Change Password Azure AD B2C

Question

I have been able to create Azure Functions App to manage Azure B2C Users. I can create new users, and update profiles flawlessly using the client_credentials Flow. However, when I change the password using a PATCH request with body:

{
  passwordProfile: {
     password: 'password-value',
     forceChangePasswordNextSignIn: false
     },
  passwordPolicies: "DisablePasswordExpiration"
}

I get this error:

 {code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.'}

I have done some research on this, and figured out that updating password requires Delegated Permission "Directory.AccessAsUser.All". From the Front End Application, I am signing in using the B2CLogin Flow, therefore the access token is not compatible with Graph API. Also, "Directory.AccessAsUser.All" does not exist at the Application level in the B2C application. Therefore, I cant use the Patch Request with the client_credentials Flow as well. According to some suggestions, the process can be done by Azure AD PowerShell by assigning "Company Administrator" Role. But, I have not found a solution to reset password through the Azure Function. A step-by-step solution(if it exists) would be really helpful for me as I am relatively new to Azure Services.

Answer 1

The easiest way is to assign the Global Admin role to the service principal on Azure portal.

Go to Azure Portal - Azure Active Directory - Roles and administrators.

Search for "Global admin" and select it.

Click on +Add assignments. And then search for your service principal.

Please note that "Applications are allowed for active assignments only.".

So after clicking on "Next>", select "Active" for the Assignment type.

After the assignment is finished, you are able to update the password using client_credentials flow.

Add-AzureADDirectoryRoleMember which is mentioned by @Jas Suri can also do the same thing.