Change Azure AD B2C User Password with Graph API

Question

I'm trying to use the Sample Graph API app to change a user's password but I'm getting:

Error Calling the Graph API Response:

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

Graph API Request:

PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM

JSON File

{
    "passwordProfile": {
        "password": "Somepassword1$",
        "forceChangePasswordNextLogin": false
    }
}

I've tested updating the user's displayName and that works fine.

{
    "displayName": "Joe Consumer"
}

AD Application Permissions

I've configured my app permissions as described here.

Can you please post a correlation ID + timestamp from this error? — Daniel Dobalian, Aug 08 '17 at 23:36
where is the correlation id? https://stackoverflow.com/questions/45593823/wheres-the-correlation-id-in-the-graph-api-response — spottedmahn, Aug 09 '17 at 14:41
How did you authorize the graph api reques? i mean how did you get bearer token ? — Venkata Dorisala, Oct 19 '17 at 21:28
I didn't. It doesn't work that way. It uses a `secret`. See `` from [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). You might want to open another question... — spottedmahn, Oct 19 '17 at 22:47

score 12 · Accepted Answer · edited Oct 24 '17 at 20:08

Check out this article. Seems like it has the same symptoms.

Solution 1:

If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.

Go to Azure Management Portal and click Active Directory.
Select your custom AD directory.
Click Applications and select your Application.
Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
Finally save the changes.

Solution 2:

If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.

Find the service principal using Get-MsolServicePrincipal –AppPrincipalId
```
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
```

Use Add-MsolRoleMember to add it to Company Administrator role

$clientIdApp = 'your-app-id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.

thanks @Parakh! I'm thinking solution 1 is for the old portal. Please confirm. I'm not seeing those options in portal.azure.com — spottedmahn, Aug 16 '17 at 15:30
nvm, I've confirmed, that's for the old portal. I've already granted 'read and write directory data' as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#configure-create-read-and-update-permissions-for-your-application — spottedmahn, Aug 16 '17 at 15:36
One important thing! To be able to to see the correct directory you need to create __local__ Azure B2C Administrator (for example admin@[tenant].onmicrosoft.com) and log-in with ```Connect-MsolService``` and his credential with AzureAD PowerShell, otherwise you wouldn't be able to get the Application with the ```Get-MsolServicePrincipal``` because of different directory. See _Important_ section in [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#configure-delete-permissions-for-your-application). — Anton Kalcik, May 29 '18 at 10:50

Karthikeyan VK · Answer 2 · 2017-08-31T13:03:28.010

0

Try below settings, works for me.

Used the below JSON

 {
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "kart.kala1@test.com"
    }
  ],
  "creationType": "LocalAccount",
  "displayName": "Joe Consumer",
  "mailNickname": "joec",
  "passwordProfile": {
    "password": "P@$$word!",
    "forceChangePasswordNextLogin": false
  },
  "passwordPolicies": "DisablePasswordExpiration",
  "givenName": "Joe",
}

Also make sure you assign the application the user account, administrator role which will allow it to delete users link here

edited Aug 31 '17 at 13:03

answered Aug 30 '17 at 14:56

Karthikeyan VK

5,310
3
37
50

are you sure you can change a password w/ those settings? did you try and update user with the json above? – spottedmahn Aug 30 '17 at 16:53
check the json in the answer – Karthikeyan VK Aug 31 '17 at 06:58

Change Azure AD B2C User Password with Graph API

2 Answers2

Linked