2
votes

I am trying to use Azure PowerShell (the Az PowerShell module) inside a Docker container to create/modify Office 365 related configurations, including user profiles.

I am trying to change a user's password using a service principal. I got the following error while using Update-AzADUser. However, I could create the user and modify the display name. I was having issues only with changing the password or removing the user.

PS /> Update-AzADUser -ObjectId xyz358c2... -Password $password
Update-AzADUser : Insufficient privileges to complete the operation.
At line:1 char:1
+ Update-AzADUser -ObjectId xyz358c2... -Passw ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-AzADUser], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand

On the service principal, I have granted all available application permissions and delegated permissions on Microsoft Graph API and Windows Azure Active Directory.

I can't find any of the AD roles that are listed at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles to assign to the service principal. Please see the screenshots at the links below.

Permissions

Roles

1
Yeah.. Those are highly privileged operations. To allow those for the principal, you might need to assign a directory role to the service principal using PowerShell. You can see the list of available roles here: docs.microsoft.com/en-us/azure/active-directory/…. - juunas
Thanks a lot for the reply! I have gone through a similar comment in another Stack Overflow thread. I have got a Mac machine. How can I add a directory role using PowerShell Core or Azure PowerShell? - Sreedhar
I think the suggestion from @juunas is a good one (as usual, I may add).. To answer your question about how to add a directory role for a service principal using PowerShell.. you can use a combination of Add-AzureADDirectoryRoleMember and Get-AzureADServicePrincipal .. In terms of directory role, something like Helpdesk administrator should do at least for resetting passwords for non-admin users.. you can choose a more privileged directory role than that if need be, based on your requirements.. - Rohit Saigal
@Sreedhar Also know that there can be scenarios where the RoleTemplate isn't already enabled.. so it will be a bit of scripting.. I'll try to see if I can test something quick and add an answer.. - Rohit Saigal
Thanks a lot Rohit and Juunas. AzureAD is Windows specific. I was wondering how you do it on a Mac. Anyway, I am trying to run those commands by finding a Windows machine. I will keep you posted. - Sreedhar

1 Answer

1
votes

As discussed in comments, you should try to assign an appropriate directory role to the service principal you are using, so that it can get sufficient privileges.

Here is a quick script to do that. Change the service principal name and roleName as per your requirements.

# Requires the AzureAD module and an authenticated session with rights to manage directory roles
Connect-AzureAD

# Get the object id of the service principal
$svcPrincipalId = (Get-AzureADServicePrincipal -SearchString "your service principal name").ObjectId

# I am using Helpdesk administrator here, but feel free to change this name as per your requirement.
# You can get a complete list of role templates using Get-AzureADDirectoryRoleTemplate.
# The Helpdesk administrator role can reset passwords for non-administrators.
$roleName = 'Helpdesk administrator'

# Fetch the activated instance of the role (comparison is case-insensitive in PowerShell)
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq $roleName}

# If the role instance does not exist yet, activate it from its role template
if ($null -eq $role) {

    # Activate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq $roleName}
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

    # Fetch the role instance again now that it is activated
    $role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq $roleName}
}

# Add the service principal to the role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $svcPrincipalId
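An added example (not part of the answer above) that verifies the assignment took effect and then audits which service principals hold any directory role, since a service principal with a password-reset role is a standing privilege worth reviewing. It assumes an authenticated AzureAD session and uses the same module as the answer; the list of roles treated as highly privileged is an assumption to adjust to your tenant.

```powershell
# Assumes Connect-AzureAD has already been run with rights to read directory roles and members.

# Roles to flag in the audit output; adjust to your own policy (assumption, not a Microsoft list).
$highlyPrivileged = @('Global Administrator', 'Privileged Role Administrator',
                      'User Administrator', 'Helpdesk Administrator')

function Get-ServicePrincipalDirectoryRoles {
    # Enumerate every activated directory role and emit one row per service principal member.
    foreach ($role in Get-AzureADDirectoryRole) {
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Where-Object { $_.ObjectType -eq 'ServicePrincipal' } |
            ForEach-Object {
                [pscustomobject]@{
                    RoleName         = $role.DisplayName
                    RoleObjectId     = $role.ObjectId
                    ServicePrincipal = $_.DisplayName
                    SpObjectId       = $_.ObjectId
                    AppId            = $_.AppId
                    HighlyPrivileged = ($highlyPrivileged -contains $role.DisplayName)
                }
            }
    }
}

# 1) Confirm the principal from the answer now holds the intended role.
$spName   = 'your service principal name'   # placeholder, same as in the answer
$roleName = 'Helpdesk administrator'         # -eq is case-insensitive, so this matches the display name
$assigned = Get-ServicePrincipalDirectoryRoles |
    Where-Object { $_.ServicePrincipal -eq $spName -and $_.RoleName -eq $roleName }
if ($assigned) { "OK: '$spName' is a member of '$roleName'" }
else           { "MISSING: '$spName' is not a member of '$roleName'" }

# 2) Tenant-wide view: every service principal holding a directory role, flagged ones first.
Get-ServicePrincipalDirectoryRoles |
    Sort-Object HighlyPrivileged, RoleName -Descending |
    Format-Table RoleName, ServicePrincipal, AppId, HighlyPrivileged -AutoSize
```

The second listing is the one to keep under change control: any service principal that appears there can act without a human signing in, so each entry should map to a known automation and the least privileged role that still covers its task.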