2 votes

We are using Azure AD B2C and I'm trying to implement the changePassword function for signed-in users. We have followed this tutorial https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, and we have succeeded in making it work. But we want signed-in users to have the possibility to change their existing password (directly in the applications). We found this method (https://msdn.microsoft.com/fr-fr/library/azure/ad/graph/api/functions-and-actions#changePassword) but we failed to make it work...

What is the standard workflow for using the AD Graph API in AD B2C with signed-in users? I have an application linked to a B2C tenant. I have created both Android and iOS apps and I am able to connect and get tokens thanks to the sign-up or sign-in policy, so this point is OK... In parallel I have created a service app in order to use the AD Graph API (thanks to the first link above). We have succeeded in testing some operations like getting the list of users, finding a specific user, changing some... But now I want to use the method "changePassword" for the connected users (second link) and I have failed using it. I don't know which access token to provide; both tests (using the token from the app service credentials or using the access token received thanks to the sign-in policy) have failed.

Other question: is it normal that the app service I have created with PowerShell is not visible in the Azure Portal?

Thanks ;)


1 Answer

2 votes

Other question: is it normal that the app service I have created with PowerShell is not visible in the Azure Portal?

We can locate the service principal created by PowerShell by searching for its appPrincipalId, like below:

[screenshot]

Update

To call the changePassword REST API of Azure AD Graph, we need to provide a delegated access token. In this scenario, we can use the resource owner password credentials flow, which requires the user's username and password for the authentication. To use this flow we can register the service principal like below:

$app = New-AzureRmADApplication -DisplayName "appPS2" -HomePage "https://adb2cfei.onmicrosoft.com/appPS2" -IdentifierUris "https://adb2cfei.onmicrosoft.com/appPS2" -Password "123"

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Then we need to log in to the Azure classic portal to grant the delegated permission Directory.AccessAsUser.All, as in the figure below:

[screenshot]

Here is the code to acquire the token using the resource owner password credentials flow:

POST: https://login.microsoftonline.com/adb2cfei.onmicrosoft.com/oauth2/token

resource=https%3a%2f%2fgraph.windows.net&client_id={ $app.ApplicationId}&grant_type=password&username=fx%40adb2cfei.onmicrosoft.com&password={currentPassword}&client_secret=123

Then we can use this token to change the password of the signed-in user like below:

POST: https://graph.windows.net/adb2cfei.onmicrosoft.com/me/changePassword?api-version=1.6

Authorization: Bearer {access_token}
Content-Type: application/json

{
  "currentPassword": "{currentPassword}",
  "newPassword": "{newPassword}"
}
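The flow above as one PowerShell script, added here as an example; it is not code from the original answer. It assumes the tenant and user names used in the answer, a placeholder application id standing in for $app.ApplicationId, and that the delegated Directory.AccessAsUser.All permission has already been granted to that application. The client secret and the user's passwords are prompted for as SecureStrings rather than pasted inline, and the token request uses a hashtable body so Invoke-RestMethod does the form-encoding (the %40 in the answer's username) for us. Azure AD Graph and the classic portal have since been deprecated in favour of Microsoft Graph; the script mirrors the flow exactly as the answer gives it.

```powershell
# Added example (not from the original answer): ROPC token for https://graph.windows.net,
# then POST /me/changePassword with that delegated token.
# Assumptions: tenant and user from the answer; $ClientId is a placeholder for
# $app.ApplicationId; the app has the delegated Directory.AccessAsUser.All permission.
param(
    [string]$Tenant   = 'adb2cfei.onmicrosoft.com',
    [string]$ClientId = '00000000-0000-0000-0000-000000000000',
    [string]$User     = 'fx@adb2cfei.onmicrosoft.com'
)

# Prompt for secrets instead of hard-coding them. The answer's "123" is only a
# placeholder; a real client secret must be long and random.
$clientSecret    = Read-Host -Prompt 'Client secret'    -AsSecureString
$currentPassword = Read-Host -Prompt 'Current password' -AsSecureString
$newPassword     = Read-Host -Prompt 'New password'     -AsSecureString

function ConvertTo-PlainText([SecureString]$Secure) {
    # Decrypt only while the request body is being built, then free the unmanaged copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Step 1: resource owner password credentials grant at the v1 token endpoint.
# ROPC means this client handles the user's plaintext password, which is why it is
# acceptable only in a first-party application. An app-only (client_credentials)
# token, as used in the Graph quickstart, has no signed-in user and cannot address /me.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        resource      = 'https://graph.windows.net'
        client_id     = $ClientId
        client_secret = (ConvertTo-PlainText $clientSecret)
        grant_type    = 'password'
        username      = $User
        password      = (ConvertTo-PlainText $currentPassword)
    }

# Step 2: /me resolves to the user the delegated token was issued for.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$body = @{
    currentPassword = (ConvertTo-PlainText $currentPassword)
    newPassword     = (ConvertTo-PlainText $newPassword)
} | ConvertTo-Json

try {
    Invoke-RestMethod -Method Post `
        -Uri "https://graph.windows.net/$Tenant/me/changePassword?api-version=1.6" `
        -Headers $headers -ContentType 'application/json' -Body $body | Out-Null
    Write-Host "Password changed for $User."
}
catch {
    # Graph reports failures (wrong current password, password policy violation,
    # missing delegated permission) as a non-2xx status with an odata.error body,
    # which Invoke-RestMethod surfaces as a terminating error.
    $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
    Write-Error "changePassword failed: $detail"
}
```

Run it as `.\Change-B2CPassword.ps1 -ClientId <your app id>` and answer the three prompts. Because the script is the one that receives the user's current password, never log the request body or the token response, and keep the client secret out of source control; the token obtained this way carries Directory.AccessAsUser.All, so treat it with the same care as the user's own credentials.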