简体繁体 English

如何使用图形API重置Office 365 Azure AD用户的密码？

[英]How To Reset Password Of Office 365 Azure AD User Using Graph API?

原文 2018-01-09 14:47:51 9 2 java/ office365/ microsoft-graph/ azure-ad-graph-api

Graph API - We are trying to reset password of office 365 azure ad user, for that it acquires access token from azure ad using client credentials grant flow, in a daemon app\\service, but unable to reset password of user. Graph API-我们正在尝试重置Office 365天蓝色广告用户的密码，因为它使用守护程序app \\ service中的客户端凭据授予流从天蓝色广告中获取访问令牌，但无法重置用户密码。 It responds " Insufficient privileges to complete the operation ", I have given the following permission to applications. 它响应“ 权限不足，无法完成操作 ”，我已将以下权限授予应用程序。

1)User.ReadWrite.All - Read and write all users full profiles (Application + delegated permission) 2)Directory.AccessAsUser.All - Access directory as the signed-in user (Delegated permission) 1）User.ReadWrite.All-读写所有用户的完整配置文件（应用程序+委派权限）2）Directory.AccessAsUser.All-以登录用户身份访问目录（委派权限）

My O365 application is "multitenant Web Api" app which has been given an admin consent. 我的O365应用程序是“多租户Web Api”应用程序，已获得管理员同意。 The main purpose of my app is to sync users from my Web Application (User details etc.) to Azure AD. 我的应用程序的主要目的是将用户从Web应用程序（用户详细信息等）同步到Azure AD。 My application is able to sync all user profile details except the password. 我的应用程序能够同步除密码之外的所有用户个人资料详细信息。

Can a Daemon service application which has be authorized by the tenant administrator, reset the password of the users in the organization? 租户管理员授权的Daemon服务应用程序可以重设组织中用户的密码吗？

Thanks 谢谢

2 个解决方案

Currently Microsoft Graph (and AzureAD Graph) do not expose any application-only permissions (that could be used by a daemon app) to reset user passwords. 当前，Microsoft Graph（和AzureAD Graph）不公开任何仅应用程序权限（可以由守护程序使用）重置用户密码。 This is a particularly privileged operation that can easily be abused. 这是一种特别特权的操作，很容易被滥用。 We do support this operation, in an interactive delegated flow, using Directory.AccessAsUser.All , as long as the signed in user is an administrator. 只要登录用户是管理员，我们就使用Directory.AccessAsUser.All在交互式委托流中支持此操作。

If you need an application permission to reset passwords please request this on UserVoice: https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/category/101632-microsoft-graph-o365-rest-apis 如果您需要应用程序权限来重置密码，请在UserVoice上进行以下请求： https : //officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/category/101632-microsoft-graph-o365-rest-apis

Hope this helps, 希望这可以帮助，

I had the same problem, it took 15 days to find a solution. 我遇到了同样的问题，花了15天的时间找到了解决方案。 Although the permissions are provided from the application it is not possible to reset the password of a user. 尽管权限是从应用程序提供的，但无法重置用户密码。 For this, a role of "Company Administrator" must be provided 为此，必须提供“公司管理员”角色

I followed the next steps and it worked: 我按照下面的步骤进行了工作：

Run windows powershell as administrator 以管理员身份运行Windows Powershell

Write the next PowerShell cmdlets 编写下一个PowerShell cmdlet

Install-Module AzureAD 安装模块AzureAD
Connect-AzureAD 连接-AzureAD
$ app = Get-AzureADServicePrincipal -SearchString "AppName" $ app = Get-AzureADServicePrincipal -SearchString“ AppName”
$ role = Get-AzureADDirectoryRole | $角色= Get-AzureADDirectoryRole | Where-Object {$ _. 哪里对象{$ _。 DisplayName -eq "Company Administrator"} DisplayName -eq“公司管理员”}
Add-AzureADDirectoryRoleMember -ObjectId $ role.ObjectId -RefObjectId $ app.ObjectId Add-AzureADDirectoryRoleMember -ObjectId $ role.ObjectId -RefObjectId $ app.ObjectId

Note: Change "AppName" by the name of your application in AD. 注意：通过AD中的应用程序名称更改“ AppName”。 Connect to AzureAD with the user who has GlobalAdministrator permissions. 使用具有GlobalAdministrator权限的用户连接到AzureAD。