We need to assign the 'User Administrator' role to an already existing service principal to allow updating the password on the users of the b2c tenant.
Using the MSOnline module as described in B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled seems to be outdated and doesn't work for us (In powershell core / cloud powershell we only get errors about missing files or assemblies)
Is there a some new way to do that?
What we tried to do is to connect to azure using the right subscription and the b2c tenant set (it complains that the b2c tenant does not have a subscription but one can override that with a cmdline switch: az login --tenant B2C-TENANT-ID --allow-no-subscriptions).
We can see the service principal that is in the b2c tenant and we can get a list of roles (az role definition list --subscription SUBSCRIPTION-ID). But the 'User Administrator' role you can see in the 'Roles and administrators' panel of the Active Directory blade is not a part of these roles. The roles that are printed out are only the roles that are defined in the subscription itself.
Trying to assign the 'User Administrator' role (az role assignment create) yields an error that the role doesnt exist.
az rolerefers to Azure RBAC roles. You need to assign an Azure AD directory role. You could try using the AzureAD PowerShell module. – juunas