Azure.ActiveDirectory.GraphClient 'Insufficient privileges to complete the operation' in UpdateAsync (password reset)

Question

I'm trying to apply 'Reset password' in my security application.

this the script to execute reset button

    $scope.resetPassword = function () {
        $http({ method: 'POST', url: 'api/tenant/admin/user/resetpassword', data: $scope.tenantUserPostModel }).success(function (response, status) {
            if (response) {
                console.log('inside response ' + response);
                noty({ timeout: 2000, layout: 'topRight', text: 'Changes saved successfully', type: 'success' });
                document.getElementById("passwordDetails").style.display = "block";
            }
        });
    };

my api

[HttpPost]
    [Route("api/tenant/admin/user/resetpassword")]
    public async Task<IHttpActionResult> ResetPassword([FromBody]TenantUserPostModel model)
    {
        #region update azure ad user

        string userPrincipalName = model.UserName;
        if (!model.UserName.Contains("@"))
        {
            var DefaultDomain = ConfigurationManager.AppSettings["DefaultDomain"];
            userPrincipalName = model.UserName + "@" + DefaultDomain;
        }

        //*********************************************************************************************
        // update azure ad user
        //*********************************************************************************************
        var activeDirectoryClient = GetActiveDirectoryClientAsApplication();
        IUser userToBeUpdated = new Microsoft.Azure.ActiveDirectory.GraphClient.User();
        try
        {
            List<IUser> users = activeDirectoryClient.Users
                .Where(user => user.UserPrincipalName.Equals(userPrincipalName))
                .ExecuteAsync().Result.CurrentPage.ToList();
            userToBeUpdated = users.First();
        }
        catch (Exception e)
        {
            throw e;
        }

        userToBeUpdated.DisplayName = model.DisplayName;
        userToBeUpdated.GivenName = model.FirstName;
        userToBeUpdated.Surname = model.LastName;
        userToBeUpdated.AccountEnabled = model.IsActive;
        userToBeUpdated.PasswordProfile = new PasswordProfile
        {
            Password = model.TempPassword,
            ForceChangePasswordNextLogin = true
        };

        try
        {
            //error here 'Insufficient privileges to complete the operation'
            await userToBeUpdated.UpdateAsync(false);
        }
        catch (Exception e)
        {
            throw e;
        }
        #endregion
        return this.Ok(model.Id);
    }

screenshot of my azure permissions

I already click the grant the permission after enabling the 'Access the directory as the signed-user'

EDIT: I've added the method GetActiveDirectoryClientAsApplication. I don't if I'm doing it correctly or not.

    protected ActiveDirectoryClient GetActiveDirectoryClientAsApplication()
    {
        Uri servicePointUri = new Uri(_GraphResourceId);
        Uri serviceRoot = new Uri(servicePointUri, _Tenant);
        var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
             async () => await AcquireTokenAsyncForApplication());
        return activeDirectoryClient;
    }

    private string GetTokenForApplication()
    {
        if (ExtendedUserProfile == null)
            throw new Exception("initialize ExtendedUserProfile...");
        string AuthString = _AadInstance + _Tenant;
        AuthenticationContext authenticationContext = new AuthenticationContext(AuthString, false);
        ClientCredential clientCred = new ClientCredential(_ClientId, _Key);
        AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(_GraphResourceId,
            clientCred).Result;
        string token = authenticationResult.AccessToken;
        return token;
    }

    private async Task<string> AcquireTokenAsyncForApplication()
    {
        return GetTokenForApplication();
    }

Answer 1

Based on the way this function is called: GetActiveDirectoryClientAsApplication();

You are probably getting an access token with client credentials, i.e. as the application. This means delegated permissions (like Access directory as the signed in user) do not apply. Only application permissions apply.

You need to use On-Behalf-Of to exchange the access token your API got for an access token to Azure AD Graph API. That will be a token in user context and thus delegated permissions apply.

• My article on the flow: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core
• Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-on-behalf-of
• Example app: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof