Question

SRI-5106 asked · JacekB-2381 commented

how to reset and change password using microsoft graph api of Azure AD B2C users?

[images: changpassword.png, resetpassword.png]

POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
POST https://graph.microsoft.com/beta/me/changePassword
POST https://graph.microsoft.com/v1.0/me/changePassword

I tried the above APIs, but all of them give the error below.


azure-ad-b2c

amanpreetsingh-msft answered · Gamer-1297 commented

Hi @SRI-5106 · Thank you for reaching out.

In the changePassword call, you need to update the call to either /beta/users/object_id_or_upn_of_user or /beta/me. The reason you are getting the "resource not found" error is that you are passing /beta/object_id_of_the_user.

  1. Make sure the token that you are passing in the Authorization Header is acquired under user context and NOT under application context (using client credentials flow).

  2. The token that you are passing in the Authorization Header must be of the same user whose password you are trying to change. You cannot use User1's token to change password of User2.

  3. These calls can only be used for local accounts and NOT for social accounts in B2C tenant, as the passwords for social accounts are stored in their respective IDPs.

  4. Make sure you have provided consent for below delegated permissions:

  • Directory.AccessAsUser.All - Required for changePassword

  • UserAuthenticationMethod.ReadWrite.All - Required for resetPassword


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

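As an added example (not code from the thread), here is a Python pre-flight check that encodes points 1, 2 and 4 of the answer above before a changePassword call is sent: decode the bearer token's claims locally, confirm it is a delegated token (delegated tokens carry `scp`; a client-credentials token carries `roles` and no `scp`), confirm its `oid` is the target user, and confirm the `Directory.AccessAsUser.All` scope is present; only then build the POST against /me/changePassword. The JWT decoding deliberately does not verify the signature: it is a sanity check on a token you already hold, not token validation, which Graph does server-side. The test-token builder, the object ids and the passwords are constructed for the demo.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_SCOPE = "Directory.AccessAsUser.All"  # delegated scope changePassword needs


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Only use this on a token you obtained yourself (to see what you are about to
    send). It must never be used to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def is_delegated_token(claims):
    """Delegated (user-context) tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'."""
    return "scp" in claims


def can_change_password(claims, target_oid):
    """Mirror the three pre-conditions from the answer; returns (ok, reason)."""
    if not is_delegated_token(claims):
        return False, "app-only token (client credentials): changePassword needs a user token"
    if claims.get("oid") != target_oid:
        return False, "token belongs to a different user than the one being changed"
    if REQUIRED_SCOPE not in set(claims["scp"].split()):
        return False, f"missing delegated scope {REQUIRED_SCOPE}"
    return True, "ok"


def build_change_password_request(token, target_oid, current_password, new_password):
    """Return the request to send (method, url, headers, body) or raise PermissionError."""
    ok, reason = can_change_password(decode_jwt_claims(token), target_oid)
    if not ok:
        raise PermissionError(reason)
    return {
        "method": "POST",
        # /me, not /users/{id}: the delegated token already identifies the user.
        "url": f"{GRAPH}/me/changePassword",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": {"currentPassword": current_password, "newPassword": new_password},
    }


def make_unsigned_test_token(claims):
    """Constructed, unsigned JWT for offline demonstration only; Graph would reject it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Usage: `build_change_password_request(token, my_oid, old, new)` either returns the request you hand to your HTTP client or raises with the specific condition that Graph would otherwise report as "resource not found" or "access denied".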

Hi @amanpreetsingh-msft
Thank you for your response.
UserAuthenticationMethod.ReadWrite.All - Required for resetPassword -- this permissions is provided.


can you give an example or correct api for reset password?

0 Votes 0 ·

Hi @SRI-5106 · Below call works.
Call: POST https://graph.microsoft.com/beta/users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
Body:
{
"newPassword": "newPasswordvalue"
}

If this doesn't work, try creating a new member user and assigning it Global Admin rights in your B2C tenant. Don't use a guest or signed-up user for this purpose.

0 Votes 0 ·

I wrote a blog article a few weeks ago at (https://www.msxfaq.de/cloud/graph/graph_password.htm). But it is in German, so sorry for that. Maybe Google/Bing translation might help.
The code is language independent. I got it working for my test lab user "clouduser1@msxfaq.net" with the following two PowerShell lines.
You have to collect the access token first, of course.

First, collect the password methods.

# Step 1: list the user's password methods (the UPN's '@' is URL-encoded as %40).
$passwordmethods = Invoke-RestMethod -Method GET `
    -Headers @{"Authorization" = "Bearer $($accesstoken)"} -ContentType "application/json" `
    -URI "https://graph.microsoft.com/beta/users/clouduser1%40msxfaq.net/authentication/passwordMethods"

# Step 2: reset the password on the method id returned above.
Invoke-RestMethod -Method POST `
    -Headers @{"Authorization" = "Bearer $($accesstoken)"} -ContentType "application/json" `
    -URI "https://graph.microsoft.com/beta/users/clouduser1%40msxfaq.net/authentication/passwordMethods/$($passwordmethods.value.id)/resetPassword" `
    -Body "{""newPassword"": ""superSecretPasswordHere!""}"


The only issue I have not solved yet: the user has to change their password at the first logon, and I have not found a way to disable that.
It works with the old Graph API at graph.windows.net.

0 Votes 0 ·

Hi @amanpreetsingh-msft

How do I change the password for the logged-in user using the changePassword call?

Directory.AccessAsUser.All - Required for changePassword - this permission is provided.

Calling changePassword for the Microsoft Graph API using
Users[User Object Id].ChangePassword(current pswd, new pswd)

the system throws an exception: Access to change password operation is denied.

Am I missing something here?

0 Votes 0 ·
Kim-7362 answered · JacekB-2381 commented

Hi

I have an Azure AD B2C App registration and I want to be able to change passwords for users under that App with the Graph Api.

But I keep getting an exception that the 'Access to change password operation is denied' - I have tried to give the App different roles in the AD (Password and Helpdesk Admin) - but nothing seems to help.

I cannot find this permission 'Directory.AccessAsUser.All' - under Graph API and Delegated Permissions I only have "openid" and "offline_access", and I cannot find it under Delegated Permissions.

Any clue and help will be much appreciated. :)

Thanks in advance.


@Kim-7362 I got it to work by assigning the role 'Password administrator' to my Azure AD B2C app registration and giving the following API permissions: Directory.ReadWrite.All and User.ReadWrite.All (both type: application).

I am updating the password using Graph as follows:


// Microsoft.Graph SDK, app-only client: PATCH the user's passwordProfile.
using Microsoft.Graph;

var user = new User
{
    PasswordProfile = new PasswordProfile
    {
        ForceChangePasswordNextSignIn = false,   // do not force a change at next sign-in
        Password = "myNewPassword"
    }
};

await graphServiceClient.Users[userId].Request().UpdateAsync(user);



1 Vote 1 ·
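The two admin-side write paths shown in this thread, the two-step resetPassword call from the PowerShell comment above and the app-only passwordProfile PATCH in the comment just above, as one added Python example that is not code from the thread or from Microsoft. The HTTP transport is injected as a `send(method, url, headers, body)` callable, so the flow itself (percent-encoding the UPN, pulling the method id out of `value`, refusing to continue for an account with no local password method, treating 202 Accepted as a long-running operation whose status lives at the Location header) can be exercised offline against the constructed `FakeGraph` stand-in at the bottom; plug in `requests`/`urllib` for a real tenant. The tokens, UPNs, method id and operation URL are constructed sample data.

```python
from urllib.parse import quote

GRAPH_BETA = "https://graph.microsoft.com/beta"
GRAPH_V1 = "https://graph.microsoft.com/v1.0"


class GraphError(RuntimeError):
    """Raised on any non-success status so a failed reset is never mistaken for success."""


def _check(status, body, *allowed):
    if status not in allowed:
        raise GraphError(f"HTTP {status}: {body}")


def reset_password(send, token, user, new_password):
    """Admin-driven reset: GET the user's passwordMethods, then POST resetPassword on that method.

    send(method, url, headers, body) -> (status, json_body_or_None, response_headers) is the
    caller's HTTP transport. Returns the operation-status URL from the Location header when
    Graph answers 202 Accepted, otherwise None.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    # A UPN contains '@' and must be percent-encoded in the path; an object id is unaffected.
    user_seg = quote(user, safe="")
    base = f"{GRAPH_BETA}/users/{user_seg}/authentication/passwordMethods"
    status, body, _ = send("GET", base, headers, None)
    _check(status, body, 200)
    methods = body.get("value", [])
    if not methods:
        # Social/federated accounts keep their password at the external IdP: nothing to reset.
        raise GraphError(f"{user} has no local password method")
    method_id = methods[0]["id"]
    status, body, resp_headers = send("POST", f"{base}/{method_id}/resetPassword", headers,
                                      {"newPassword": new_password})
    _check(status, body, 200, 202)
    return resp_headers.get("Location") if status == 202 else None


def set_password_app_only(send, token, user, new_password, force_change=False):
    """App-only alternative from the thread: PATCH the user's passwordProfile (204 No Content)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    profile = {"forceChangePasswordNextSignIn": force_change, "password": new_password}
    status, body, _ = send("PATCH", f"{GRAPH_V1}/users/{quote(user, safe='')}", headers,
                           {"passwordProfile": profile})
    _check(status, body, 204)
    return True


class FakeGraph:
    """Constructed stand-in for Graph so the flows above run offline; it is not a real tenant."""

    PASSWORD_METHOD_ID = "28c10230-6103-485e-b985-444c416c2a4a"  # constructed sample id

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": "InvalidAuthenticationToken"}, {}
        if method == "GET" and url.endswith("/authentication/passwordMethods"):
            # The constructed "social" user has no password method at all.
            value = [] if "social" in url else [{"id": self.PASSWORD_METHOD_ID, "password": None}]
            return 200, {"value": value}, {}
        if method == "POST" and url.endswith("/resetPassword"):
            return 202, None, {"Location": f"{GRAPH_BETA}/users/<constructed>/authentication/operations/<constructed>"}
        if method == "PATCH" and url.startswith(f"{GRAPH_V1}/users/"):
            return 204, None, {}
        return 404, {"error": {"code": "Request_ResourceNotFound"}}, {}


def demo():
    """Run both flows against FakeGraph and return what a caller would inspect."""
    graph = FakeGraph()
    location = reset_password(graph, "<admin-token>", "clouduser1@msxfaq.net", "N3w-Passw0rd!")
    patched = set_password_app_only(graph, "<app-token>", "clouduser1@msxfaq.net", "N3w-Passw0rd!")
    try:
        reset_password(graph, "<admin-token>", "social.user@example.com", "N3w-Passw0rd!")
        social_failed = False
    except GraphError:
        social_failed = True
    return {"location": location, "patched": patched, "social_failed": social_failed,
            "urls": [url for _, url, _ in graph.calls]}
```

Note the split the thread itself hit: `reset_password` needs a delegated token with `UserAuthenticationMethod.ReadWrite.All` and an admin role, while `set_password_app_only` is the one that works from an application (client-credentials) token and is also where `forceChangePasswordNextSignIn` can be set explicitly.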

Thank you very much!
Worked for me

0 Votes 0 ·

@Kim-7362 • B2C apps do not support all Graph operations as of now. These permissions will be visible only when the application is registered using one of the below-highlighted options:
[image: 155616-image.png]

0 Votes 0 ·
Kim-7362 · replying to amanpreetsingh-msft

Thanks. I have supported account types "All users" - is that why? Also, when will the graph operations be available for changing passwords?

0 Votes 0 ·