Forum Discussion
Resetting User’s Password using Microsoft Graph API
- May 07, 2021
AFAIK, application permissions are not supported for this operation.
Thank you for responding, and sorry for not responding sooner; apparently there was an issue with my RSS feed in Teams.
I can't use Read-Host, as this function is being built into a service desk application.
When I execute the PW reset function I receive the following error:
[Line 304] Password randomly generated by script kaHF539*@
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:76 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
###################################
Permission applied to the API
####################################
Function HeaderToken-RW
{
## extract of header token function - see the full Header Token function within this thread ##
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
Return $Header
}#End Header Function
## end of extract of header token function ##
function Get-RandomCharacters($length, $characters)
{
    # Picks $length random indexes into $characters and joins the selected chars.
    # Note: Get-Random is not a cryptographically secure generator; for passwords
    # prefer System.Security.Cryptography.RandomNumberGenerator.
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs = ""   # empty separator so the [String] cast joins the chars without spaces
    return [String]$characters[$random]
}
$password  = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@$&%*'
# Echoing the password to the console leaves it in any transcript or log the service desk tool keeps
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow
####################################
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
# $Key is the AES key used to protect $EncryptPW; it is defined earlier in the calling script
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)
$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
# Note: the second {id} segment is the password method id, not the user's object id
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetpassword"
# Build the JSON from a hashtable so $password is actually interpolated; the single-quoted
# '{"newPassword" : "$password"}' sends the literal text $password
$Body = @{ newPassword = $password } | ConvertTo-Json
$HeaderRW = HeaderToken-RW
# $HeaderRW (with the $) is the hashtable returned above. Graph accepts only a bearer token
# in the Authorization header, so -Credential (basic auth) contributes nothing here
$UserResult = Invoke-RestMethod -Headers $HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
-Thank You
- EntilZha May 17, 2021 Iron Contributor
VasilMichev, again, thank you.
Here's the function I use to get the Token.
Function HeaderToken-RW
{
    # Define AppId, secret and scope, your tenant name and endpoint URL
    $AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    $AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    $Scope = "https://graph.microsoft.com/.default"
    $TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    $Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
    # Create body for the client_credentials grant: this yields an app-only token
    # (application permissions) with no signed-in user behind it
    $Body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = $Scope
        grant_type    = 'client_credentials'
    }
    # Splat the parameters for Invoke-RestMethod for cleaner code;
    # Invoke-RestMethod form-encodes a hashtable body itself, so no manual
    # '&' joining or System.Web urlencode is needed
    $PostSplat = @{
        ContentType = 'application/x-www-form-urlencoded'
        Method      = 'POST'
        Body        = $Body
        Uri         = $Url
    }
    # Request the token!
    $Request = Invoke-RestMethod @PostSplat
    # Create header
    $Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
    Return $Header
}#End Header Function
Thank you,
-Larry
- VasilMichev May 18, 2021 MVP
So you're still using application permissions (client secret); they are not supported for this endpoint.
- EntilZha May 18, 2021 Iron Contributor
Again, thank you for responding!
Yes, that is correct: using the application token did not work. Since I wasn't having any luck getting this API call to work, I tried using -Headers, -Credential, or both options. At the bottom of this message is the function I tried using just credentials, and this too failed with the following error.
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:30 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
Do you have a recommendation on how I can get this to work?
Thank You,
-Larry
$Key = 'XXXXXXXXXXXXXX'
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)
$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetp..."
function Get-RandomCharacters($length, $characters)
{
    # Get-Random is not a cryptographically secure generator; see the note on the earlier copy of this function
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs = ""
    return [String]$characters[$random]
}
$password  = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@&%(*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow
# newPassword must be the plain-text string: a SecureString interpolated into the JSON would
# become the text "System.Security.SecureString", and a single-quoted '{"newPassword" : "$x"}'
# would not interpolate at all, so build the body from a hashtable instead
$Body = @{ newPassword = $password } | ConvertTo-Json
# This is the call that returned 401: Graph accepts only an OAuth bearer token in the
# Authorization header, and -Credential (basic auth) is never honoured, whatever rights
# the credential has
$UserResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
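The following is an added example, not code from the thread or from Microsoft. It does what VasilMichev's replies point at: obtain a delegated token (a signed-in admin, via the OAuth 2.0 device code flow, so no Read-Host and no client secret), look up the user's password method id instead of reusing the user's object id, send a properly interpolated JSON body, and poll the long-running operation that resetPassword returns. Everything in it is assumed: $TenantId and $ClientId are placeholders for a public client app registration ("Allow public client flows" enabled) with the delegated UserAuthenticationMethod.ReadWrite.All permission consented, the signed-in admin holds a role allowed to reset the target user's password (for example Authentication Administrator), and the function names are mine.

```powershell
# Added example (not from the thread). Delegated-permission password reset via Microsoft Graph.
$TenantId  = 'contoso.onmicrosoft.com'                # assumption: your tenant id or name
$ClientId  = '00000000-0000-0000-0000-000000000000'    # assumption: your public client app id
$Scope     = 'https://graph.microsoft.com/UserAuthenticationMethod.ReadWrite.All'
$Authority = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

function New-RandomPassword {
    # CSPRNG-backed generator (Get-Random is not cryptographically secure). Rejection sampling
    # avoids modulo bias; the outer loop repeats until all four character classes are present
    # so the value satisfies the usual Entra complexity rules.
    param([int]$Length = 16)
    $Alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@$%&*'
    $Limit = 256 - (256 % $Alphabet.Length)   # accept only bytes below this value
    $Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $Byte  = [byte[]]::new(1)
    do {
        $Chars = foreach ($i in 1..$Length) {
            do { $Rng.GetBytes($Byte) } while ($Byte[0] -ge $Limit)
            $Alphabet[$Byte[0] % $Alphabet.Length]
        }
        $Pw = -join $Chars
    } until ($Pw -cmatch '[a-z]' -and $Pw -cmatch '[A-Z]' -and $Pw -match '\d' -and $Pw -match '[!@$%&*]')
    return $Pw
}

function Get-ErrorBody($ErrorRecord) {
    # PowerShell 7 exposes the HTTP error body in ErrorDetails; Windows PowerShell 5.1 often does not.
    if ($ErrorRecord.ErrorDetails.Message) { return $ErrorRecord.ErrorDetails.Message | ConvertFrom-Json }
    $Stream = $ErrorRecord.Exception.Response.GetResponseStream()
    return (New-Object System.IO.StreamReader($Stream)).ReadToEnd() | ConvertFrom-Json
}

function Get-DelegatedGraphToken {
    # OAuth 2.0 device authorization grant: the admin signs in interactively (MFA works), the
    # service desk app never sees their password, and the token carries the user's identity,
    # which is what resetPassword requires (application permissions are rejected with 401).
    $Dc = Invoke-RestMethod -Method Post -Uri "$Authority/devicecode" -Body @{ client_id = $ClientId; scope = $Scope }
    Write-Host $Dc.message            # "To sign in, use a web browser to open ... and enter the code ..."
    $Interval = [int]$Dc.interval
    while ($true) {
        Start-Sleep -Seconds $Interval
        try {
            return Invoke-RestMethod -Method Post -Uri "$Authority/token" -Body @{
                grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
                client_id   = $ClientId
                device_code = $Dc.device_code
            }
        } catch {
            $Err = (Get-ErrorBody $_).error
            if ($Err -eq 'slow_down') { $Interval += 5; continue }
            if ($Err -ne 'authorization_pending') { throw }   # expired_token, access_denied, ...
        }
    }
}

function Reset-GraphUserPassword {
    param([Parameter(Mandatory)][string]$UserIdOrUpn, [string]$NewPassword = (New-RandomPassword))
    $Token   = Get-DelegatedGraphToken
    $Headers = @{ Authorization = "Bearer $($Token.access_token)" }
    $Base    = "https://graph.microsoft.com/beta/users/$UserIdOrUpn/authentication/passwordMethods"

    # The {passwordMethodId} segment is not the user's object id (the thread's URI reused it);
    # read it from the user's passwordMethods collection.
    $MethodId = (Invoke-RestMethod -Headers $Headers -Uri $Base).value[0].id

    # ConvertTo-Json interpolates and escapes correctly; a single-quoted '{"newPassword" : "$x"}'
    # would send the literal text $x.
    $Body = @{ newPassword = $NewPassword } | ConvertTo-Json -Compress
    $Resp = Invoke-WebRequest -UseBasicParsing -Headers $Headers -Method Post -Uri "$Base/$MethodId/resetPassword" `
                -Body $Body -ContentType 'application/json'

    # resetPassword is a long-running operation: 202 Accepted plus a Location header to poll.
    if ($Resp.StatusCode -ne 202) { throw "Unexpected status $($Resp.StatusCode)" }
    $OpUri = [string]$Resp.Headers['Location']
    do {
        Start-Sleep -Seconds 2
        $Op = Invoke-RestMethod -Headers $Headers -Uri $OpUri
    } while ($Op.status -notin 'succeeded', 'failed')
    if ($Op.status -ne 'succeeded') { throw "Password reset failed: $($Op | ConvertTo-Json -Compress)" }

    # Hand the secret back to the caller; do not Write-Host it into the service desk tool's log.
    return [pscustomobject]@{ User = $UserIdOrUpn; NewPassword = $NewPassword }
}

# Usage (assumed target UPN):
# Reset-GraphUserPassword -UserIdOrUpn 'user@contoso.com'
```

Two practitioner notes. First, the token really must belong to a user: the 401 in the thread is the endpoint rejecting the app-only token from the client_credentials grant, and no combination of -Headers and -Credential changes that. Second, whatever generates the password, keep it out of console output and transcripts; return it from the function and let the service desk workflow deliver it through its own secure channel.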