stackoom
  简体   繁体   中英

Change Azure AD B2C User Password with Graph API

 原文  2017-08-08 20:37:52       oauth-2.0/ azure-active-directory/ azure-ad-b2c/ azure-ad-graph-api

Question

I'm trying to use the Sample Graph API app to change a user's password but I'm getting:

Error Calling the Graph API Response: 

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

Graph API Request: 

PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM

JSON File 

{
    "passwordProfile": {
        "password": "Somepassword1$",
        "forceChangePasswordNextLogin": false
    }
}

I've tested updating the user's displayName and that works fine. 

{
    "displayName": "Joe Consumer"
}

AD Application Permissions

I've configured my app permissions as described here.

AD App权限

2 answers

solution1
 11 ACCPTED  2017-08-15 21:03:39

Check out this article . Seems like it has the same symptoms.

Solution 1:

If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.

  • Go to Azure Management Portal and click Active Directory.
  • Select your custom AD directory.
  • Click Applications and select your Application.
  • Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
  • Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
  • Finally save the changes.

Solution 2:

If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator . As of now, you can only add this role via the Azure AD Powershell module .

  1. Find the service principal using Get-MsolServicePrincipal –AppPrincipalId 

     Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

  2. Use Add-MsolRoleMember to add it to Company Administrator role 

     $clientIdApp = 'your-app-id' $webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.

创建全局管理员

通过powershell连接

get-msolservice主要截图

添加角色截图

solution2
 0  2017-08-30 14:56:15

Try below settings, works for me.

在此输入图像描述

Used the below JSON 

 {
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "kart.kala1@test.com"
    }
  ],
  "creationType": "LocalAccount",
  "displayName": "Joe Consumer",
  "mailNickname": "joec",
  "passwordProfile": {
    "password": "P@$$word!",
    "forceChangePasswordNextLogin": false
  },
  "passwordPolicies": "DisablePasswordExpiration",
  "givenName": "Joe",
}

Also make sure you assign the application the user account, administrator role which will allow it to delete users link here

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure AD B2C Graph API 401 Unauthorized Proper Core 3.0 API middleware to connect Azure AD B2C user to my database account? Web API chains (On-Behalf-Of) in Azure AD B2C Authenticating as a Service with Azure AD B2C Revocation endpoint in Azure AD B2C Azure AD B2C authorization code flow - accessing graph.windows.net How to validate the user id token after user password changes in AD B2C How can I Retrieve Access Token with password credentials in Postman for Azure AD B2C? Impersonation from Azure AD to Azure B2C Accessing user data from Azure B2C AD with OAuth 2.0
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM