This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 24%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
Hi
I am trying to use one of your APIs to reset user's passwords from our app using the Graph API under Azure AD B2C
So far, I have a majority of the user flows working:
But the one thing I cannot get to work is changing their password. We have our own flows to verify the user, so our API is really just trying to set their password.
We are using this beta API to try and accomplish it because it didn't seem like there was a better API to use: https://learn.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword?view=graph-rest-beta&tabs=http
For some context, we are using Node.js and the following code is how we're authenticating to the Graph API. Again, this works for everything but password reset.
const getClientCredentials = oauth.client(axios.create(), {
url: `https://login.microsoftonline.com/${process.env.AAD_TENANT_ID}/oauth2/v2.0/token`,
grant_type: 'client_credentials',
client_id: process.env.AADU_CLIENT_ID,
client_secret: process.env.AADU_CLIENT_SECRET,
scope: TOKEN_SCOPE
});
const instance = axios.create();
instance.interceptors.request.use(
oauth.interceptor(tokenProvider, getClientCredentials)
);
This is what we're doing to reset a user's password (this.id being the User's ID in Azure)
First, we fetch their authentication methods to find their password authentication method.
const response = await instance.request({
baseURL: API_URI,
url: `/beta/users/${this.id}/authentication/methods`,
method: 'get'
});
return response.data.value; //Returns an array which we get the ID from
return instance.request({
baseURL: API_URI,
url: `/beta/users/${this.id}/authentication/passwordMethods/${authID}/resetPassword`,
method: 'post',
data: {
newPassword
}
});
But this is the error we get from the API, which comes back as JSON in a string:
{\"error\":{\"code\":\"BadRequest\",\"message\":\"Upn from claims with value null is not a valid upn.\",\"innerError\":{\"request-id\":\"4668534c-c4b0-4c4a-b979-c39662c1f7dd\",\"date\":\"2021-01-25T14:38:40.7851202Z\"}}}
My head has been spinning on this for days and from my research, nothing is standing out. Any insight anyone might have would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 32%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
@Liam Barry : Any reason to use Client credential flow? Please see the response from https://learn.microsoft.com/en-us/answers/questions/9942/index.html and hope this will help.
Hi @Liam Barry · Thank you for reaching out.
The problem here is with the authentication flow that you are using. The client_credentials authentication flow is used to acquire Access Token under application context and there is no user context involved. Since the resetPassword operation is needed to be performed under user context, you need to use one of the authentication flows which are used to acquire the Access Token under user context, e.g.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for your reply @AmanpreetSingh-MSFT !
Is it possible at all for the application context to change the password for a user? Is there another API we could use for that?
Thanks!
Hi @Liam Barry · This operation is not possible with Application Context as documented here:
Thanks again @AmanpreetSingh-MSFT !
I have created a user with (hopefully) the correct priviliges. I am creating their oauth 2.0 token using .../oauth2/v2.0/token, and calling the API as before:
const creds = await Azure.Authenticate(AD_ADMIN, AD_ADMIN_PW); //works fine!
return axios.request({
baseURL: API_URI,
url: `/beta/users/${this.id}/authentication/passwordMethods/${authID}/resetPassword`,
method: 'post',
headers: {
Authorization: `Bearer ${creds.access_token}`
},
data: {
newPassword
}
});
I am getting this response:
Invalid x5t claim.
These docs indicate that x5t is a legacy claim and is only available in the 1.0 token. Do you see any issues with what I am doing?
Thanks!
Hi @Liam Barry · Thank you for sharing the fiddler capture. Looking at the fiddler trace, I found that you are trying to perform password reset via Graph API in B2C tenant. Unfortunately, B2C tenant doesn't support this method to reset the password as there is no UserAuthenticationMethod.ReadWrite.all permission included in Graph API for B2C tenant. The only delegated permissions available in B2C tenant are offline_access and openID.
The methods available to reset the password in B2C tenant are either admin performing password reset via Azure Portal or by using Password Reset Policy.
Password Reset via Graph API is only supported in Standard Azure AD tenants as of now. You can post an idea at our Feedback Portal regarding this feature in B2C tenant.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 74%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
I am getting the same error with resetPassword. I am using a Standard Azure AD tenant.
I am trying to utilize a User Managed Identity within a Logic App for authentication that has the Privileged Authentication Admin role (and Help Desk Admin role too). With the identical configuration and same Managed Identity I am able to successfully call List passwordMethods, Delete phoneAuthenticationMethod, and Delete emailAuthenticationMethod.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 79%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
So how come I am able to use Azure Graph SDK to update my password profile? TBH your documentation is all over the place and there's no single consistent source of truth.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 25%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Just use the GRAPH user update endpoint if you want to create a new PasswordProfile. That is working for B2C and AAD as well. You have to instanciate new objects. If you try to add new values by just adding them to the properties you will get an exception.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 44%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
I have the same problem.
Insufficient privileges to complete the operation and I can not add permissions to the Graph API.
I find it kinda weird that I can enable, disable, create and delete users - but I cant set their passwords? :)
I have tried the Graph Beta API too.
