I was able to reset the password for non-administrator users, but not for users with administrator directory roles.

I tried it as documented: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#ResetUserPassword

Response: Code: Authorization_RequestDenied; Message: Insufficient privileges to complete the operation.

I configured the application in AzureAD with all application and delegated permissions (Read and Write Directory Data, etc).

I googled and found one related post saying the permission scopes were changed recently: http://blogs.msdn.com/b/aadgraphteam/archive/2015/10/06/new-graph-api-consent-permissions.aspx

1 Answer

We had the same problem as Kyle. Password reset via Graph API suddenly stopped working for all users. Finally we got it to work with some help from Microsoft support.

There was a recent update to fix a security hole: https://support.microsoft.com/en-us/kb/3004133

Currently the only way to add the application to the admin role needed is through PowerShell…
You will also need to follow the directions here to install the Azure AD cmdlet: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule

We also got a slightly different example than shown in the KB that looked like this:

$tenant = "<Tenant Name>"            # e.g. contoso.onmicrosoft.com
$tenantGuid = "<Guid for Tenant>"
$appID = "<Application ID>"          # the application's client ID, not its object ID

# Tenant admin credentials. The password is kept in plain text here only to match the
# original example; Get-Credential avoids leaving it in the script.
$userVal = "<username>@" + $tenant
$pass = "<password>"
$Creds = New-Object System.Management.Automation.PSCredential($userVal, (ConvertTo-SecureString $pass -AsPlainText -Force))

Import-Module MSOnline
Connect-MsolService -Credential $Creds

# Look up the service principal that Azure AD created for the application
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantId $tenantGuid

# Object ID of the service principal (this, not $appID, is what the role membership needs)
$objectId = $msSP.ObjectId

# "Company Administrator" is the Global Administrator role, so this grants the app full tenant rights
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

And now finally it's working with no need to rewrite our application :-)
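The same role grant as an added example, not code from the answer above or from Microsoft's KB article: it prompts for credentials instead of embedding a password, checks whether the service principal already holds the role before adding it, and then lists every service principal that is a member of the role, since any application in "Company Administrator" can reset any user's password, administrators included. It assumes the MSOnline module is installed; `<Application ID>` is a placeholder.

```powershell
# Added example (not from the original answer or Microsoft's KB): idempotent version of the
# role grant, followed by a review of every service principal that holds the role.
# Assumes the MSOnline module is installed; <Application ID> is a placeholder.
Import-Module MSOnline

$appId = "<Application ID>"
$roleName = "Company Administrator"   # Global Administrator role

# Prompt for the tenant admin credentials rather than storing a password in the script
Connect-MsolService -Credential (Get-Credential)

$sp = Get-MsolServicePrincipal -AppPrincipalId $appId -ErrorAction SilentlyContinue
if (-not $sp) { throw "No service principal found for application $appId" }

$role = Get-MsolRole -RoleName $roleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

if ($members | Where-Object { $_.ObjectId -eq $sp.ObjectId }) {
    Write-Host "$($sp.DisplayName) is already a member of $roleName"
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) to $roleName"
}

# Review: every application listed here can reset any user's password, including
# administrators, so the list should be short and every entry intentional.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "ServicePrincipal" } |
    Select-Object DisplayName, ObjectId
```

Run it once as a tenant administrator; re-running is harmless because the membership check skips the add. If the application only needs to reset passwords of non-administrator users, a less privileged directory role is worth trying first, and the final listing is what you want to audit periodically regardless.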