator's password, you need to assign the Global Administrator role to the application.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft We are trying to call the APIs from Postman. While getting the access token it asks for username and password as parameters when using the headers below (screenshot attached), and if we give the username and password then it works properly. But is there any other way where we do not provide credentials and resetting the password still works?

[screenshot: screen-shot-2020-02-24-at-121804-pm.png]

If the username is not given then we get the error below:

[screenshot: screen-shot-2020-02-24-at-122013-pm.png]


0 Votes

@amanpreetsingh-msft our main concern is: is there any other way where we do not have to provide the user's username and password when generating the access token for resetting the password? We found another method which says to give grant_type as client_credentials in the body, but when we use the access token generated that way it says "Insufficient privileges to do the reset password", so that is the reason we were using grant_type as password. If there is any other way, it would be very helpful.


0 Votes

0 Votes
TEG-8533 answered

@amanpreetsingh-msft

Your post was very helpful. Is there also a way to set the password from a secure string? I have the hash of the password in a CSV file. So far I have used the Azure AD module for this, which also works:

Here I convert the password hash to a secure string:

$SecPaswd = $CSVADUser.newpassword | ConvertTo-SecureString

After that the password is set:

Set-ADAccountPassword -Reset -NewPassword $SecPaswd -Identity $Name -Server "xy.xy.xy"

The same with Graph:

$params = @{
    PasswordProfile = @{
        ForceChangePasswordNextSignIn = $false
        Password = $SecuredPassword
    }
}

Update-MgUser -UserId $CSVAADUser.UserPrincipalName -BodyParameter $params

The password from the secure string is not set; instead the object name "System.Security.SecureString" is set as the password.

Do you know any way to set a secure string as the password with Graph? Thanks a lot for your help.
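Graph's passwordProfile.password is a plain string, so the SecureString has to be decrypted in-process before it goes into the body; calling ToString() on it (which is what happens when a SecureString is dropped into a string field) yields only the type name, which is why "System.Security.SecureString" ended up as the password. The loop below is an added example, not the poster's script: it assumes the CSV has UserPrincipalName and newpassword columns, where newpassword is the output of ConvertFrom-SecureString (DPAPI-protected, so decryptable only by the same Windows user on the same machine that produced it), and a placeholder CSV path.

```powershell
# Added example (not from the thread). Assumes .\newpasswords.csv (placeholder path) with
# UserPrincipalName and newpassword columns, newpassword being ConvertFrom-SecureString
# output created by the same Windows user on this machine (DPAPI), and an existing
# Connect-MgGraph session with User.ReadWrite.All plus the User Administrator role.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    # NetworkCredential decrypts the SecureString for us without leaving an unmanaged
    # BSTR behind, and works on both Windows PowerShell 5.1 and PowerShell 7.
    return [System.Net.NetworkCredential]::new('', $Secure).Password
}

foreach ($CSVAADUser in Import-Csv -Path '.\newpasswords.csv') {
    # Same first step as the poster's AD script: protected string -> SecureString.
    $SecPaswd = $CSVAADUser.newpassword | ConvertTo-SecureString

    $params = @{
        PasswordProfile = @{
            ForceChangePasswordNextSignIn = $false
            # The plain string, not the SecureString object, is what Graph stores.
            Password = (ConvertTo-PlainText -Secure $SecPaswd)
        }
    }
    Update-MgUser -UserId $CSVAADUser.UserPrincipalName -BodyParameter $params
    Write-Host "Updated $($CSVAADUser.UserPrincipalName)"   # never echo the password
}
```

On PowerShell 7 alone, ConvertFrom-SecureString -AsPlainText does the same decryption as the helper.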
