
I am currently trying to sync the password a user is using on my website (simple PHP and MySQL) with the password of an account on Microsoft that I have created for them. So basically they all have a {user_id}@mydomain.com account with a random password, and if they want to use it they basically re-enter their password on a dedicated page in the client area of my website, so that I make an API call and update the random password with their own.

  • I am working without a signed-in user (for obvious reasons)
  • I have correctly set up the required "application permissions": User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All

BUT, it says I don't have enough permissions:

array(1) { ["error"]=> array(3) { ["code"]=> string(27) "Authorization_RequestDenied" ["message"]=> string(50) "Insufficient privileges to complete the operation." ["innerError"]=> array(2) { ["request-id"]=> string(36) "acb8b9c7-6a63-4157-8c92-de5f49a69ac8" ["date"]=> string(19) "2020-04-30T17:13:04" } } }

This is the code I am currently using to update the password, in case it helps:

$password = array(
    'forceChangePasswordNextSignIn' => false,
    'forceChangePasswordNextSignInWithMfa' => false,
    'password' => $_POST['password']
);

$data = array(
    'passwordProfile' => $password
);

$updatePassword = patch_microsoft_graph('users/'.$userID, $data, true);

I also leave you the reference for the patch_microsoft_graph() function:

function patch_microsoft_graph($scope, $data, $object) {

    if (!$scope) {
        return 'no $scope';
    }

    // get_microsoft_access_token() is defined elsewhere on the site and is
    // assumed to return the value used verbatim in the Authorization header;
    // Graph expects that header in the form "Bearer <token>".
    $access_token = get_microsoft_access_token();

    $payload = json_encode($data);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/$scope");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    // Single header set. The original set CURLOPT_HTTPHEADER twice; the first
    // value, a bare "application/x-www-form-urlencoded", was not a valid header
    // line and was overwritten by this set anyway.
    $headers = [
        "Authorization: $access_token",
        "Host: graph.microsoft.com",
        "Content-Type: application/json",
        "Accept: application/json"
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    $server_output = curl_exec($ch);
    curl_close($ch);

    // $object = true decodes the JSON response into an associative array
    return json_decode($server_output, $object);
}

Can someone help? Thanks in advance

OpenStudio

1 Answer

  • Here's the related documentation for the API call. So just make sure you set the correct permissions (whether you're using Application or delegated permissions, as per the document.)
  • Also please check whether the account that you're using to update the password has any roles assigned. Say, when updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All. Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.

Try the above and let me know how it goes.

Dev
  • Hello there, I have already set the correct permissions as stated in the first message. Also, the user is a test user and does not have any role – OpenStudio May 01 '20 at 02:52
  • Setting the correct permissions is one piece. But they also need to be part of the role(s) mentioned above. – Dev May 01 '20 at 06:46
  • The fact is that the page will be visible for all the users to change their password, so I can't add all the users as Helpdesk administrators – OpenStudio May 02 '20 at 01:35
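The following is an added example, not code from the question or from Microsoft, covering the two things the thread turns on: the PATCH call on /users/{id} with a passwordProfile, and the distinction between the application permissions granted to the app and the directory role the answer says is also required. Before calling Graph it decodes the app-only token's payload locally and checks that the "roles" claim (where Azure AD places application permissions; delegated scopes go in "scp") actually contains User.ReadWrite.All, so a missing admin-consent grant is caught before the request. It then sends the header as "Authorization: Bearer <token>" and returns the Graph error code and request-id on failure. It assumes get_microsoft_access_token() from the question returns the raw client-credentials access token; the function names graph_patch, missing_app_roles, jwt_payload and set_user_password are hypothetical.

```php
<?php
// Added example (not the asker's or Microsoft's code). Assumes
// get_microsoft_access_token() returns the raw app-only access token string.

// Decode the payload segment of a JWT without verifying the signature.
// Only for inspecting claims locally; this proves nothing about the token's
// validity, so never use it to make a trust decision.
function jwt_payload(string $jwt): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return [];
    }
    $b64 = strtr($parts[1], '-_', '+/');             // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $json = base64_decode($b64, true);
    $payload = $json === false ? null : json_decode($json, true);
    return is_array($payload) ? $payload : [];
}

// Application permissions granted (and admin-consented) to an app-only token
// appear in the "roles" claim. Returns the required roles that are absent.
function missing_app_roles(string $jwt, array $required): array {
    $roles = jwt_payload($jwt)['roles'] ?? [];
    return array_values(array_diff($required, $roles));
}

// PATCH a Graph resource and normalise the outcome. A successful PATCH on
// /users/{id} returns 204 No Content with an empty body; a permissions
// failure returns 403 with error.code "Authorization_RequestDenied", as in
// the dump in the question.
function graph_patch(string $token, string $path, array $data): array {
    $ch = curl_init('https://graph.microsoft.com/v1.0/' . ltrim($path, '/'));
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => 'PATCH',
        CURLOPT_POSTFIELDS     => json_encode($data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => [
            'Authorization: Bearer ' . $token,
            'Content-Type: application/json',
            'Accept: application/json',
        ],
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        return ['ok' => false, 'status' => 0, 'code' => 'CurlError', 'message' => $err, 'request_id' => null];
    }
    $decoded = $body === '' ? [] : (json_decode($body, true) ?? []);
    return [
        'ok'         => $status >= 200 && $status < 300,
        'status'     => $status,
        'code'       => $decoded['error']['code'] ?? null,
        'message'    => $decoded['error']['message'] ?? null,
        // Keep the request-id: it is what Microsoft support and the tenant's
        // audit logs can be correlated against.
        'request_id' => $decoded['error']['innerError']['request-id'] ?? null,
    ];
}

// Pre-flight the token's roles, then set the user's passwordProfile.
function set_user_password(string $token, string $userId, string $newPassword): array {
    $missing = missing_app_roles($token, ['User.ReadWrite.All']);
    if ($missing) {
        return ['ok' => false, 'status' => 0, 'code' => 'LocalPreflight',
                'message' => 'Token lacks application roles: ' . implode(', ', $missing),
                'request_id' => null];
    }
    return graph_patch($token, 'users/' . rawurlencode($userId), [
        'passwordProfile' => [
            'forceChangePasswordNextSignIn'        => false,
            'forceChangePasswordNextSignInWithMfa' => false,
            'password'                             => $newPassword,
        ],
    ]);
}

// Usage (token retrieval is the question's own helper):
// $result = set_user_password(get_microsoft_access_token(), $userID, $_POST['password']);
// if (!$result['ok']) { error_log($result['code'] . ': ' . $result['message'] . ' request-id=' . $result['request_id']); }
```

If the pre-flight passes (the roles claim lists User.ReadWrite.All) and Graph still answers 403 Authorization_RequestDenied, the permission grant is not the problem; that is the situation the answer describes, where the identity performing the password reset must additionally hold a directory role such as Helpdesk Administrator. With app-only tokens that role would be assigned to the app's service principal once, which avoids the per-user Helpdesk Administrator assignment the last comment objects to. Logging the status, code and request-id on every failed call also gives the tenant admin something concrete to match against the sign-in and audit logs.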