[PowerShell/Microsoft.Graph] Reset User Password

Question

[PowerShell/Microsoft.Graph] Reset User Password

Kevin Nguyen 101

Hi, I'm trying to reset an user password with powershell using the Microsoft Graph Module.

I'm connecting to the graph with this cmd, with all the Certificate stuff :

Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $certThumbprint

Following this article https://mikecrowley.us/2022/03/24/resetting-azure-ad-user-passwords-with-microsoft-graph-powershell/, I tried to use the cmdlet : Reset-MgUserAuthenticationMethodPassword

Unfortunately the error is

From other questions, such as : resetting-a-users-password or how-to-update-the-password-of-user-in-azure-ad-using-graph-api, I should give the permission : Directory.AccessAsUser.All and use the cmdlet Update-MgUser but I still got an error :

Here are my permissions :

And here are the Permission/Scopes from the context :

![227675-screenshot-4.png ]7

Am I missing something ?

Thanks.

Accepted answer

0 additional answers

Your answer

Answer 1

Vasil Michev 119.5K MVP Volunteer Moderator

Directory.AccessAsUser.All is a delegate permission, it requires you to connect in the user context, whereas your Connect-MgGraph cmdlet uses CBA/application login. This is also the reason why you don't see the Directory.AccessAsUser.All scope listed in the output of Get-MgContext.

Application permissions are not supported for the password reset operation, as mentioned in the official documentation. So, connect in the user context, with an user that has sufficient permissions, and the query should work fine.

Kevin Nguyen 101 Reputation points

2022-08-03T15:19:37.1+00:00

I get the 1rst part but not the 2nd part.

In Azure AD roles, I'm in Users administrator and Global administrator roles. So I should have sufficent permissions to reset a password.

Since I'm connecting with the certificat configuration, how can I connect in the user context (User who will get password reset?)?

Is it related to this article : howto-add-app-roles-in-azure-ad-apps
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2022-08-03T15:41:49.48+00:00

The thing is, you're not connecting as a user, so your Azure AD roles do not matter. When you are providing a certificate to connect, you're connecting as an application (the one you provide the id for via the -ClientId $clientId parameter). Generally speaking, admin roles can be assigned in this scenario too, however for this specific operation, this will not work. As noted in the documentation article I linked to above, application permissions will not work here.

Connect via Connect-MgGraph (no parameters) and provide your userID/credentials, then run the cmdlet.
Kevin Nguyen 101 Reputation points

2022-08-03T17:23:56.7+00:00

Nice, it works fine now.

I use the app to avoid the credential form on browser which appear when using Connect-MgGraph without parameters.
Is there to avoid it ? Since there is no -Credential parameter for Connect-MgGraph
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2022-08-03T18:22:24.143+00:00

The module will cache the refresh token and reuse it on new sessions, so you can use Connect-MgGraph to connect directly next time you open it (no parameters and no prompt needed). At least until the token expires or you manually run Disconnect-MgGraph.

Share via

[PowerShell/Microsoft.Graph] Reset User Password

0 additional answers

Your answer