Forum Discussion
Resetting User’s Password using Microsoft Graph API
- Afaik application permissions are not supported for this operation.
- VasilMichev
I working off the following Microsoft Document to reset a users password using graph.
https://docs.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword?view=graph-rest-beta&tabs=http
I created a service account:
- gave that account "Authentication admin" privileged
- add UserAuthenticationMethod.ReadWrite.All permission to app in APP Registration
Question: Do you have any recommendation on what I would need to get graph for PW reset to work?
Also, I have additional question, I'm still new to whole using Microsoft Graph API within my PowerShell. How can I make the payload (password) a $variable?
Thank You,
-Larry
Below is the snapshot of the script I'm trying to get to work
###############################################
Function HeaderToken-RW
{
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
# Add System.Web for urlencode
Add-Type -AssemblyName System.Web
# Create body
$Body = @{
client_id = $AppId
client_secret = $AppSecret
scope = $Scope
grant_type = 'client_credentials'
}
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
ContentType = 'application/x-www-form-urlencoded'
Method = 'POST'
# Create string by joining bodylist with '&'
Body = $Body
Uri = $Url
}
# Request the token!
$Request = Invoke-RestMethod @PostSplat
# Create header
$Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
Return $Header
}#End Header Function
$AdminName = 'xxxxx@xxxx.com'
$EncryptPW = "xxxxxxxxxxxxxxxx"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString)
$UserAZGUID = 'XXXXXXXXXX-XXXXXXXXX-XX-XXXXXXXXXX-XXXX'
$HeaderRW = HeaderToken-RW
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetPassword"
$Body = '{"newPassword" : "password"}'
$UserResult = Invoke-RestMethod -Headers HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"- Something like this should do:
$password = "password"
$Body = '{"newPassword" : $password}'
or you can just ask for input via Read-Host or similar. Or not specify a password at all, in which case a random one would be generated.Thank You for responding, and sorry for not responding sooner apparently there was an issue with my RSS feed in Teams.
Can't use Read-Host, this function being build into a service desk application.
When I execute PW reset Function I receive the following error:
[Line 304] Password randomly generated by script kaHF539*@
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:76 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand###################################
Permission applied to the API
####################################
Function HeaderToken-RW
{## extract of header token function - see the full Header Token function within this thread ##
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"Return $Header
}#End Header Function## end of extract of header token function ##
function Get-RandomCharacters($length, $characters)
{
$random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
$private:ofs=""
return [String]$characters[$random]
}
$password = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@$&%*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow####################################
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetpassword"
$Body = '{"newPassword" : "$password"}'
$HeaderRW = HeaderToken-RW
$UserResult = Invoke-RestMethod -Headers HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"-Thank You
- Thank You for responding
