scentsword

Reputation: 13

Cannot update Azure AD password with Microsoft Graph API

The following is the request I'm using for the PATCH request for updating a user's password.

var token = TokenHelper.GetToken().AccessToken;
var client = new RestClient("https://graph.microsoft.com/v1.0/users/" + person.UserPrincipalName);
client.Timeout = -1;
var request = new RestRequest(Method.PATCH);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "Bearer " + token);
request.AddParameter("application/json", "{\n\"passwordProfile\": {\n \"password\": \"" + person.NewPassword + "\"\n}\n}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

If I type a complex password I get:

{
  "error": {
    "code": "Request_BadRequest",
    "message": "One or more properties contains invalid values.",
    "innerError": {
      "request-id": "5d97b465-7b27-4328-b0d9-4e9112f2257e",
      "date": "2020-01-03T16:57:35"
    }
  }
}

If I type a simple password I get:

{
  "error": {
    "code": "Request_BadRequest",
    "message": "The specified password does not comply with password complexity requirements. Please provide a different password.",
    "innerError": {
      "request-id": "986fd0da-90d4-45c7-ba74-1ba2bec61956",
      "date": "2020-01-03T17:05:15"
    }
  }
}

If I type no password my response is a 204 No Content (success) and it is working fine if I update other fields (i.e. mobileNumber).

Upvotes: 0

Views: 791

Answers (1)

Marc LaFleur

Reputation: 33094

In order to change a user's password, you need to authenticate using either the Authorization Code or Implicit OAuth grant. In addition, you need to request the delegated scope Directory.AccessAsUser.All. From the documentation:

When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.

You should also set forceChangePasswordNextSignIn to true.

Upvotes: 1
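The request described in the answer, as an added example that is not code from the question or the answer: it checks that the access token is a delegated token carrying Directory.AccessAsUser.All before sending, sets forceChangePasswordNextSignIn to true, and serializes the body instead of concatenating the password into JSON. The class and method names are hypothetical, HttpClient and System.Text.Json stand in for RestSharp, and the token check only reads the payload for diagnostics on the assumption that the token is a decodable JWT.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

static class GraphPasswordReset   // hypothetical helper, not part of any SDK
{
    const string RequiredScope = "Directory.AccessAsUser.All";

    // Delegated tokens list their scopes in "scp"; app-only (client credentials)
    // tokens carry "roles" instead and have no "scp" claim.
    // This inspects the payload for diagnostics only; it does not validate the token.
    public static bool HasDelegatedScope(string jwt, string scope)
    {
        var parts = jwt.Split('.');
        if (parts.Length < 2) return false;
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.TryGetProperty("scp", out var scp)
            && scp.ValueKind == JsonValueKind.String
            && scp.GetString().Split(' ').Contains(scope, StringComparer.OrdinalIgnoreCase);
    }

    public static async Task<HttpResponseMessage> ResetPasswordAsync(
        HttpClient http, string accessToken, string userPrincipalName, string newPassword)
    {
        if (!HasDelegatedScope(accessToken, RequiredScope))
            throw new InvalidOperationException("Access token lacks delegated scope " + RequiredScope);

        // Serialize rather than concatenate, so quotes and backslashes in the password are escaped.
        var body = JsonSerializer.Serialize(new
        {
            passwordProfile = new { forceChangePasswordNextSignIn = true, password = newPassword }
        });

        var request = new HttpRequestMessage(new HttpMethod("PATCH"),
            "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(userPrincipalName))
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return await http.SendAsync(request);
    }
}
```

A token obtained with the client credentials grant fails the scope check before any request is sent, which separates a permission problem from a payload problem.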