I am trying to change the password of a newly created user in Azure AD using the Graph API. I am able to accomplish this for a user with a permanent password (password already changed once using the Azure UI) by calling the Graph API with the access token for the user in the headers, as shown below:

https://graph.windows.net/<tenant_name>/me/changePassword?api-version=1.6 

Request Body : {"currentPassword": "Password1!","newPassword": "Password2!"}

However, I am not able to achieve the same API call for a newly created user who has an Azure-provided temporary password. This is because I am unable to acquire the access token for this user using the ADAL4J API, which returns the error "AADSTS50055: Force Change Password." So if I can't acquire the token for the new user, how do I change the password?

adarsh hegde

1 Answer

I assume that you were acquiring the access token using the Resource Owner Password Credential flow.

When we create a user using the Azure AD Graph REST API, we can disable changing the password when users sign in for the first time. Here is an example for your reference:

POST:https://graph.windows.net/xxxx.onmicrosoft.com/users?api-version=1.6
authorization: bearer {access_token}
content-type: application/json
{
  "accountEnabled": true,
  "displayName": "User7",
  "mailNickname": "User7",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "userPrincipalName": "User7@xxxx.onmicrosoft.com"
}

Then we can use the Resource Owner Password Credential flow to acquire the access token for this user like below (ensure the parameters are URL encoded if you send them directly):

POST:https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
resource=https%3A%2F%2Fgraph.windows.net&client_id={clientId}&grant_type=password&username={userName}&password=Test1234&client_secret={secret}

Then we can update the user's password using the access token above. Note that this Azure AD Graph REST call requires granting the permission Directory.AccessAsUser.All.

Update

The users have to change their password when they log in to Azure AD for the first time (no matter whether it is through the app developed by you or the Azure portal) when you set forceChangePasswordNextLogin to true. Here is a figure for your reference:

Update2

And in this scenario, there is no need to redirect yourself; Azure AD will handle all of this for us. When the users try to log in to your app for the first time, after they enter the correct username/password it requires them to change their password. After users change the password, it will redirect to your app automatically.

Fei Xue
  • Thanks for the answer. However, I need to incorporate the forced password change on first-time login into my application. Since there is no way to find out about a first-time login from my custom app, I have to rely on Azure AD for it. Thus I need a way to change the temporary password itself. Is it possible to achieve it in an interactive way using the Azure UI? – adarsh hegde Jan 24 '17 at 06:21
  • Did you want to change the password when users log in to your app for the first time? If I understood correctly, this is by design when you set `forceChangePasswordNextLogin` to true. The users will be required to change their password as in the figure (see the update in the post). – Fei Xue Jan 24 '17 at 06:40
  • Preferably I want to do this using Graph API from my app itself. If there is no way to do that only then I will think of using the Azure UI. – adarsh hegde Jan 24 '17 at 06:57
  • If you want to change the password using the Graph API, then you need to set `forceChangePasswordNextLogin` to false, then you can follow the steps in the post to update the password. Please feel free to let me know if I misunderstood the scenario. – Fei Xue Jan 24 '17 at 07:07
  • Yes, I can do that, but I won't be able to identify that it is the first-time login for the user and force a password change. Is there a way to identify a first-time login if forceChangePasswordNextLogin is false? Thus I am working with forceChangePasswordNextLogin=true, where Azure AD returns me an error on first-time login saying "Change password". Then I want to call the change password API, which updates the temporary password with the permanent password. – adarsh hegde Jan 24 '17 at 07:23
  • In this scenario, there is no need to implement the **password change** feature in your web app. It is recommended to use the built-in feature to enforce users changing their password. This is more secure, because users can log in with their temporary password to **any other apps** if we set `forceChangePasswordNextLogin` to false. And in your app, we are only able to detect whether the users log in to **YOUR** app for the first time, and this needs to be implemented yourself. For example, you can log the history when users log in and check this history to detect whether users are logging in for the first time. – Fei Xue Jan 24 '17 at 07:48
  • So you say I redirect my user to the change password page of Azure UI. What is the address to which I need to redirect in that case? And how do I redirect the user back to my web app after password change? – adarsh hegde Jan 24 '17 at 08:59
  • There is no need to redirect yourself; Azure AD will handle all of this for us. When the users try to log in to your app for the first time, after they enter the correct username/password it requires them to change their password. After users change the password, it will redirect to your app automatically. – Fei Xue Jan 24 '17 at 09:28
  • Thanks I was able to get it working. I redirected my user to the Azure UI for change password and after completion the Azure UI redirects back to my app. @Fei Xue - MSFT If you post your answer I can mark it as correct. – adarsh hegde Jan 30 '17 at 12:30
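As an added example (not code from the question or the answer), here is the flow the answer describes in Python: building the user-creation request, the URL-encoded ROPC token request, and the changePassword call, with the AADSTS50055 response from the question recognised explicitly so the app can hand the user to Azure AD's built-in password change instead of failing. Tenant, client id, secret and user values are placeholders chosen for the example; the endpoints are the legacy Azure AD Graph ones used on this page, which Microsoft has since retired in favour of Microsoft Graph.

```python
import json
from urllib.parse import urlencode

# Endpoints from the answer (legacy Azure AD Graph / v1 token endpoint).
GRAPH = "https://graph.windows.net"
LOGIN = "https://login.microsoftonline.com"


class ForceChangePasswordRequired(Exception):
    """Azure AD refused ROPC with AADSTS50055: the user must first change the
    temporary password interactively, so no token can be issued to the app."""


def create_user_request(tenant, upn, display_name, password, force_change=True):
    """Build the POST /users request from the answer. Returns (url, json_body).
    force_change defaults to True, the safer setting discussed in the comments:
    a temporary password then cannot be used to sign in to any other app."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@")[0],
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextLogin": force_change},
        "userPrincipalName": upn,
    }
    return f"{GRAPH}/{tenant}/users?api-version=1.6", body


def ropc_token_request(tenant, client_id, client_secret, username, password):
    """Build the Resource Owner Password Credential request; urlencode does the
    URL encoding the answer warns about (':' and '/' in the resource, '@' in UPNs)."""
    form = urlencode({"resource": GRAPH, "client_id": client_id,
                      "grant_type": "password", "username": username,
                      "password": password, "client_secret": client_secret})
    return f"{LOGIN}/{tenant}/oauth2/token", form


def parse_token_response(status, body_text):
    """Return the access token, or raise ForceChangePasswordRequired when the
    error_description carries AADSTS50055 (constructed sample in the test)."""
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return data["access_token"]
    desc = data.get("error_description", "")
    if "AADSTS50055" in desc:
        raise ForceChangePasswordRequired(desc)
    raise RuntimeError(f"token request failed: {data.get('error')}: {desc}")


def change_password_request(tenant, access_token, current, new):
    """Build the me/changePassword call from the question: (url, headers, json_body)."""
    url = f"{GRAPH}/{tenant}/me/changePassword?api-version=1.6"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, {"currentPassword": current, "newPassword": new}
```

Send each (url, body) pair with your HTTP client of choice; the point of `parse_token_response` is that AADSTS50055 is a signal to let Azure AD's own first-login flow run, not an error to retry.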