
I am trying to create a Reset Password page that will take the new password of the logged-in user to reset that user's password in Azure AD. I have read the information given on the following page for the User Update API.

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs

I have Directory.ReadWrite.All, User.ReadWrite.All (delegated) and User.ReadWrite.All (application) permissions on the Azure AD configuration page. I had asked another question on SO about creating users through the MS Graph API, in which I learned how to create an access token. I am following the same procedure to get an access token for calling the "User Update API". In Postman I am passing the values below.

PATCH https://graph.microsoft.com/v1.0/users/principalname@blah.in
Content-type: application/json
Authorization: bearer TOKEN

{
    "passwordProfile": {
        "forceChangePasswordNextSignIn": false,
        "password": "XXXXXXXXX"
    }
}

When I execute this I get the following error:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
            "date": "2019-05-10T05:13:19"
        }
    }
}

I am unable to understand why I am getting this error, because all permissions have been given to the user.

I have gone through all the questions related to "Insufficient privileges to complete the operation" on SO before posting this question.

  • I will update you with the result. Admin takes time to provide permission, as per internal process. – KurioZ7 May 13 '19 at 03:11

1 Answer


Because when updating the passwordProfile property, you need the Directory.AccessAsUser.All permission.

See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs


  • My bad that I didn't read that line. I have to ask my admin to provide this permission and see if this solves the issue. – KurioZ7 May 10 '19 at 06:10
  • @KurioZ7 Be very careful with this permission. It will allow your app to do *anything* the signed-in user is allowed to do in Azure AD. If the signed-in user is an admin, this could be very impactful. If your app's code or the app's server is compromised (e.g. if your credential management was anything less than perfect), the app has all the powers of the admin. – Philippe Signoret May 10 '19 at 17:17
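The following is an added example, not code from the question or the answer, showing how a reset-password backend can build the PATCH request from the question, check up front whether the delegated token actually carries the permission the answer names (Directory.AccessAsUser.All), and turn the Authorization_RequestDenied body into a diagnosis without ever logging the new password. It assumes the delegated token is a JWT whose space-separated `scp` claim lists the granted scopes; the token built by `make_fake_token` is constructed and unsigned, purely so the script runs offline.

```python
import base64
import json
import urllib.parse

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Permission the accepted answer points at for passwordProfile updates.
REQUIRED_SCOPE = "Directory.AccessAsUser.All"


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature.

    Only for local inspection of a token you already hold (e.g. to see which
    delegated scopes it carries); never use this to trust a token from a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_has_scope(token: str, scope: str) -> bool:
    """True when the token's space-separated 'scp' claim includes scope (assumed format)."""
    claims = decode_jwt_claims(token)
    return scope in claims.get("scp", "").split()


def build_password_reset_request(token: str, upn: str, new_password: str,
                                 force_change: bool = False) -> dict:
    """Build the PATCH call from the question as a dict usable with
    requests.request(**req). Fails fast if the token lacks the required scope,
    so the 403 is caught locally instead of showing up as a Graph error."""
    if not token_has_scope(token, REQUIRED_SCOPE):
        raise PermissionError(
            f"access token lacks {REQUIRED_SCOPE}; Graph answers "
            "Authorization_RequestDenied for passwordProfile updates")
    # Percent-encode the UPN so characters such as '#' (guest UPNs) cannot alter the path.
    url = f"{GRAPH_BASE}/users/{urllib.parse.quote(upn, safe='@')}"
    return {
        "method": "PATCH",
        "url": url,
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "json": {"passwordProfile": {
            "forceChangePasswordNextSignIn": force_change,
            "password": new_password}},
    }


def explain_graph_error(status: int, body: str) -> str:
    """Map a Graph response to a short diagnosis. Only the error code, message
    and request-id are surfaced; the password never enters the return value."""
    if status in (200, 204):
        return "ok"
    try:
        err = json.loads(body).get("error", {})
    except json.JSONDecodeError:
        return f"HTTP {status}: non-JSON body"
    code = err.get("code", "")
    req_id = err.get("innerError", {}).get("request-id", "?")
    if code == "Authorization_RequestDenied":
        return (f"{code} (request-id {req_id}): the token lacks a permission for this "
                f"operation; passwordProfile updates need {REQUIRED_SCOPE}")
    return f"{code} (request-id {req_id}): {err.get('message', '')}"


def make_fake_token(scopes: str) -> str:
    """Constructed, unsigned JWT for offline testing (empty signature segment)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'scp': scopes})}."


if __name__ == "__main__":
    tok = make_fake_token("User.ReadWrite.All Directory.ReadWrite.All")
    try:
        build_password_reset_request(tok, "principalname@blah.in", "XXXXXXXXX")
    except PermissionError as e:
        print("pre-flight check:", e)
    # The error body from the question, replayed through the diagnoser.
    sample = ('{"error":{"code":"Authorization_RequestDenied","message":'
              '"Insufficient privileges to complete the operation.","innerError":'
              '{"request-id":"1ab4e11b-57e7-481f-9d93-296a3dece72c"}}}')
    print(explain_graph_error(403, sample))
```

The pre-flight scope check is a convenience, not a security control: Graph enforces the permission server-side regardless, and the local decode deliberately skips signature verification because the app is inspecting its own token, not authenticating a caller. The comment above about Directory.AccessAsUser.All still applies: the check tells you the token is powerful enough, which is exactly why the token and the server holding it need to be protected, and why the request dict keeps the password out of anything that is logged.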