I am trying to create a page in ASP.Net MVC to reset the current user's password. I am using Azure active directory for user authentication. To access, the user's AD informa
You can change the password from your application only if you give it the right privilege. The approach explained by Martyn C is the best approach if you can impersonate the user, who, of course, has the permission to change his password. With my approach there's no need to use any UserCredentials, since the permissions will be assigned to the application, which will be able to change the password for other users. A typical use case is when you need to manage password changes from an API with a non-interactive flow. This implies you must trust the application's code and use it carefully.
I used to grant the Helpdesk Administrator role to my app, which is enough to change the password of other users, through this PowerShell script:
Install-Module MSOnline
Install-Module AzureAD
Connect-MsolService
Connect-AzureAD
$applicationId = "{your app ID}"
$sp = Get-MsolServicePrincipal -AppPrincipalId $applicationId
Add-MsolRoleMember -RoleObjectId "{role object ID}" -RoleMemberObjectId $sp.ObjectId -RoleMemberType servicePrincipal
You should connect using a user with administrator privileges on your Active Directory. You can get the proper role ID using this command:
Get-AzureADDirectoryRole
Now your app has enough privileges to call the PATCH method (from Microsoft Docs) to change the password for other users.
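Added example, not part of the original answer: because the role lets the application reset other users' passwords, it is worth reviewing periodically which service principals hold it. The sketch below uses the AzureAD module from the answer; the `$expectedAppIds` allow-list and its placeholder value are assumptions to replace with your own application IDs.

```powershell
# Added example: list service principals that hold the Helpdesk Administrator role
# and flag any that are not on an allow-list. Needs an administrator sign-in.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$roleName = 'Helpdesk Administrator'        # role named in the answer above
# Assumption: your own list of application IDs that are meant to hold the role.
$expectedAppIds = @('{your app ID}')

# Get-AzureADDirectoryRole only returns roles already activated in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    throw "Role '$roleName' is not activated in this tenant; nothing to review."
}

# Role members can be users or service principals; keep the service principals.
$spMembers = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' }

$report = foreach ($sp in $spMembers) {
    [pscustomobject]@{
        Role        = $role.DisplayName
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        ObjectId    = $sp.ObjectId
        Expected    = ($sp.AppId -in $expectedAppIds)
    }
}

$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) service principal(s) hold '$roleName' but are not on the allow-list."
    # After review, a member can be removed with:
    # Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $unexpected[0].ObjectId
}
```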