Microsoft Graph API - Update password - Insufficient privileges to complete the operation

Question

I am trying to update a user via Microsoft Graph API, I am able to update the DisplayName but the PasswordProfile I get an error:

Insufficient privileges to complete the operation.

Here are the roles associated to the token when I decoded the JWT token at http://jwt.io :

"roles": [
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All"
],

Based on the documentation it seems these permissions should suffice.

Here is my code (taken from a console app), I was able to figure out the call is failing via Fiddler, the UpdateAsync does not throw an exception.

try
{
    var userId = "9a5413cd-85ff-4ad1-ab2f-b443941abd8e";
    var token = GetToken().Result;
    System.Console.Write($"Token: {token}");

    var newPassword = "TwDx5zgHxe51DZZ";
    GraphServiceClient graphClient = GetAuthenticatedClient(token);

    // This works -- Updating Display name
    graphClient.Users[userId].Request().UpdateAsync(new User
    {
        DisplayName = "NewDisplayName"
    });

    // This does not work - Updating password
    graphClient.Users[userId].Request().UpdateAsync(new User
    {
        PasswordProfile = new PasswordProfile
        {
            Password = newPassword,
                ForceChangePasswordNextSignIn = true
        }
    });
    System.Console.WriteLine("---Update Complete---");
}
catch (Exception e)
{
    System.Console.WriteLine(e);
}

Method for getting token:

public async Task<string> GetToken()
{
    //  Constants
    var tenant = "dev-mytenantmydomaincom";
    var resource = "https://graph.microsoft.com/";
    var clientID = "XXXXXXXX-87ef-494d-b921-cf8956006b0e";
    var secret = "zgkzas2THJLiD5XXXXXX";

    //  Ceremony
    var authority = $"https://login.microsoftonline.com/{tenant}";
    var authContext = new AuthenticationContext(authority);
    var credentials = new ClientCredential(clientID, secret);
    var authResult = await authContext.AcquireTokenAsync(resource, credentials);
    return authResult.AccessToken;
}

Here is the full response via Fiddler:

HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
client-request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"SliceB","ScaleUnit":"001","Host":"AGSFE_IN_27","ADSiteName":"EST"}}
Duration: 69.2849
Date: Thu, 31 Aug 2017 13:15:34 GMT

{
    "error": {
        "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
                "innerError": {
            "request-id": "6edcf194-7705-4cd7-8144-767925cc9ee4",
                "date": "2017-08-31T13:15:34"
        }
    }
}    

Answer 1

For anyone arriving at this Q&A in 2021 - there is a password reset endpoint in Graph:

POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword

You will have to retrieve the id of the password authentication method first.

The permission needed for this operation is UserAuthenticationMethod.ReadWrite.All which can be granted as an Application type permission.

See the documentation: https://learn.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword

Update

Even though the permission can be granted as an Application type permission, the call will not succeed in Application Context. See https://learn.microsoft.com/en-us/answers/questions/246207/34upn-from-claims-with-value-null-is-not-a-valid-u.html

Answer 2

An easy solution we found out is to add the application principal to the "Helpdesk administrator" role.

1. Go to Azure Active Directory
2. On the left click on Roles and administrators
3. Search for the Helpdesk administrator role and click on it

4. Click on Add assignments and paste your application object id
5. Wait 5 minutes or so for azure to take the changes into account

Answer 3

Passwords are a particularly sensitive data set and therefore have some unique permissions to them. From the documentation:

When updating the passwordProfile property, the following scope is required: Directory.AccessAsUser.All.

The Directory.AccessAsUser.All is a Delegated Permission that requires an Admin. In other words, it allows someone a Global Administrator to change other another user's passwordProfile.

If you're looking to allow the end user to change their password themselves, there is also a baked in ChangePassword method in the SDK:

await graphClient.Me.ChangePassword("current-pwd, "new-pwd").Request().PostAsync();

Note: that this also requires that Admin Consent be granted for DirectoryAccessAsUser.All before a user can execute it)

Keep in mind that DirectoryAccessAsUser.All is a "Delegated" rather than an "Application" permission scope. This means it is only supported by the Authorization Code and Implicit flows; it will not work for daemon/service scenarios using the Client Credentials flow.

If you consider the potential exploits that could be achieved by a non-interactive application having the ability to change user's passwords at will, the reason for this restriction is pretty clear.