Azure AD B2C: Update password from graph API for specific user

Shailesh Devadiga 41 Reputation points Microsoft Employee
2022-07-15T12:14:56.057+00:00

When calling the "UpdateAsync" API with a password profile, I get the exception below from the .NET SDK. Tried with
Graph SDK 4.50.0 preview.

Error message:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
AdditionalData:
date: 2022-07-15T11:57:45
request-id: ec92f840-1637-404d-be7c-15fe4e00c04d
client-request-id: ec92f840-1637-404d-be7c-15fe4e00c04d
ClientRequestId: ec92f840-1637-404d-be7c-15fe4e00c04d

Access provided to GraphClient: UserAuthenticationMethod.ReadWrite.All, User.ReadWrite.All, User.ReadWrite.All
Sample tested code:
    var user = new User
    {
        PasswordProfile = new PasswordProfile
        {
            ForceChangePasswordNextSignIn = false,
            Password = "********"
        }
    };

    await graphClient.Users[identifier]
        .Request()
        .UpdateAsync(user);

Do we have any API, or is one planned, to forcibly update a user's password without knowing the current password?
This will be in Azure AD B2C (with application-level access).
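A first thing to check when Graph returns Authorization_RequestDenied is what the access token actually carries: application permissions appear in the `roles` claim, delegated permissions in the space-separated `scp` claim, and a permission that was added in the app registration but never admin-consented will simply be absent. The helper below is an added example, not code from the question or from Microsoft; it decodes the token payload without verifying the signature (diagnostic use only) and reports which required permissions are missing. The tenant id and the signature in the sample token are constructed placeholders. Note that, as the accepted answer states, a B2C tenant can still refuse the password update even when the token carries the permission.

```python
import base64
import json

# Microsoft Graph accepts either its resource URI or its application id as `aud`.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWS serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned-in-practice token so the check runs offline.
    The signature segment is a dummy; never treat such a token as genuine."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    This tells you what the token claims, not whether the token is authentic."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(token: str) -> set:
    """Union of application permissions (`roles`) and delegated scopes (`scp`)."""
    claims = decode_payload(token)
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def missing_permissions(token: str, required: set) -> set:
    """Required permissions that the token does not carry."""
    return set(required) - granted_permissions(token)


def diagnose(token: str, required: set) -> str:
    """Human-readable verdict for a support ticket or a log line."""
    claims = decode_payload(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return "token is not issued for Microsoft Graph (aud=%r)" % claims.get("aud")
    missing = missing_permissions(token, required)
    if missing:
        return "missing permissions (check admin consent): " + ", ".join(sorted(missing))
    return "token carries all required permissions; denial must come from the tenant/resource"


# Constructed app-only token: placeholder tenant id, one application permission.
SAMPLE_APP_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["User.ReadWrite.All"],
})

if __name__ == "__main__":
    print(diagnose(SAMPLE_APP_TOKEN, {"User.ReadWrite.All", "Directory.AccessAsUser.All"}))
```

Run it against a real token (for example one obtained through ClientSecretCredential.GetTokenAsync) to confirm the `roles` claim contains the permission you think you granted; if it is present and Graph still answers Authorization_RequestDenied, the problem is not consent but what the tenant allows for that operation.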


Accepted answer
  1. CarlZhao-MSFT 39,181 Reputation points
    2022-07-18T09:13:46.367+00:00

    Hi @Shailesh Devadiga

    Azure AD B2C users authenticated using a user flow/custom policy do not support changing user passwords using the Graph API; you can only use password policies to change or reset user passwords.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Shailesh Devadiga 41 Reputation points Microsoft Employee
    2022-07-18T06:00:03.217+00:00

    Hi @CarlZhao-MSFT, I have tried the same to test it in B2C with delegated permissions and a user credential, but I could not update it as I am getting the below exception:

    Message: An error occurred sending the request.

    ---> Azure.Identity.AuthenticationFailedException: UsernamePasswordCredential authentication failed: Unsupported User Type 'Unknown'. Please see https://aka.ms/msal-net-up.
    See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot
    ---> MSAL.NetCore.4.44.0.0.MsalClientException:
    ErrorCode: unknown_user_type
    Microsoft.Identity.Client.MsalClientException: Unsupported User Type 'Unknown'. Please see https://aka.ms/msal-net-up.

    1 person found this answer helpful.

  2. CarlZhao-MSFT 39,181 Reputation points
    2022-07-15T15:53:40.753+00:00

    Hi @Shailesh Devadiga

    I noticed that the official documentation was just updated yesterday. In fact, before the documentation was updated, updating user passwords with application permissions was not supported. Although the documentation now lists application permissions for updating passwords, since it was just updated, I'm not sure whether this feature has been fully implemented yet.

    For now, I still recommend that you use the Directory.AccessAsUser.All delegated permission to update user passwords. By the way, you must have at least the User Administrator role to be able to change other users' passwords.

    Please refer to the complete code:

     using Microsoft.Graph;
     using Azure.Identity;

     namespace test1
     {
         class Program
         {
             static async System.Threading.Tasks.Task Main(string[] args)
             {
                 // Delegated permission: the call runs as the signed-in user,
                 // who must hold at least the User Administrator role.
                 var scopes = new[] { "Directory.AccessAsUser.All" };

                 // Multi-tenant apps can use "common",
                 // single-tenant apps must use the tenant ID from the Azure portal
                 var tenantId = "b2c tenant id";

                 // Value from app registration
                 var clientId = "b2c app client id";

                 // using Azure.Identity;
                 var options = new TokenCredentialOptions
                 {
                     AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
                 };

                 var userName = "b2c user name";
                 var password = "password";

                 // https://learn.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential
                 var userNamePasswordCredential = new UsernamePasswordCredential(
                     userName, password, tenantId, clientId, options);

                 var graphClient = new GraphServiceClient(userNamePasswordCredential, scopes);

                 // Only the passwordProfile is sent; other properties stay untouched.
                 var user = new User
                 {
                     PasswordProfile = new PasswordProfile
                     {
                         ForceChangePasswordNextSignIn = false,
                         Password = "xWwvJ]6NMw+bWH-d"
                     }
                 };

                 // PATCH /users/{id} with the new password profile
                 await graphClient.Users["user id"]
                     .Request()
                     .UpdateAsync(user);
             }
         }
     }
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  3. Shailesh Devadiga 41 Reputation points Microsoft Employee
    2022-07-18T04:41:15.433+00:00

    Hello @CarlZhao-MSFT, thanks for the input.

    We are currently creating the Graph client instance using a client secret:

        var clientSecretCredential = new ClientSecretCredential(tenantId, appID, clientSecret, options);

    We are calling this custom API from the B2C custom policy, so it may not be appropriate to use any specific user's credential to modify another user's credential; correct me if I am wrong.

    Is there any way, with application-level access, to modify another user's credential?

    1 person found this answer helpful.