How To Reset Password Of Office 365 Azure AD User Using Graph API?

2
votes

Graph API - We are trying to reset password of office 365 azure ad user, for that it acquires access token from azure ad using client credentials grant flow, in a daemon app\service, but unable to reset password of user. It responds "Insufficient privileges to complete the operation", I have given the following permission to applications.

1)User.ReadWrite.All - Read and write all users full profiles (Application + delegated permission) 2)Directory.AccessAsUser.All - Access directory as the signed-in user (Delegated permission)

My O365 application is "multitenant Web Api" app which has been given an admin consent. The main purpose of my app is to sync users from my Web Application (User details etc.) to Azure AD. My application is able to sync all user profile details except the password.

Can a Daemon service application which has be authorized by the tenant administrator, reset the password of the users in the organization?

Thanks

2
javaoffice365microsoft-graph-apiazure-ad-graph-api

2 Answers

0
votes

Currently Microsoft Graph (and AzureAD Graph) do not expose any application-only permissions (that could be used by a daemon app) to reset user passwords. This is a particularly privileged operation that can easily be abused. We do support this operation, in an interactive delegated flow, using Directory.AccessAsUser.All, as long as the signed in user is an administrator.

If you need an application permission to reset passwords please request this on UserVoice: https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/category/101632-microsoft-graph-o365-rest-apis

Hope this helps,

0
votes

I had the same problem, it took 15 days to find a solution. Although the permissions are provided from the application it is not possible to reset the password of a user. For this, a role of "Company Administrator" must be provided

I followed the next steps and it worked:

  1. Run windows powershell as administrator

Write the next PowerShell cmdlets

  • Install-Module AzureAD
  • Connect-AzureAD
  • $ app = Get-AzureADServicePrincipal -SearchString "AppName"
  • $ role = Get-AzureADDirectoryRole | Where-Object {$ _. DisplayName -eq "Company Administrator"}
  • Add-AzureADDirectoryRoleMember -ObjectId $ role.ObjectId -RefObjectId $ app.ObjectId

Note: Change "AppName" by the name of your application in AD. Connect to AzureAD with the user who has GlobalAdministrator permissions.