StefanMagnusLandromollerno
Nov 10, 2023, Copper Contributor
Permissions required to update password
Hi there
I'm trying to update a user's password using the graph api (terraform really).
Creating a user and setting an initial password using a service principal that has the application role "User.ReadWrite.All" works as expected - however updating the password with the same service principal does not work.
What role should I use instead? Is it even possible?
Stefan
3 Replies
- As detailed in the documentation, you need additional permissions to update passwords:
passwordProfile PasswordProfile Specifies the password profile for the user. The profile contains the user's password. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. As a best practice, always set the forceChangePasswordNextSignIn to true. This cannot be used for federated users.
In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Microsoft Entra role.
In addition, if you plan to update the password of a user in an admin role, you will need the Privileged auth admin role assigned.
- StefanMagnusLandromollerno, Copper Contributor
Thanks VasilMichev!
From https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/authorization-request-denied-graph-api it looks like I need the "Company Administrator" role - you say "User Administrator"?
- That's the last scenario, updating password for an admin user. In this case, GA or Privileged Auth admin is required. For regular users, all you need is User admin.
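As an added illustration (not code from the thread, from Terraform, or from Microsoft), here is a small Python preflight check that encodes the rule Vasil describes: the same service principal can create a user with only User.ReadWrite.All, but a PATCH of passwordProfile also needs a directory role, and a stricter one when the target user holds an admin role. The role display names and the sample principals are constructed assumptions, not live Graph output.

```python
from dataclasses import dataclass, field

# Entra directory roles that satisfy the password-update rule (display names,
# assumed here). "Company Administrator" in the linked troubleshooting article
# is the legacy name of the Global Administrator role.
ROLES_FOR_REGULAR_TARGET = {
    "User Administrator",
    "Privileged Authentication Administrator",
    "Global Administrator",
}
ROLES_FOR_ADMIN_TARGET = {
    "Privileged Authentication Administrator",
    "Global Administrator",
}


@dataclass
class ServicePrincipal:
    app_permissions: set  # Graph application permissions, e.g. User.ReadWrite.All
    directory_roles: set = field(default_factory=set)


@dataclass
class TargetUser:
    upn: str
    directory_roles: set = field(default_factory=set)


def can_create_user(sp: ServicePrincipal) -> bool:
    """POST /users with an initial passwordProfile needs only the app permission."""
    return "User.ReadWrite.All" in sp.app_permissions


def can_update_password(sp: ServicePrincipal, target: TargetUser) -> tuple:
    """PATCH /users/{id} passwordProfile: app permission plus a qualifying role."""
    if "User.ReadWrite.All" not in sp.app_permissions:
        return False, "service principal lacks User.ReadWrite.All"
    is_admin = bool(target.directory_roles)
    required = ROLES_FOR_ADMIN_TARGET if is_admin else ROLES_FOR_REGULAR_TARGET
    if not sp.directory_roles & required:
        kind = "admin" if is_admin else "regular"
        return False, f"{target.upn} is a {kind} user; SP needs one of {sorted(required)}"
    return True, "ok"


# Constructed scenario from the thread: app permission granted, no directory role.
tf_sp = ServicePrincipal(app_permissions={"User.ReadWrite.All"})
alice = TargetUser("alice@example.invalid")
bob = TargetUser("bob@example.invalid", directory_roles={"Global Administrator"})

if __name__ == "__main__":
    print("create alice:", can_create_user(tf_sp))            # True
    print("update alice:", can_update_password(tf_sp, alice))  # (False, ...)
```

To run it against a real tenant, fill the two dataclasses from the service principal's app role assignments and directory role memberships before running terraform apply.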