Ilia Khapaev

Reputation: 11

Change user password using Microsoft.Azure.ActiveDirectory.GraphClient

I've tried to change a user's password using the ChangeUserPassword method from Microsoft.Azure.ActiveDirectory.GraphClient. I've even added User.ReadWrite.All and Directory.AccessAsUser.All for the B2C app, but it doesn't work. Is it possible to change the password for my users using this method?

When I try to change password I get the following response: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Access to change password operation is denied."},...}}

Updating other user info and resetting the password works fine.

Upvotes: 1

Views: 563

Answers (4)

AlfredoRevilla-MSFT

Reputation: 3485

Actually, it's possible for a B2C user to change its own password. Get a standard (non-B2C) AAD access token with scope=Directory.AccessAsUser.All using your UPN (usually something like objectid@b2ctenantfullname; you can also get this by querying AAD Graph) and call the ChangeUserPassword API. It will work.

Upvotes: 1

Sven

Reputation: 2505

I was able to set a new password for a user with the following code:

public async Task SetUserPassword(string userId)
{
    // Load the user object by its object id
    var toUpdate = await _activeDirectoryClient.Users.GetByObjectId(userId).ExecuteAsync();
    // Replace the whole passwordProfile; ForceChangePasswordNextLogin stays false
    toUpdate.PasswordProfile = new PasswordProfile
    {
        Password = "test!345G",
        ForceChangePasswordNextLogin = false
    };
    // Persist the change with a PATCH against the user object
    await toUpdate.UpdateAsync();
}

Upvotes: 0

Chris Padgett

Reputation: 14634

I believe the GraphClient.ChangeUserPassword method invokes the changePassword action that only allows the signed-in user to change their own password.

This isn't possible for an Azure AD B2C local account user.

Instead, you must PATCH the passwordProfile property for the user object such as:

PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version=1.6
Content-Type: application/json

{
  "passwordProfile": {
    "forceChangePasswordNextLogin": false,
    "password": "Test1234"
  }
}

Note that it's important to set the forceChangePasswordNextLogin property to false, otherwise the local account user can't log in.

Upvotes: 0
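The PATCH described in this answer, written out as an added example (not code from the answer or from the GraphClient library): it builds the passwordProfile request, sends it with a bearer token obtained separately (from an app granted the User administrator role, per the other answers), and turns the Authorization_RequestDenied body quoted in the question into a readable diagnosis. The tenant alias, api-version and error shape come from this page; the `opener` parameter is an assumption added so the call can be tested without network access.

```python
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"


def build_password_patch(tenant, user_id, new_password, force_change=False):
    """Return (url, body) for the passwordProfile PATCH.

    force_change stays False for B2C local accounts: with it set to True
    the user can no longer log in.
    """
    url = f"{GRAPH}/{tenant}/users/{user_id}?api-version={API_VERSION}"
    body = {"passwordProfile": {"forceChangePasswordNextLogin": force_change,
                                "password": new_password}}
    return url, json.dumps(body).encode("utf-8")


def explain_graph_error(payload):
    """Map an odata.error body to a short diagnosis for the operator."""
    try:
        err = json.loads(payload)["odata.error"]
        code, msg = err["code"], err["message"]["value"]
    except (ValueError, KeyError, TypeError):
        return "unrecognised error body"
    if code == "Authorization_RequestDenied" and "change password" in msg.lower():
        # The changePassword action is self-service only; the fix is to
        # PATCH passwordProfile from an app that holds the right role.
        return ("changePassword is self-service only; PATCH passwordProfile "
                "with an app granted the User administrator role instead")
    return f"{code}: {msg}"


def set_user_password(tenant, user_id, new_password, token,
                      opener=urllib.request.urlopen):
    """PATCH the user's passwordProfile and return (http_status, diagnosis)."""
    url, body = build_password_patch(tenant, user_id, new_password)
    req = urllib.request.Request(url, data=body, method="PATCH", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with opener(req) as resp:          # 204 No Content on success
            return resp.status, "ok"
    except urllib.error.HTTPError as e:    # Graph returns the odata.error body
        return e.code, explain_graph_error(e.read())
```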

rbrayb

Reputation: 46720

As per this, did you grant your application the User administrator role? This gives your application the ability to delete users or update passwords.

Upvotes: 0
