Resetting a user's password using Microsoft Graph
I'm trying to write a web portal that users can use to reset their own Azure AD password. Because of the requirements of my client, the Azure AD SSPR is not an option.

To achieve this I'm using Microsoft Graph. According to the documentation, it is possible to reset a user's password using Microsoft Graph if you have User.ReadWrite.All or Directory.AccessAsUser.All permissions.

Then the permissions documentation, in its remarks, states that even if you have the Directory.ReadWrite.All permission you won't be able to reset a user's password.

I've done a test to see if this will work but I get an HTTP 403 Forbidden response.

The code I'm using is:
    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Web;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    string ResourceUrl = "https://graph.windows.net/";
    string AuthorityUrl = "https://login.microsoftonline.com/companyxxx.onmicrosoft.com/oauth2/authorize/";

    // Create a user password credential (username/password grant).
    var credential = new UserPasswordCredential("username@xxxx.com", "passwordxxx");

    // Authenticate using the created credential and get a token for the resource.
    var authenticationContext = new AuthenticationContext(AuthorityUrl);
    var authenticationResult = authenticationContext
        .AcquireTokenAsync(ResourceUrl, "xxxxxxxx-3017-4833-9923-30d05726b32f", credential)
        .Result;
    string jwtToken = authenticationResult.AccessToken;

    // Not used by the HttpClient call below; kept from the original code.
    var cred = new Microsoft.Rest.TokenCredentials(authenticationResult.AccessToken, "Bearer");

    HttpClient client = new HttpClient();
    var queryString = HttpUtility.ParseQueryString(string.Empty);
    queryString["api-version"] = "1.6";
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);

    var uri = "https://graph.windows.net/xxxxxxxx-18fe-xxxx-bb90-d62195600495/users/xxxxxxxx-aa58-4329-xxxx-b39af07325ee?" + queryString;

    // JSON body with the new password profile.
    var content = new StringContent(
        "{\"passwordProfile\": {\"password\": \"Test123456\", \"forceChangePasswordNextLogin\": true }}",
        Encoding.UTF8, "application/json");

    var response = client.PatchAsync(new Uri(uri), content, jwtToken).Result;
The PatchAsync method is an extension method as below:
    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;

    public static class HttpClientExtensions
    {
        // HttpClient has no PatchAsync in older frameworks, so build the PATCH request by hand.
        public static async Task<HttpResponseMessage> PatchAsync(this HttpClient client,
            Uri requestUri, HttpContent iContent, string jwtToken)
        {
            var method = new HttpMethod("PATCH");
            var request = new HttpRequestMessage(method, requestUri)
            {
                Content = iContent,
            };
            request.Content.Headers.ContentType =
                new MediaTypeHeaderValue("application/json");
            request.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", jwtToken);

            // Returned as-is (empty) if the request is cancelled or times out.
            HttpResponseMessage response = new HttpResponseMessage();
            try
            {
                response = await client.SendAsync(request);
            }
            catch (TaskCanceledException e)
            {
                Console.WriteLine("ERROR: " + e.ToString());
            }
            return response;
        }
    }
Could someone please clarify if this is possible using the credentials grant flow with a username and password for authentication? If so, how do I achieve this?
You're mixing up Microsoft Graph and Azure AD Graph API. These are two different APIs and calls to one are not interchangeable with the other.
You are correct in that you need to use the Directory.AccessAsUser.All scope for this activity. This scope allows the API to do anything to the AAD that the signed-in user would be able to do themselves (i.e. change their own password).

Once you have a valid access_token for the user with Directory.AccessAsUser.All permission, you can update the user's passwordProfile:
    PATCH https://graph.microsoft.com/v1.0/me
    Content-type: application/json

    {
      "passwordProfile" : {
        "forceChangePasswordNextSignIn": true,
        "password": "password-value"
      }
    }
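As an added example (it is not part of the question or the answer above), here is the answer's PATCH /me call issued from C# with ADAL and HttpClient, against Microsoft Graph rather than Azure AD Graph. It assumes the app registration has the delegated Directory.AccessAsUser.All permission consented and that the ADAL token is requested for the resource https://graph.microsoft.com; the tenant, client id, username, password and new password are placeholders.

```csharp
// Added example, not code from the question or the answer.
// Assumes ADAL v3 (Microsoft.IdentityModel.Clients.ActiveDirectory) and Newtonsoft.Json.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;

public static class GraphPasswordReset
{
    // Microsoft Graph, not Azure AD Graph (graph.windows.net); the two are not interchangeable.
    private const string GraphResource = "https://graph.microsoft.com";

    // Placeholder tenant: ADAL wants the bare tenant authority, without /oauth2/authorize.
    private const string Authority = "https://login.microsoftonline.com/companyxxx.onmicrosoft.com";

    // Delegated token via the username/password grant, as in the question, but for Microsoft Graph.
    // The permissions it carries are whatever the app registration (placeholder clientId) has consented.
    public static async Task<string> AcquireGraphTokenAsync(string clientId, string username, string password)
    {
        var context = new AuthenticationContext(Authority);
        var credential = new UserPasswordCredential(username, password);
        AuthenticationResult result = await context.AcquireTokenAsync(GraphResource, clientId, credential);
        return result.AccessToken;
    }

    // Serialises the body the answer shows; the serializer escapes any quotes in the password.
    public static string BuildPasswordProfileBody(string newPassword, bool forceChangeNextSignIn)
    {
        var body = new
        {
            passwordProfile = new
            {
                forceChangePasswordNextSignIn = forceChangeNextSignIn,
                password = newPassword
            }
        };
        return JsonConvert.SerializeObject(body);
    }

    // PATCH /me with the signed-in user's token. Graph answers 204 No Content on success.
    public static async Task<bool> ResetOwnPasswordAsync(HttpClient client, string accessToken, string newPassword)
    {
        var request = new HttpRequestMessage(new HttpMethod("PATCH"), GraphResource + "/v1.0/me")
        {
            Content = new StringContent(BuildPasswordProfileBody(newPassword, true),
                                        Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using (HttpResponseMessage response = await client.SendAsync(request))
        {
            if (response.StatusCode == HttpStatusCode.NoContent)
                return true;

            // 401/403 here usually means the token was issued for another resource
            // or the delegated scope was never consented; Graph puts the reason in the body.
            string error = await response.Content.ReadAsStringAsync();
            Console.Error.WriteLine($"Graph returned {(int)response.StatusCode}: {error}");
            return false;
        }
    }

    public static async Task Main()
    {
        // All values are placeholders; in the portal they come from the user's form, never from config.
        string token = await AcquireGraphTokenAsync("00000000-0000-0000-0000-000000000000",
                                                    "username@xxxx.com", "passwordxxx");
        using (var client = new HttpClient())
        {
            bool ok = await ResetOwnPasswordAsync(client, token, "new-password-value");
            Console.WriteLine(ok ? "Password updated" : "Password update failed");
        }
    }
}
```

The token and the new password are only ever held in memory here and the new password is not logged; the portal should do the same and treat the Graph error body as the first thing to read when the call returns 403.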