How to change User Password with Graph Api Powershell CMDlet

Atilgan, Denise 0 Reputation points
2025-02-26T16:21:30.49+00:00

Hi all,

I am struggling to understand the following dilemma:

I bulk created User Objects in Entra ID. The type was set to "guest" not "member" so those accounts are by no means privileged at all and have never held any admin roles.

I have already gathered that, by using an app registration, there are currently no non-delegated permissions that would grant said app registration the ability to change user passwords.
So I tried again with the "Connect-MGGraph" CMDlet and with the user authentication pop-up thingie.

From what I gathered online, for the user accounts I am trying to alter, the simple "User Administrator" role should have been sufficient to get the result I wanted, as the accounts are not privileged. Instead, however, I always got the same error returned:

Update-MgUser : Insufficient privileges to complete the operation.

Status: 403 (Forbidden)

Reset-MgUserAuthenticationMethodPassword : Request Authorization failed

Status: 403 (Forbidden)

(as you can see, I tried two different approaches to altering the password profile)

Again: the normal "User Administration" role should have been sufficient. As it did not work, I then got my admin user the "Privileged Authentication Administrator" role approved.
Even with this role, which according to this documentation should be able to alter even administrator account passwords, I got the same two errors mentioned above.

I also tried adding the Scope "Directory.ReadWrite.All" when using the connect mggraph command. Here is an excerpt of what "get-mgcontext" returns:

Device.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Directory.ReadWrite.All Domain.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All openid profile Sites.ReadWrite.All User.Read User.ReadWrite.All email

So the permission is present, but I still could not change passwords.

Now, as a last resort, I got the Global Admin role for my admin and used the same commands. With the Global Admin, changing the password profile was possible. This is not the preferred way, as the Global Admin is far too mighty to just be casually used like this...

All I want now is to know why. If, as per documentation, all other privileges should have granted me the permissions, why did it not work? How could I get the lesser-than-Global-Admin roles to work for me?

Below is the broken-down general code I used; please keep in mind that I did assign different admin roles to the admin account I used for authentication:

# Interactive sign-in; the roles/scopes granted to this session varied between attempts (see above)
Connect-MgGraph

# Note: a wildcard DisplayName match can return more than one user
$user = Get-MGUser -All | ? {$_.DisplayName -like "*example*"}
$userId = $user.Id

# generatePasswd is the poster's own helper for producing a new password (not shown)
$newPasswd = generatePasswd

#Approach 1: update the passwordProfile on the user object
$pwdprofile = @{
    ForceChangePasswordNextSignIn = $false;
    Password = $newPasswd
}

Update-MgUser -UserId $userId -PasswordProfile $pwdprofile


#Approach 2: reset via the password authentication method
$params = @{
    newPassword = $newPasswd
}

$authenticationMethodId = "28c10230-6103-485e-b985-444c60001490"

Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authenticationMethodId -BodyParameter $params

I am hella confused and would really gladly appreciate every bit of information, thanks!
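As an added example (not the poster's code), here is a least-privilege version of "Approach 2": it requests only the scopes the authentication-method reset needs, verifies that the issued token actually carries them before touching any account, resolves the user by UPN instead of a wildcard display-name match, and looks up the password method id instead of hard-coding it. The scope names used here and the module availability are assumptions; the UPN in the usage line is a placeholder.

```powershell
# Added example: least-privilege password reset via the password authentication method.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed.
function Reset-GuestPasswordLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $NewPassword
    )

    # Ask only for what the reset needs. The scope list is an assumption for this example;
    # consent is per scope, so a broad Directory.ReadWrite.All grant does not by itself
    # cover the authentication-method endpoint.
    $requiredScopes = @('User.Read.All', 'UserAuthenticationMethod.ReadWrite.All')
    Connect-MgGraph -Scopes $requiredScopes -NoWelcome

    # Check the token before acting: a 403 is cheaper to diagnose here than after the call.
    $granted = (Get-MgContext).Scopes
    $missing = $requiredScopes | Where-Object { $_ -notin $granted }
    if ($missing) {
        throw "Token is missing scopes: $($missing -join ', '). Re-consent before retrying."
    }

    # Server-side filter on UPN; a wildcard DisplayName match can return several objects,
    # in which case $user.Id silently becomes an array.
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" -Property Id,UserPrincipalName,UserType
    if (-not $user -or @($user).Count -ne 1) {
        throw "Expected exactly one user for $UserPrincipalName, got $(@($user).Count)."
    }

    # Resolve the password method id for this user rather than hard-coding it.
    $method = Get-MgUserAuthenticationPasswordMethod -UserId $user.Id | Select-Object -First 1
    if (-not $method) {
        throw "No password authentication method found for $UserPrincipalName."
    }

    $body = @{ newPassword = $NewPassword }
    Reset-MgUserAuthenticationMethodPassword -UserId $user.Id -AuthenticationMethodId $method.Id -BodyParameter $body

    Write-Host "Password reset requested for $($user.UserPrincipalName) (userType: $($user.UserType))."
}

# Usage (placeholder UPN; the password is read from the console rather than written in the script):
# Reset-GuestPasswordLeastPrivilege -UserPrincipalName 'guest.example@contoso.onmicrosoft.com' -NewPassword (Read-Host 'New password')
```

Running the same function under the "Privileged Authentication Administrator" role with these scopes granted, versus under Global Admin, is a quick way to separate a missing-consent problem (the scope check throws) from a missing-role problem (the reset call returns 403).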
