Access Denied When Updating User Password in Azure Active Directory via Microsoft Graph API

Umair Khalid 0 Reputation points
2024-10-04T07:47:38.1133333+00:00

I'm trying to update a user's password in Azure Active Directory using the Microsoft Graph API. The user was created using the API endpoint https://graph.microsoft.com/v1.0/users, and I'm generating an application token in Node.js using the @azure/identity package.

Implementation Details:

Token Generation: I'm using ClientSecretCredential to generate the token:

// Client-credential (app-only) flow; tenantId, clientId and clientSecret come from the app registration.
const { ClientSecretCredential } = require('@azure/identity');
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
// getToken() must be awaited inside an async function; it resolves to an AccessToken object,
// so the bearer string sent to Graph is token.token, not token itself.
const token = await credential.getToken("https://graph.microsoft.com/.default");

API Call to Update Password: I'm using the following PATCH request to update the user's password:

PATCH https://graph.microsoft.com/v1.0/users/${userId}

Request Body:

{
    "passwordProfile": {
        "forceChangePasswordNextSignIn": true,
        "password": "newPassword"
    }
}

Permissions Granted: I've ensured the following permissions are granted in the Azure portal for my app registration:

  • Directory.AccessAsUser.All
  • User.ReadWrite.All
  • Directory.ReadWrite.All

Roles of the Account: The account performing the password reset has one of the following roles:

  • Global Administrator
  • Privileged Authentication Administrator
  • Authentication Administrator

Despite following the documentation here, I receive an accessDenied error with the message "Request Authorization failed" when updating the password.

Could anyone provide insights on what might be going wrong or what additional permissions or roles are required to update a user's password successfully?


  2. Yakun Huang-MSFT 4,800 Reputation points Microsoft Vendor
    2024-10-04T10:11:52.8166667+00:00

    Hello Umair Khalid,

    Thank you for reaching out to Microsoft Support!

    Just adding Directory.ReadWrite.All permissions is not enough; you need to add the service principal of your AD App as a directory role in Azure AD.

    Please refer to this case for details:

    https://stackoverflow.com/questions/61004464/how-to-update-the-password-of-user-in-azure-ad-using-graph-api

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

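An added example (not code from the question or the answer above) showing the PATCH request the question describes, built for Node.js 18+ with the global fetch, together with a helper that recognises the 403 accessDenied / "Request Authorization failed" reply an app-only token gets when the service principal has no directory role. The GUID and error body in the comments are constructed sample values.

```javascript
const GRAPH = "https://graph.microsoft.com/v1.0";

// Build the PATCH from the question. accessToken is the string in
// AccessToken.token returned by ClientSecretCredential.getToken().
function buildPasswordResetRequest(userId, accessToken, newPassword) {
  return {
    url: `${GRAPH}/users/${encodeURIComponent(userId)}`,
    method: "PATCH",
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      passwordProfile: { forceChangePasswordNextSignIn: true, password: newPassword },
    }),
  };
}

// Classify a Graph error reply ({ error: { code, message } }). With a client
// credential token, 403 accessDenied "Request Authorization failed" means the
// application permission was granted but the app's service principal holds no
// directory role that allows password reset; 401 points at the token itself.
function diagnoseGraphError(status, errorBody) {
  const code = (errorBody && errorBody.error && errorBody.error.code) || "";
  const message = (errorBody && errorBody.error && errorBody.error.message) || "";
  if (status === 401) {
    return "token rejected: check tenant id, client id, secret and the .default scope";
  }
  if (status === 403 && code === "accessDenied" && /Authorization failed/i.test(message)) {
    return "service principal lacks a directory role (e.g. Privileged Authentication Administrator); " +
      "application permissions alone are not enough";
  }
  if (status === 403) return `forbidden: ${code} ${message}`.trim();
  return `unexpected ${status}: ${code} ${message}`.trim();
}

// End-to-end call; Graph answers 204 No Content on a successful PATCH.
async function resetPassword(credential, userId, newPassword) {
  const { token } = await credential.getToken("https://graph.microsoft.com/.default");
  const req = buildPasswordResetRequest(userId, token, newPassword);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (res.status === 204) return { ok: true };
  const body = await res.json().catch(() => ({}));
  return { ok: false, reason: diagnoseGraphError(res.status, body) };
}
```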
