
I am not able to change the password of the logged-in Azure AD B2C user. I have an Azure B2C tenant which is used for dev and QA. Also, I have two applications, something-Local and something-QA, used for DEV and QA respectively in Azure B2C, as shown below, and I have verified the settings of both apps; they are the same. Below are the configurations of the applications. Here is my code which is used for the B2C connection:

    private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            // For each policy, give OWIN the policy-specific metadata address, and
            // set the authentication type to the id of the policy
            // meta data
            MetadataAddress = "https://login.microsoftonline.com/" + "mytenant" + "/v2.0/.well-known/openid-configuration?p=" + policy,
            AuthenticationType = policy,

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = AzureAdConfig.ClientId,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = OnSecurityTokenValidated,
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
            },
            Scope = "openid",
            ResponseType = "id_token",

            // This piece is optional - it is used for displaying the user's name in the navigation bar.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
            }
        };
    }

In the above code, the ClientId used for QA and Dev is different. Below is the code used to change the user password using the Graph API.

    public async Task<HttpResponseMessage> ChangePassword(string currentPassword, string newPassword)
    {
        // Resolve the signed-in user's UPN from the object id carried in the id_token claims.
        string userId = ClaimValues.ObjectIdentifier();
        var userPage = await _activeDirectoryClient.Users
            .Where(u => u.ObjectId.Equals(userId))
            .ExecuteAsync();                       // await instead of .Result to avoid blocking the request thread
        var adUser = userPage.CurrentPage.FirstOrDefault();
        if (adUser == null)
        {
            return new HttpResponseMessage(System.Net.HttpStatusCode.NotFound);
        }
        string upn = adUser.UserPrincipalName;

        using (var client = new HttpClient())
        {
            // Step 1: resource owner password credentials grant against the tenant's token endpoint.
            // FormUrlEncodedContent escapes every value, so a password containing '&', '=' or '%' is sent intact.
            var tokenUri = new Uri("https://login.microsoftonline.com/" + AzureAdConfig.Tenant + "/oauth2/token");
            var tokenRequest = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "resource", "https://graph.windows.net" },
                { "client_id", AzureAdConfig.AppId },
                { "grant_type", "password" },
                { "username", upn },
                { "password", currentPassword },
                { "client_secret", AzureAdConfig.AppKey },
            });
            var tokenResult = await client.PostAsync(tokenUri, tokenRequest);
            if (!tokenResult.IsSuccessStatusCode)
            {
                return tokenResult;
            }

            var stringResult = await tokenResult.Content.ReadAsStringAsync();
            GraphApiTokenResult objectResult = JsonConvert.DeserializeObject<GraphApiTokenResult>(stringResult);

            // Step 2: call the Azure AD Graph changePassword action as the signed-in user.
            var graphUri = new Uri(AzureAdConfig.GraphResourceId + AzureAdConfig.Tenant + "/me/changePassword?" + AzureAdConfig.GraphVersion);
            client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", objectResult.access_token);
            string requestString = JsonConvert.SerializeObject(new
            {
                currentPassword = currentPassword,
                newPassword = newPassword
            });
            return await client.PostAsync(graphUri, new StringContent(requestString, Encoding.UTF8, "application/json"));
        }
    }

Also, I wanted to understand: what is the difference between Application Registrations in the Azure Active Directory service of Azure and Applications in Azure AD B2C?

Thanks in advance

Jagadish KM

1 Answer


To change a user's password by using the Azure AD Graph API, first you should be a global administrator in your tenant, and then you could use PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version and then update.

    {
      "passwordProfile": {
        "password": "value",
        "forceChangePasswordNextLogin": false
      }
    }

Also, I wanted to understand: what is the difference between Application Registrations in the Azure Active Directory service of Azure and Applications in Azure AD B2C?

You can learn about this from the difference between an Azure AD tenant and an Azure AD B2C tenant from here.

Hope it can help you.

SunnySun
  • I know the password can be changed using an [admin account](https://stackoverflow.com/questions/45577620/change-azure-ad-b2c-user-password-with-graph-api). I was trying to do it [this](https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/functions-and-actions#changePassword) way, but I have two applications registered in Azure AD B2C (not regular AD) => Applications. If I use the client id and secret of these apps it works for both apps only in my local, but out of the 2 apps only one application works from the deployed (as an app service in Azure) version. Am I missing some configuration for the deployed version? – Jagadish KM Aug 08 '18 at 03:17
  • I'm confused about what you mentioned. As I know, the Azure AD Graph Explorer can only be logged in with user credentials; it cannot be used by the applications. And by using the [way](https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/functions-and-actions#changePassword) you used, the target user must be the signed-in user, which means you can only change the password of the user you are logged in as. – SunnySun Aug 08 '18 at 09:50
  • And if you use PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version, you are required to be an administrator in the Azure AD B2C tenant. However, if you use POST https://graph.windows.net/me/changePassword?api-version, it does not require an administrator. – SunnySun Aug 08 '18 at 09:55
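The two Azure AD Graph password-change paths discussed on this page (the self-service POST /me/changePassword that the question's code uses, and the administrator PATCH with a passwordProfile from the answer), as an added example that is not part of the question or the answer. It builds the requests offline without sending anything and shows why the hand-concatenated token request body in the question breaks on a password containing '&' or '='; the api-version value, tenant, ids and credentials are constructed placeholders.

```python
import json
from urllib.parse import urlencode, parse_qs

GRAPH_BASE = "https://graph.windows.net/"
API_VERSION = "api-version=1.6"  # assumed value; the page leaves the version unspecified


def naive_token_body(app_id, app_key, upn, password):
    """Form body built by string concatenation, as in the question: nothing is escaped."""
    return ("resource=https%3a%2f%2fgraph.windows.net&client_id=" + app_id
            + "&grant_type=password&username=" + upn + "&password=" + password
            + "&client_secret=" + app_key)


def encoded_token_body(app_id, app_key, upn, password):
    """Same resource-owner-password-credentials request, properly form-encoded."""
    return urlencode({"resource": "https://graph.windows.net", "client_id": app_id,
                      "grant_type": "password", "username": upn,
                      "password": password, "client_secret": app_key})


def form_fields(body):
    """Decode a form body the way the token endpoint will: one value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def graph_headers(access_token):
    return {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}


def self_service_change_request(tenant, access_token, current_password, new_password):
    """POST /me/changePassword: runs as the signed-in user, no directory role needed."""
    return {"method": "POST",
            "url": GRAPH_BASE + tenant + "/me/changePassword?" + API_VERSION,
            "headers": graph_headers(access_token),
            "body": json.dumps({"currentPassword": current_password,
                                "newPassword": new_password})}


def admin_reset_request(user_id, access_token, new_password, force_change=False):
    """PATCH users/{user_id} with a passwordProfile: the answer's path, needs an admin token."""
    return {"method": "PATCH",
            "url": GRAPH_BASE + "myorganization/users/" + user_id + "?" + API_VERSION,
            "headers": graph_headers(access_token),
            "body": json.dumps({"passwordProfile": {
                "password": new_password, "forceChangePasswordNextLogin": force_change}})}
```

Decoding the naive body with form_fields shows the password field truncated at the first '&', which is what the token endpoint would see.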