Reputation: 2552
We are using several LDAPs in our company, including Azure AD for Office 365, Google, and an internal OpenLDAP.
We are working on some sort of independent web front end where users would be able to change some of their data, including their password; any change made by a user should be automatically updated and replicated across all 3 LDAPs.
I'm using a custom Python script to achieve that; however, I'm experiencing a problem with Azure AD: it doesn't allow me to change the password.
I'm able to view all users and their data, but I'm not able to change a password. When I do an authentication request, it answers me back with the permissions which were granted to my app:
scope = Directory.Read Directory.ReadWrite.All Directory.Write offline_access recipient.manage User.ReadWrite User.ReadWrite.All user_impersonation UserProfile.Read
However response from server is:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
So as I see it, "Directory.ReadWrite.All" is not enough. I also have "UserProfile.Read", but not "UserProfile.Write", and I didn't find any setting in the App Configuration which would allow me to grant that access.
These are all my App permissions:
A bit of Python code:
import json
import requests  # assumed HTTP client; the question does not show the request call itself
# Assumed constants not shown in the question (Azure AD Graph URL format and API version)
GRAPH_API_URL = "https://graph.windows.net/%s/%s?api-version=%s"
TENANT_ID, API_VER = "<TENANT_ID>", "1.6"
TOKEN_TYPE_VALUE, access_token = "Bearer", "<ACCESS_TOKEN>"
graphusersurl = GRAPH_API_URL % (TENANT_ID, 'users/<User_ObjectID>', API_VER)
graphheaders = {
    'Authorization': "%s %s" % (TOKEN_TYPE_VALUE, access_token),
    'Content-Type': 'application/json',
}
passworddata = {
    "passwordProfile": {
        "password": '<NEW_USER_PASSWORD>',
        "forceChangePasswordNextLogin": False,
    }
}
# Azure AD Graph updates a user's passwordProfile with a PATCH on the user object
resp = requests.patch(graphusersurl, headers=graphheaders, data=json.dumps(passworddata))
Could you tell me please what I am doing wrong, and how can I get authorized to perform such an action?
Upvotes: 1
Views: 1326
Reputation: 2116
Based on the error message, the issue occurs because the users who have any of the "Administrator" organizational roles are not members of "Company Administrator" or "User Account Administrator" in the Office 365 administrative roles.
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
To resolve this issue, please refer to the KB which provides the solutions: https://support.microsoft.com/en-us/kb/3004133. I have quoted the key messages here for your quick reference:
Please add your application to "Company Administrator" in the Office 365 administrative roles. To do this, run all the following Azure AD Module for Windows PowerShell (MSOL) cmdlets:
#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your Azure AD administrative user name
# (in the [email protected] format)
#-----------------------------------------------------------
Connect-MsolService
#-----------------------------------------------------------
# Replace the Application Name with the name of your
# Application Service Principal
#-----------------------------------------------------------
$displayName = "Application Name"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
#-----------------------------------------------------------
# This will add your Application Service Principal to
# the Company Administrator role
#-----------------------------------------------------------
$roleName = "Company Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId
Also, you must add your application to "User Account Administrator" in the Office 365 administrative roles if the Azure AD user has any of the following "Administrator" organizational roles:
• Global Administrator
• Billing Administrator
• Service Administrator
To do this, run all the following MSOL cmdlets:
#-----------------------------------------------------------
# This will prompt you for your tenant's credential
# You should be able to use your Azure AD administrative user name
# (in the [email protected] format)
#-----------------------------------------------------------
Connect-MsolService
#-----------------------------------------------------------
# Replace the Application Name with the name of your
# Application Service Principal
#-----------------------------------------------------------
$displayName = "Application Name"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
#-----------------------------------------------------------
# This will add your Application Service Principal to
# the User Account Administrator role
#-----------------------------------------------------------
$roleName = "User Account Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId
After you run both sets of cmdlets, your application will be enabled to change the password of all "Administrator" organizational roles.
Please note, it can take up to 30 minutes for the permissions to be applied to the Application Service Principal after you add the permissions to the Office 365 administrative roles.
Should you have any other concerns, please feel free to let us know.
Upvotes: 1
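The request the question is trying to send, and the error handling its front end would need, as an added example that is not code from the question or the answer. It builds the Azure AD Graph PATCH that sets a user's passwordProfile and classifies the error body the tenant returns, so the caller can tell the 403 Authorization_RequestDenied from the question (a missing administrative role on the service principal, not a missing OAuth scope) apart from a rejected token or a transient failure. The graph.windows.net URL format and api-version 1.6 are assumptions, since the question does not show its GRAPH_API_URL or API_VER constants; the sample error body is the one quoted in the question. One caveat a practitioner should keep in mind: Company Administrator is the Global Administrator role, so after the answer's role assignment the app's client secret or certificate is a tenant-wide admin credential and must be stored and rotated as one.

```python
"""Added example (not code from the question or the answer): build the Azure AD
Graph request that sets a user's passwordProfile and classify the error body
the tenant returns, so a front end can distinguish the role problem from the
question from a bad token or a transient failure."""
import json
import urllib.error
import urllib.request

# Assumed: the Azure AD Graph URL format and API version. The question's
# GRAPH_API_URL and API_VER constants are not shown, so these are assumptions.
GRAPH_API_URL = "https://graph.windows.net/%s/%s?api-version=%s"
API_VER = "1.6"

# Constructed sample: the exact error body quoted in the question.
DENIED_BODY = ('{"odata.error":{"code":"Authorization_RequestDenied","message":'
               '{"lang":"en","value":"Insufficient privileges to complete the operation."}}}')


def build_password_patch(tenant_id, user_object_id, access_token, new_password,
                         force_change=False):
    """Return (url, headers, body) for the PATCH on the user object.

    Azure AD Graph updates a user with PATCH; the passwordProfile shape is the
    one the question already uses."""
    url = GRAPH_API_URL % (tenant_id, "users/%s" % user_object_id, API_VER)
    headers = {
        "Authorization": "Bearer %s" % access_token,
        "Content-Type": "application/json",
    }
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextLogin": force_change}}
    return url, headers, json.dumps(body).encode("utf-8")


def classify_graph_error(status, body_text):
    """Map an HTTP status and Graph error body to a short reason string.

    403 + Authorization_RequestDenied is the case in the question: the token
    carries Directory.ReadWrite.All, but the app's service principal is not in
    an administrative role that may reset passwords, so the fix is the role
    assignment from the answer, not another OAuth scope."""
    try:
        err = json.loads(body_text).get("odata.error", {})
    except (ValueError, AttributeError):
        return "non-json-error"
    code = err.get("code", "")
    if status == 403 and code == "Authorization_RequestDenied":
        return "insufficient-privileges"
    if status == 401:
        return "token-rejected"
    if status >= 500:
        return "transient"
    return code or "unknown"


def set_password(tenant_id, user_object_id, access_token, new_password):
    """Send the PATCH. Returns ("ok", status) or ("error", reason).

    The request body holds the new password: never log it on the error path."""
    url, headers, data = build_password_patch(tenant_id, user_object_id,
                                              access_token, new_password)
    req = urllib.request.Request(url, data=data, headers=headers, method="PATCH")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return "ok", resp.status
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")
        return "error", classify_graph_error(exc.code, body)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the real call needs a
    # tenant, a user object ID and a token issued to the service principal.
    print(classify_graph_error(403, DENIED_BODY))  # insufficient-privileges
```

When the role assignment from the answer has been made, the same PATCH succeeds with no change to the scopes in the token, which is the point of the classification: retrying or re-consenting does not help on "insufficient-privileges", while "transient" and "token-rejected" are handled by a retry and a fresh token respectively. Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph, which accepts the same passwordProfile shape on PATCH /users/{id} and likewise requires the caller to hold an administrative role, not only a directory-write permission.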