atjohns2

Reputation: 57

Microsoft Graph API Password Reset Only Accepts Null password

I am trying to reset another user's password through the Graph API (specifically graph.windows.net, though the same behavior occurs using graph.microsoft.com as well).

I believe all security is properly set up. The application registration has the Directory.ReadWrite.All permissions and the service principal is a Global Administrator. There are no errors regarding insufficient privileges, but whenever I try to provide a password inside the password profile I get an error.

PATCH request to

https://graph.windows.net/{tenant_id}/users/{userPrincipalName}?api-version=1.6

with the following body gives me a 204 response.

{ 
    "passwordProfile": {
        "password": null,
        "forceChangePasswordNextSignIn": true 
    }
}

But the same request with a password of "P@ssword1" or any other valid password returns a 400 Bad Request with the message "One or more properties contains invalid values."

Anyone encountered anything like this? These are accounts being synced from local AD but the password reset has been turned on in Azure and you can manually reset the passwords in AAD. Any help or advice is much appreciated.

Upvotes: 1

Views: 2022

Answers (3)

atjohns2

Reputation: 57

It turns out this was a problem with how AD sync is set up in their environment. Apparently a federated domain syncing to Azure AD locks out the ability to reset passwords via the Graph API, but the error messages don't tell you it's a permissions issue.

It's outlined here under unsupported operations; my problem was not understanding the full AD environment set-up: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

Upvotes: 1

Marc LaFleur

Reputation: 33094

You're calling the wrong URL: graph.windows.net is the legacy Azure AD Graph API. The Microsoft Graph APIs are located at graph.microsoft.com. While these APIs are similar in function, their calling patterns are very different.

As kikang mentioned, in order to change a user's password you need to request the Directory.AccessAsUser.All scope. There are a few important caveats with this scope:

  1. This is a Delegated scope, so it can only be requested when using Authorization Code or Implicit OAuth flows. It cannot be used with Client Credentials.

  2. Before a User can consent to Directory.AccessAsUser.All, you must first obtain Admin Consent from an Admin on the user's AAD tenant/instance.

Once you have the proper scopes consented, you need to issue a PATCH to the /user resource.

Your call will look similar to this:

PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "A-Strong-Password"
  }
}

Upvotes: 0

Keen Jin

Reputation: 1138

According to your description, I assume you want to update a user's password through the Graph API.

According to this document, when we update the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.

Based on my test, we can modify someone's password by using the following steps:

  1. Grant the permission by following this document.

  2. Check whether the password in the profile satisfies the minimum requirements specified by the passwordPolicies property.

  3. Use the following request to update someone's password.

The Request URL:

PATCH /users/{id | userPrincipalName}

And the request body:

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "P@assword1"
  }
}

If successful, this request returns a 204 No Content response code.

Upvotes: 0
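The two answers above both hinge on the same two preconditions: the token must be a delegated one carrying Directory.AccessAsUser.All (a client-credentials token never qualifies), and the PATCH body must carry a real password. The following Python is an added example, not code from either answer or from Microsoft: it inspects a token's claims before any call is made (delegated tokens carry a space-separated `scp` claim, app-only tokens carry `roles` instead) and assembles the PATCH request from the answers; the tokens it builds are unsigned, constructed stand-ins for demonstration, and `alice@contoso.example` is a made-up user.

```python
import base64
import json

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
REQUIRED_SCOPE = "Directory.AccessAsUser.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Read a JWT's payload claims for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_delegated_scope(token: str) -> str:
    """Return 'ok', or the reason this token cannot update passwordProfile."""
    scopes = token_claims(token).get("scp", "").split()
    if not scopes:
        # Client-credentials tokens carry 'roles', never 'scp': app-only, not delegated.
        return "app-only token (no 'scp' claim); use an authorization-code or implicit flow"
    if REQUIRED_SCOPE not in scopes:
        return f"token lacks {REQUIRED_SCOPE}; has: {' '.join(scopes)}"
    return "ok"


def build_password_update(user: str, new_password: str, force_change: bool = True) -> dict:
    """Assemble the PATCH /users/{id | userPrincipalName} request; nothing is sent."""
    if not new_password:
        raise ValueError("password must be non-empty; a null password changes nothing")
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user}",
        "headers": {"Content-Type": "application/json"},
        "body": {"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                     "password": new_password}},
    }


def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed JWT purely for offline demonstration."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `check_delegated_scope` against a real access token (it only reads the payload; verification is the service's job) before issuing the PATCH, and the app-only case the question describes is caught locally instead of surfacing as an opaque 400.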
