I’m attempting to call the Microsoft Graph resetPassword endpoint (documentation: https://learn.microsoft/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-1.0&tabs=http) using an app-only (client_credentials) token. Despite assigning my service principal to the Privileged Authentication Administrator role at the directory level and granting the necessary Graph application permissions, I consistently receive an HTTP 403 Forbidden with the error accessDenied (message: “The user is not authorized to access this resource.”).

Below are my details:

Service Principal Role

The app (service principal) is assigned to Privileged Authentication Administrator in Azure AD → Roles and administrators. I waited sufficient time for the role assignment to propagate and then requested a fresh token.

Graph Permissions (App-Only)

In Azure AD App Registrations → API permissions, I have Application permissions for:

  • UserAuthenticationMethod.ReadWrite.All
  • Directory.ReadWrite.All

These permissions have been granted admin consent. My JWT’s roles claim shows them correctly.

Request Details

I’m using the following cURL request. The personal access token is hidden. Refer to the official API documentation here: https://learn.microsoft/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-1.0&tabs=http

curl --location 'https://graph.microsoft/v1.0/users/{id | userPrincipalName}/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN>' \
  --data '{ "newPassword": "NewPassword123!" }'

Question: What else could cause the resetPassword call to return accessDenied in an app-only scenario, given that the service principal is in Privileged Auth Admin and has the correct Graph permissions? Has anyone successfully called this endpoint with phone/email methods in production?

Any guidance is greatly appreciated. I’m on a CSP subscription, so I can’t open a direct Microsoft support ticket.

asked Feb 11 at 16:13 by Sumit Sawant

2 Answers

I have recently implemented this feature by following the steps outlined below.

Please ensure that the following permissions are enabled in your B2C application.

1- User-PasswordProfile.ReadWrite.All

2- UserAuthenticationMethod.ReadWrite.All

Generate a token by making a request to the endpoint provided below in order to interact with the Graph API.

Call the endpoint provided below to update the user data.

The request body should include the new password in the "Password" field.

For additional guidance, please refer to the resources provided below.

https://learn.microsoft/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

https://learn.microsoft/en-us/graph/api/resources/passwordprofile?view=graph-rest-1.0

I had the same issue and found it very frustrating: no matter what I tried, I always got a 403. I could get it done with help from MS (credits go to Lucian Wu).

The problem you are facing is that, according to the documentation of the API, this endpoint is not accepted to be called by an "Application", only with a Delegated permission. https://learn.microsoft/en-us/graph/api/user-changepassword?view=graph-rest-1.0&tabs=http#permissions.

When I was granting the role of Authentication Administrator to my service principal, it also needed to call a Graph API application. And I was granting the SP Microsoft Graph UserAuthenticationMethod.ReadWrite.All with admin consent. But you see, when you grant admin consent, you actually grant an application permission, and this is what is not allowed by the API endpoint according to the doc. If you grant "delegated", then something must call the service principal/app registration as the middle-layer interface.

And this is what you need: something to act as a middle layer. And also, unfortunately, a user object to start the flow. Now, your "application" would be making requests using the user/pass of this user, and sending the request to the app registration you created.

A flow that allows that to work is:

1- Create a user object. Assign it to the role of Authentication Administrator.

2- Create an app registration. Under Certificates & secrets, create a secret for it. Under API permissions add as "delegated": Microsoft Graph

  • openid
  • User.Read
  • User.AuthenticationMethod.ReadWrite.All

Once those two are in place, then you need to use the ROPC flow: https://learn.microsoft/en-us/entra/identity-platform/v2-oauth-ropc

Get a token by hitting: https://login.microsoftonline//oauth2/v2.0/token with an x-www-form-urlencoded body:

  • client_id:
  • scope: user.read openid
  • username:
  • password:
  • client_secret:
  • grant_type: password

The request will return an "access_token" in the JSON. Use this access token to call the password reset API: https://graph.microsoft/v1.0/users/<UPN_or_ID>/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword with header: Authorization: Bearer <access_token_above> and body: { "newPassword": "yourNewPassword" }

Things to note

If you are using this in an automated setting (say from a logic app, or a script), you are really using a user UPN and password, which is not ideal... MFA will be a complicator, so you will need to go around your Conditional Access policies and add this user as an exemption.

Besides that, you will need to take extra care with those credentials, as Authentication Administrator is a privileged role. If you are using this setup, try to reduce the scope of the user by adding the role to an Administrative Unit.

Hope that this helps. If I find a better solution, I'll update this post.
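The 403 in this thread comes down to which kind of token is presented, so a useful first check before changing roles or permissions is to inspect the token's own claims: an app-only (client_credentials) token carries its permissions in the roles claim, while a delegated token carries them in the scp claim, and the second answer reports that resetPassword accepts only the delegated kind. The Python below is an added example, not code from the question or either answer; it decodes a JWT payload without verifying the signature (diagnosis of a token you already hold, not validation of someone else's) and reports which kind you have. The function names are mine, and the two tokens it runs on are constructed locally and unsigned.

```python
import base64
import json

# Delegated permission named in the answers above for the resetPassword call
REQUIRED_SCOPE = "UserAuthenticationMethod.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str) -> dict:
    """Classify a Graph token as app-only or delegated and check the scope."""
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    roles = set(claims.get("roles", []))          # app-only permissions
    delegated = bool(scopes)                      # scp only appears with a signed-in user
    has_scope = REQUIRED_SCOPE in scopes
    if not delegated:
        verdict = "app-only token (roles only): endpoint wants delegated, expect 403"
    elif not has_scope:
        verdict = f"delegated token, but {REQUIRED_SCOPE} is missing from scp"
    else:
        verdict = "delegated token with required scope; check the user's directory role next"
    return {"delegated": delegated, "has_required_scope": has_scope,
            "roles": sorted(roles), "scopes": sorted(scopes), "verdict": verdict}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) token for local testing only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: one shaped like the questioner's app-only token,
# one shaped like the delegated token the ROPC workaround yields.
APP_ONLY = make_unsigned_token({"aud": "https://graph.microsoft.com", "idtyp": "app",
                                "roles": [REQUIRED_SCOPE, "Directory.ReadWrite.All"]})
DELEGATED = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                 "scp": f"openid User.Read {REQUIRED_SCOPE}"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY), ("delegated", DELEGATED)):
        print(f"{name}: {diagnose_token(tok)['verdict']}")
```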
