nam

Reputation: 23819

Microsoft-Graph - As an Azure AD Admin how you can get a valid access_token for another user

If I understood the response from user @MarcLaFleur here: Resetting a user's password using Microsoft Graph, if you are an Azure AD admin and want to reset a password of another user using Microsoft Graph API then you need to have a valid access_token for the user with Directory.AccessAsUser.All permission, and then you can update the user's passwordProfile.

Question: Using Microsoft Graph, as an Azure AD Admin, how can we get access_token for another user?

Authentication page of my App Registration: [screenshot omitted]

Upvotes: 0

Views: 204

Answers (1)

Joy Wang

Reputation: 42073

If you are an Azure AD admin and want to reset the password of another user using Microsoft Graph API, you just need to get the token for the admin account itself, not the user you want to change.

In this case, you could use the auth code flow.

1. In your AD App, add the permissions like below -> click the Grant admin consent for xxx button.

[screenshot: API permissions page with admin consent granted]

2. Log in with your admin account using the URL below in the browser.

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<client-id>
&response_type=code
&redirect_uri=<redirect_uri>
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

[screenshot: browser redirected back with the authorization code in the query string]

3. Use the code to get the token.

[screenshot: token request to the /oauth2/v2.0/token endpoint]

4. Use the token to change the password of a normal user.

[screenshot: PATCH request updating the user's passwordProfile]
You could also use the Microsoft Graph SDK with the Authorization code provider.

Something like below:

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// Scopes consented to in step 1; the .default scope picks up every permission
// granted on the app registration, including Directory.AccessAsUser.All.
var scopes = new[] { "https://graph.microsoft.com/.default" };

// Confidential client: the redirect URI must match the one registered on the app.
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .WithClientSecret(clientSecret) // or .WithCertificate(certificate)
    .Build();

// Auth code provider: the signed-in admin's delegated token is attached to each request.
AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication, scopes);

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

// Only the passwordProfile is sent; the user is forced to change the password at next sign-in.
var user = new User
            {
                PasswordProfile = new PasswordProfile
                {
                    ForceChangePasswordNextSignIn = true,
                    Password = password,
                }
            };

// PATCH /users/{userId} with the admin's token
await graphClient.Users[userId]
                   .Request()
                   .UpdateAsync(user);

Upvotes: 1
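The four steps in the answer above, written out as the raw HTTP exchange so each request can be inspected before it is sent. This is an added example, not code from the question or the answer: it only builds the authorize URL, the token request and the Graph PATCH as data structures, and never touches the network. The tenant id, client id, client secret, redirect URI, user id and password are placeholders. One check is added that the answer's fixed state=12345 does not give you: the state is generated randomly per login and compared when the redirect comes back, so an authorization code that did not originate from this request is rejected.

```python
# Added example: the HTTP exchange behind the auth code flow + Graph password reset.
# Assumptions: all ids/secrets below are placeholders; nothing here performs network I/O.
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def build_authorize_url(tenant_id, client_id, redirect_uri, state):
    """Step 2: the v2.0 authorize URL the admin opens in the browser."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"{GRAPH}/.default",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def extract_code(redirect_url, expected_state):
    """Read the code out of the redirect back from the login page.

    The state must equal the one generated for this login, otherwise a code
    delivered through some other path is refused instead of exchanged."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by our authorize request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(tenant_id, client_id, client_secret, redirect_uri, code):
    """Step 3: form-encoded POST exchanging the code for the admin's delegated token."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in step 2
        "scope": f"{GRAPH}/.default",
    }
    return {
        "method": "POST",
        "url": f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def build_password_reset_request(access_token, user_id, new_password):
    """Step 4: PATCH the target user's passwordProfile using the admin's token."""
    payload = {
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": new_password,
        }
    }
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/v1.0/users/{user_id}",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # Placeholder values (constructed); replace with your tenant's own.
    tenant, client, secret = "<tenant-id>", "<client-id>", "<client-secret>"
    redirect = "https://localhost/callback"
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(tenant, client, redirect, state))
    # Constructed stand-in for the redirect the browser receives after login.
    code = extract_code(f"{redirect}?code=ABC123&state={state}", state)
    print(build_token_request(tenant, client, secret, redirect, code)["url"])
    print(build_password_reset_request("<access-token>", "<user-id>", "<new-password>")["url"])
```

The token returned in step 3 is the admin's own delegated token, which is the answer's point: the PATCH is authorised by the admin's Directory.AccessAsUser.All permission, so no token for the target user is ever needed.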
