Azure 从 API 调用 Microsoft Graph 时 AD B2C 重置密码选项
[英]Azure AD B2C reset password options when calling Microsoft Graph from an API
问题描述
Is there any way to reset a B2C user's password from a b2c app granted only application permissions for Microsoft Graph?
有什么方法可以从仅授予 Microsoft Graph 应用程序权限的 b2c 应用程序重置 B2C 用户的密码?
We have a scenario where there are non email users in a multi-tenant app and we need to allow admins to reset passwords.我们有一个场景,在多租户应用程序中有非 email 用户,我们需要允许管理员重置密码。 To provide user management features we have an app service which uses the .net Microsoft.Graph SDK. It seems the only way to reset a users password is to use resestPassword , but this cannot be called by an Application.为了提供用户管理功能,我们有一个应用程序服务,它使用 .net Microsoft.Graph SDK。似乎重置用户密码的唯一方法是使用resestPassword ,但这不能被应用程序调用。
As far as I can see the only option open to us is to setup a user for this task and store their details in Azure Key vault, then have the app sign in as the user to call the endpoint.据我所知,对我们开放的唯一选项是为此任务设置一个用户并将其详细信息存储在 Azure Key vault 中,然后让应用以用户身份登录以调用端点。
I would really like to avoid this approach if possible and it seems like this must be a common scenario so I am hoping there is a better way?如果可能的话,我真的很想避免这种方法,这似乎是一种常见的情况,所以我希望有更好的方法?
2 个解决方案
解决方案1
1 2023-01-23 07:33:51
Hi you can use update user to reset a B2C user's password.您好,您可以使用更新用户来重置 B2C 用户的密码。
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "xWwvJ]6NMw+bWH-d"
}
}
For more information: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions更多信息: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions
解决方案2
1 已采纳 2023-01-23 08:19:02
I tried to reproduce the same in my environment and got the results like below:我试图在我的环境中重现相同的内容并得到如下结果:
Note that: As per the MsDoc , currently it is not possible to reset password for users with granting only Application permissions.
Resetting the users password with Application permissions will lead to the below error:重置具有应用程序权限的用户密码将导致以下错误:
POST https://graph.microsoft.com/v1.0/users/UserID/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword
Content-type: application/json
{
"newPassword": "xxxx"
}
Alternatively , I created an Azure AD Application and granted below API permissions:或者,我创建了一个 Azure AD 应用程序并授予以下 API 权限:
Grant User Administrator role to the Service principal like below:将用户管理员角色授予服务主体,如下所示:
Now generate the access token via Client Credential flow using below parameters:现在使用以下参数通过客户端凭证流生成访问令牌:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
Using the above generated token, try resetting the password using the below query:使用上面生成的令牌,尝试使用以下查询重置密码:
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
"passwordProfile": {
"password": "xxxx"
}
}
You can use forceChangePasswordNextSignIn parameter based on your requirement.您可以根据需要使用forceChangePasswordNextSignIn参数。
References:参考:
Azure Reset Password using Graph API by CarlZhao-MSFT Azure 使用图 API 重置密码,CarlZhao-MSFT
Reset a user's password in ADB2C using MS Graph API by kh_Ro 使用 MS Graph 在 ADB2C 中重置用户密码 API by kh_Ro
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.