Resetting a user's password

I am trying to find a solution for resetting user's passwords (all users, not just the authenticated user) in Azure Active directory via a non-interactive login.

Right now it seems this is only available via powershell's MSOnline Set-AzureADUserPassword cmdlet using a Service Principal login.

I'd like to find a solution using an API endpoint so I can use C#. The closest solution I've found was the Microsoft Graph API, but after setting it up, I realized I can only reset the passwords via an interactive login and consent flow. It's not allowed via non-interactive login.

My next attempt is to use the Azure AD endpoint, but my concern is that I am seeing the same message that recommends we use the Microsoft Graph API. Does this mean the Azure AD endpoint will be going away?

Is there a recommended approach without using PowerShell?

TheWebGuy asked Sep 06 '17 14:09


1 Answer

You could update the user's passwordProfile property to reset the user's password:

PATCH https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
Content-type: application/json
Authorization: bearer TOKEN

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "XXXXXXXXX"
  }
}

As explained in the documentation:

When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.

Then you could use the Resource Owner flow, as the requirement is a non-interactive login. To enable the Directory.AccessAsUser.All delegated permission, you should:

  1. Add Microsoft Graph's "Access directory as the signed in user" permission in the Required permissions blade of your Azure AD app.

  2. That permission needs admin consent, so please click the Grant Permissions button with your admin account.

Then you could use the Resource Owner flow to acquire an access token for Microsoft Graph. The Directory.AccessAsUser.All permission allows an admin to change another user's password in your tenant.

Does this mean the Azure AD endpoint will be going away?

Currently, Microsoft Graph supports most of the directory features that Azure AD Graph supports, but not all. Please refer to "Gaps between Microsoft Graph and Azure AD Graph".

Nan Yu answered Nov 02 '22 03:11
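A C# client for the two HTTP calls the answer describes (token via the Resource Owner Password Credentials grant, then the PATCH on passwordProfile), added here as an example and not code from the question or the answer. It assumes .NET 6 or later, the v2.0 token endpoint with the `https://graph.microsoft.com/.default` scope, and placeholder tenant, app, account and `ADMIN_PASSWORD` values that you replace with your own:

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: the two requests from the answer as a small .NET 6+ console app.
// Tenant id, app id, account names and ADMIN_PASSWORD are placeholders (assumptions).
public static class GraphPasswordReset
{
    private static readonly HttpClient Http = new HttpClient();

    // Step 1: delegated token for the admin account via the ROPC grant on the
    // v2.0 token endpoint. Directory.AccessAsUser.All must already be
    // admin-consented on the app, as the answer explains.
    public static async Task<string> AcquireTokenAsync(
        string tenantId, string clientId, string adminUpn, string adminPassword)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = clientId,
            ["scope"] = "https://graph.microsoft.com/.default",
            ["username"] = adminUpn,
            ["password"] = adminPassword,
        };
        using var response = await Http.PostAsync(
            $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            new FormUrlEncodedContent(form));
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException($"token endpoint returned {(int)response.StatusCode}: {body}");
        using JsonDocument doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString()
               ?? throw new InvalidOperationException("no access_token in token response");
    }

    // Step 2: the PATCH from the answer. Graph replies 204 No Content on success.
    public static async Task ResetPasswordAsync(
        string accessToken, string userIdOrUpn, string newPassword, bool forceChangeNextSignIn)
    {
        string payload = JsonSerializer.Serialize(new
        {
            passwordProfile = new
            {
                forceChangePasswordNextSignIn = forceChangeNextSignIn,
                password = newPassword,
            },
        });
        using var request = new HttpRequestMessage(
            new HttpMethod("PATCH"),
            $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(userIdOrUpn)}")
        {
            Content = new StringContent(payload, Encoding.UTF8, "application/json"),
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await Http.SendAsync(request);
        if (response.StatusCode != HttpStatusCode.NoContent)
        {
            string error = await response.Content.ReadAsStringAsync();
            throw new HttpRequestException($"Graph returned {(int)response.StatusCode}: {error}");
        }
    }

    // Temporary password from a CSPRNG with at least one character from each
    // class, so it satisfies the usual three-of-four complexity rule.
    public static string GenerateTemporaryPassword(int length = 16)
    {
        string[] classes = { "ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnpqrstuvwxyz", "23456789", "!@#$%^&*-_=+" };
        string all = string.Concat(classes);
        var chars = new List<char>();
        foreach (string cls in classes)
            chars.Add(cls[RandomNumberGenerator.GetInt32(cls.Length)]);
        while (chars.Count < length)
            chars.Add(all[RandomNumberGenerator.GetInt32(all.Length)]);
        for (int i = chars.Count - 1; i > 0; i--) // Fisher-Yates shuffle
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }
        return new string(chars.ToArray());
    }

    public static async Task Main()
    {
        string adminPassword = Environment.GetEnvironmentVariable("ADMIN_PASSWORD")
                               ?? throw new InvalidOperationException("set ADMIN_PASSWORD");
        string token = await AcquireTokenAsync(
            "<tenant-id>", "<app-client-id>", "admin@contoso.example", adminPassword);
        string temp = GenerateTemporaryPassword();
        // true here: the user must replace the temporary password at first sign-in,
        // so the helpdesk never holds a long-lived credential for the account.
        await ResetPasswordAsync(token, "user@contoso.example", temp, forceChangeNextSignIn: true);
        Console.WriteLine($"Temporary password set for user@contoso.example: {temp}");
    }
}
```

Two design points worth keeping in mind with this approach. The ROPC grant sends the admin account's real password to the token endpoint, so that credential has to live in a secret store rather than in source or config, and the grant does not work for accounts protected by MFA or Conditional Access. The example also sets forceChangePasswordNextSignIn to true, unlike the answer's false, because an admin-initiated reset normally issues a one-time temporary password; keep the false value only when the user is meant to keep the password you set.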