堆栈内存溢出
  简体   繁体   English

使用Microsoft Graph重置用户密码

[英]Resetting a user's password using Microsoft Graph

 原文  2018-04-16 06:50:28       c#/ azure-active-directory/ microsoft-graph

问题描述

I'm trying to write a web portal that users can use to reset their own Azure AD password. 我正在尝试编写一个Web门户,用户可用来重置其自己的Azure AD密码。 Because of the requirements of my client, the Azure AD SSPR is not an option . 由于我的客户的要求, Azure AD SSPR不是一个选择

To achieve this I'm using Microsoft Graph. 为此,我使用了Microsoft Graph。 According to the documentation , it is possible to reset a users password using Microsoft Graph if you have User.ReadWrite.All or Directory.AccessAsUser.All permissions. 根据文档 ,如果您具有User.ReadWrite.AllDirectory.AccessAsUser.All权限,则可以使用Microsoft Graph重置用户密码。

Then the permissions documentation , the remarks it states that even if you have the Directory.ReadWrite.All permissions you won't be able to reset a users password. 然后是权限文档 ,其中指出,即使您拥有Directory.ReadWrite.All权限,也无法重置用户密码。

I've done a test to see if this will work but I get an HTTP 403 Forbidden response. 我已经进行了测试,看是否可以使用,但收到HTTP 403 Forbidden响应。

The code I'm using is: 我使用的代码是: 

string ResourceUrl = "https://graph.windows.net/";
string AuthorityUrl = "https://login.microsoftonline.com/companyxxx.onmicrosoft.com/oauth2/authorize/";

//Create a user password cradentials.
var credential = new Microsoft.IdentityModel
    .Clients
    .ActiveDirectory
    .UserPasswordCredential("username@xxxx.com", "passwordxxx");

// Authenticate using created credentials
var authenticationContext = new AuthenticationContext(AuthorityUrl);

var authenticationResult = authenticationContext
    .AcquireTokenAsync(ResourceUrl, "xxxxxxxx-3017-4833-9923-30d05726b32f", credential)
    .Result;

string jwtToken = authenticationResult.AccessToken;
var cred = new Microsoft.Rest
    .TokenCredentials(authenticationResult.AccessToken, "Bearer");

HttpClient client = new HttpClient();
var queryString = HttpUtility.ParseQueryString(string.Empty);
queryString["api-version"] = "1.6";
client.DefaultRequestHeaders
    .Accept
    .Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);

var uri = "https://graph.windows.net/xxxxxxxx-18fe-xxxx-bb90-d62195600495/users/xxxxxxxx-aa58-4329-xxxx-b39af07325ee?" + queryString;

//var content = new StringContent("{\"passwordProfile\": {\"password\": \"Test123456\", \"forceChangePasswordNextLogin\": true }}");
var response = client.PatchAsync(new Uri(uri), content, jwtToken);

The PatchAsync method is an extension method as below: PatchAsync方法是一种扩展方法,如下所示: 

public static class HttpClientExtensions
{
    public static async Task<HttpResponseMessage> PatchAsync(this HttpClient client,
        Uri requestUri, HttpContent iContent, string jwtToken)
    {
        var method = new HttpMethod("PATCH");
        var request = new HttpRequestMessage(method, requestUri)
        {
            Content = iContent,
        };
        request.Content.Headers.ContentType =
            new MediaTypeHeaderValue("application/json");

        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", jwtToken);

        HttpResponseMessage response = new HttpResponseMessage();
        try
        {
            response = await client.SendAsync(request);
        }
        catch (TaskCanceledException e)
        {
            Console.WriteLine("ERROR: " + e.ToString());
        }

        return response;
    }
}

Could someone please clarify if this is possible using the credentials grant flow with a username and password for authentication. 有人可以使用凭据授予流程以及用户名和密码进行身份验证来说明是否可行。 If so how do I achieve this? 如果是这样,我该如何实现?

1 个解决方案

解决方案1
 2  2018-04-16 21:47:30

You're mixing up Microsoft Graph and Azure AD Graph API. 您正在混合使用Microsoft Graph和Azure AD Graph API。 These are two different APIs and calls to one are not interchangeable with the other. 这是两个不同的API,对一个的调用不能与另一个互换。

You are correct in that you need to use the Directory.AccessAsUser.All scope for this activity. 您是正确的,因为您需要为此活动使用Directory.AccessAsUser.All范围。 This scope allows the API to do anything to the AAD that the signed in user would be able to do themselves (ie change their own password). 此范围允许API对AAD进行登录用户可以自己做的任何事情(即更改他们自己的密码)。

Once you have a valid access_token for the user with Directory.AccessAsUser.All permission, you can update the user's passwordProfile : 一旦具有Directory.AccessAsUser.All权限的用户具有有效的access_token ,就可以更新用户的passwordProfile 

PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json

{
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "password-value"
  }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用无人值守的用户/密码创建 Microsoft Graph GraphServiceClient - Create Microsoft Graph GraphServiceClient with user/password unattended 无法使用具有应用程序权限的 Microsoft Graph 获取用户信息 - Could not get user's information using Microsoft Graph with Application Permissions 使用C#在Active Directory中重置用户密码后,新旧密码都可以使用 - After resetting user's password in Active Directory using C#, both old and new passwords are working 成员资格:重置用户密码 - Membership: Resetting user password 使用 Microsoft Graph 创建用户 - Create user using Microsoft Graph 使用Microsoft Graph更改Azure AD的密码 - Change Password for Azure AD using Microsoft Graph 使用 Microsoft Graph + Http 客户端更改 Azure AD B2C 上的用户密码 - Change user password on Azure AD B2C using Microsoft Graph + Http Client 如何使用Microsoft Graph API检索用户的个人资料和用户的日历? - How to retrieve the user's profile and the user's calendars using the Microsoft Graph API? 使用 Microsoft Graph 获取用户状态 - Get user presence using Microsoft Graph 如何使用 Microsoft Graph API 从包含嵌套组的组中仅获取用户? - How to get only User's from a Group that contains nested Groups using Microsoft Graph API?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM