3

I am updating a user's password via a Node.js Graph API application (with an application token) using the endpoint below:

PATCH /users/{userId}

{
  passwordProfile: {
    forceChangePasswordNextSignIn: true,
    password: newPassword,
  }
}

I provided all of the following application and delegated permissions:

User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

I have two tenants (one for dev and another for prod). In the dev tenant everything works fine, but it fails in the prod tenant.

Error:

Error: Could not update password. Error: Authorization_RequestDenied

Permission screen (screenshots not reproduced here)

Suresh
  • Try giving your app the Global Admin role and see whether you can update the user or not. – Shiva Keshav Varma May 24 '21 at 07:28
  • @ShivaKeshavVarma It's already there; I attached a new image to the description. App admin, Cloud App admin, Reports reader. – Suresh May 24 '21 at 08:27
    Suresh, please give the Global Administrator role only, not App admin, Cloud App admin, or Reports reader. – Shiva Keshav Varma May 24 '21 at 08:57
  • @ShivaKeshavVarma Any idea how much time it takes for the permission to propagate? One more thing: how is it working in my other tenant, where there is no Global Admin permission? – Suresh May 24 '21 at 09:06
  • @ShivaKeshavVarma Providing the Global Admin role worked, but I am in a situation where I shouldn't use it (I should provide the appropriate one instead). – Suresh May 24 '21 at 09:28
  • @ShivaKeshavVarma The Authentication administrator role also does the job. Maybe you could post it as an answer and I'll accept it :) – Suresh May 24 '21 at 09:39
  • Glad to hear that it worked for you :) – Shiva Keshav Varma May 24 '21 at 10:34
  • I was struggling with a similar requirement: editing one flag on AD users with the Graph API. I found that "User administrator" or "Authentication administrator" only works when you modify regular users' attributes. If you need to call the PATCH operation to set an attribute on a user who is not a regular user (like a Global Admin), then you will need Global Admin. – Ahmet Nov 25 '21 at 04:10

1 Answer

2

There are a few cases where we cannot modify another user's data simply like that. It is not just the API permissions; we also need to have a proper role to perform some operations. As we are modifying another user's password, we should have the highest role, or a related role, that can do it. I gave the Global Admin role, which worked in my case.

As @Suresh suggested, we can also use the Authentication administrator role, as it worked for him.

Permissions added to an application may take a few seconds to apply, as it depends on different factors like the internet, etc.

Shiva Keshav Varma
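As an added example (not code from the question or the answer), here is a small Node.js helper that builds the PATCH request from the question and turns the Graph reply into something a caller can act on. Graph returns the same Authorization_RequestDenied code whether the app lacks a consented Graph permission or a directory role, so the helper does not pretend to tell those apart; instead it emits the checklist this thread arrived at (permission consented in the failing tenant, a directory role assigned to the service principal, and the target user not being a privileged role holder). The function names, the role list, and the sample 403 body are this example's own assumptions.

```javascript
// Added example, not code from the question or the accepted answer.
// Builds the PATCH /users/{id} request from the question and interprets the
// Graph reply. Names such as buildPasswordResetRequest are this example's own.
const GRAPH_BASE = "https://graph.microsoft.com/v1.0";

// Directory roles this thread reports as sufficient for the call
// (Global Administrator always; Authentication Administrator for regular users).
const ROLES_REPORTED_WORKING = ["Global Administrator", "Authentication Administrator"];

function buildPasswordResetRequest(userId, newPassword, accessToken) {
  if (!userId || !newPassword || !accessToken) {
    throw new Error("userId, newPassword and accessToken are required");
  }
  return {
    method: "PATCH",
    url: `${GRAPH_BASE}/users/${encodeURIComponent(userId)}`,
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
    // forceChangePasswordNextSignIn makes the value a one-time password:
    // the user must choose their own at next sign-in.
    body: JSON.stringify({
      passwordProfile: { forceChangePasswordNextSignIn: true, password: newPassword },
    }),
  };
}

// Map a Graph status/body pair to a result the caller can act on.
function classifyGraphResponse(status, responseText) {
  let code = null;
  let message = null;
  try {
    const parsed = JSON.parse(responseText);
    code = parsed?.error?.code ?? null;
    message = parsed?.error?.message ?? null;
  } catch {
    // Non-JSON body (e.g. an HTML gateway page); keep code/message null.
  }
  if (status === 204) return { ok: true, reason: "password-updated" };
  if (status === 401) return { ok: false, reason: "token-rejected", code, message };
  if (status === 403 && code === "Authorization_RequestDenied") {
    // Same code for a missing Graph permission and for a missing directory
    // role, so report every check the thread identified.
    return {
      ok: false,
      reason: "insufficient-privileges",
      code,
      message,
      checks: [
        "Graph application permission (e.g. User.ReadWrite.All) granted with admin consent in the failing tenant",
        `service principal assigned a directory role that allows the reset (${ROLES_REPORTED_WORKING.join(" or ")})`,
        "target user is not itself a privileged role holder; that case needed Global Administrator in the thread",
      ],
    };
  }
  return { ok: false, reason: "unexpected", status, code, message };
}

// Pre-flight least-privilege check: true if the app's assigned roles include
// one the thread reports as working (assumption: names as shown in the portal).
function hasReportedWorkingRole(assignedRoleNames) {
  return assignedRoleNames.some((r) => ROLES_REPORTED_WORKING.includes(r));
}

// Live call; fetch is injectable so it can be exercised against a stub.
async function resetUserPassword(userId, newPassword, accessToken, fetchImpl = globalThis.fetch) {
  const req = buildPasswordResetRequest(userId, newPassword, accessToken);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return classifyGraphResponse(res.status, await res.text());
}

// Constructed sample of the 403 body Graph sends for this failure.
const SAMPLE_DENIED_BODY = JSON.stringify({
  error: { code: "Authorization_RequestDenied", message: "Insufficient privileges to complete the operation." },
});
```

Call `hasReportedWorkingRole` with the roles shown on the app's "Assigned roles" blade before deploying to a new tenant; the question's prod/dev mismatch is exactly the case where the permissions were consented but the role assignment differed between tenants. Keep `forceChangePasswordNextSignIn: true` so the admin-set value never becomes the user's long-term password.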