Authorization_RequestDenied: "Insufficient Privileges" When Attempting to Update User Password via Microsoft Graph API

Ray Garg 20 Reputation points
2024-12-10T20:58:50.7966667+00:00

Hi,

I’m encountering an issue when trying to update a user’s password in Azure AD B2C using the Microsoft Graph API. I’m sending a PATCH request to the following endpoint:

https://graph.microsoft.com/v1.0/users/{user-id}

Here's the request body:

{
  "passwordProfile": {
    "password": "Pass!w0rd$8&",
    "forceChangePasswordNextSignIn": false
  },
  "passwordPolicies": "DisablePasswordExpiration,DisableStrongPassword"
}

The access token used in the request includes the User.ReadWrite.All and Directory.ReadWrite.All application permissions, and admin consent has been granted for these permissions. I’ve confirmed via jwt.io that these roles are present in the token.

The target user exists in the B2C directory, and their identities field is correctly configured. Here’s the error response I’m getting:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2024-12-10T16:44:09",
      "request-id": "db7efa4e-cddb-4535-b5fe-fa00b2fa3e14",
      "client-request-id": "db7efa4e-cddb-4535-b5fe-fa00b2fa3e14"
    }
  }
}

Additional Context:

  1. The application has been granted the required API permissions (User.ReadWrite.All and Directory.ReadWrite.All) under application permissions.
  2. The target user was created in Azure AD B2C during a migration process and is active in the directory.
  3. No conditional access policies or custom roles are in place that would restrict this operation.
  4. Application context:
    • The application resides in app registrations inside the Azure AD B2C tenant, not a regular Azure AD (Microsoft Entra ID) tenant.
    • I don't believe Azure AD B2C supports assigning directory roles like User Administrator. If that is a thing, please let me know the steps to do so.
  5. Permissions already granted:
    • The app has User.ReadWrite.All and Directory.ReadWrite.All API permissions (type: application) with admin consent granted.
  6. Scenario:
    • The PATCH request targets the https://graph.microsoft.com/v1.0/users/{user-id} endpoint.
    • The request includes a passwordProfile object to update the user’s password.

Issue:

  • Despite the permissions and valid access token, the operation fails with Authorization_RequestDenied and the message "Insufficient privileges to complete the operation."
  • Is there a known limitation or additional configuration required in Azure AD B2C to allow password updates? Something to note is that this operation is a PATCH request to update a randomly generated password for the user. (For another scenario where a custom policy is used to update the password with forceChangePasswordNextSignIn, that works, but this use case requires a PATCH request with a new password.)

Questions:

  1. Why would I still be getting an "Insufficient privileges to complete the operation" error despite having these permissions in the access token?
  2. Is there an additional permission, configuration, or step required to enable the application to update passwords in Azure AD B2C?
  3. Could this error be related to the target user’s configuration, such as their identities or passwordPolicies fields?

Any guidance or troubleshooting suggestions would be greatly appreciated. I’ve been stuck on this for a while and am trying to ensure this automated process works without manual intervention.

Thank you!


1 answer

  1. CarlZhao-MSFT 43,726 Reputation points
    2024-12-11T08:06:58.24+00:00

    Hi @Ray Garg

    In addition to the above permissions, the calling app must have the User Administrator or Global Administrator role.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
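As an added example (not code from the question or the answer above), the following Python builds the PATCH described in the question, decodes the access token's payload the way jwt.io does, and turns a 403 Authorization_RequestDenied into a finding that matches the answer: with User.ReadWrite.All present in the token, the remaining gap is the directory role, not the app permission. The token helper only builds an unsigned, constructed token so the diagnostic can be exercised offline.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_APP_ROLE = "User.ReadWrite.All"  # application permission named in the question


def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg "none", dummy signature) used only to exercise the
    # diagnostic offline; Graph would never accept it.
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}.sig"


def decode_jwt_payload(token: str) -> dict:
    # Inspection only: decodes the payload segment without verifying the signature,
    # which is exactly what pasting the token into jwt.io shows.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def build_password_patch(user_id: str, new_password: str, token: str) -> dict:
    # The request from the question: PATCH /users/{id} with a passwordProfile object.
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/users/{user_id}",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": {"passwordProfile": {"password": new_password,
                                     "forceChangePasswordNextSignIn": False}},
    }


def diagnose_password_patch(status: int, response_body: dict, token: str) -> list:
    # Explains a failed PATCH from what the client can see locally: the token's roles
    # claim and the Graph error code. An empty list means nothing was found.
    if status in (200, 204):
        return []
    findings = []
    roles = decode_jwt_payload(token).get("roles", [])
    if REQUIRED_APP_ROLE not in roles:
        findings.append(f"token lacks app role {REQUIRED_APP_ROLE}; roles present: {roles}")
    code = response_body.get("error", {}).get("code")
    if status == 403 and code == "Authorization_RequestDenied" and REQUIRED_APP_ROLE in roles:
        # Matches the answer on this page: passwordProfile updates also require the
        # calling app to hold the User Administrator (or Global Administrator) role.
        findings.append("app permission present but request denied: assign the app the "
                        "User Administrator (or Global Administrator) directory role")
    return findings
```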

