Forum Discussion
Resetting User’s Password using Microsoft Graph API
- Afaik application permissions are not supported for this operation.
VasilMichev Again Thank You.....
Here's the function I use to get the Token.
Function HeaderToken-RW
{
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
# Add System.Web for urlencode
Add-Type -AssemblyName System.Web
# Create body
$Body = @{
client_id = $AppId
client_secret = $AppSecret
scope = $Scope
grant_type = 'client_credentials'
}
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
ContentType = 'application/x-www-form-urlencoded'
Method = 'POST'
# Create string by joining bodylist with '&'
Body = $Body
Uri = $Url
}
# Request the token!
$Request = Invoke-RestMethod @PostSplat
# Create header
$Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
Return $Header
}#End Header Function
Thank You,
-Larry
- So you're still using application permissions (client secret), they are not supported for this endpoint.
Again Thank you for responding!!!
Yes that is correct, using the application token did not work. Since I wasn't having any luck getting this API call to work i tried using -Header or -credential or both options.At the bottom of this messages is the function I tried using just credentials and this too failed with the following error.
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:30 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExcepDo you have a recommendation on how I can get this to work?
Thank You,
-Larry
$Key = 'XXXXXXXXXXXXXX'
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetp..."
function Get-RandomCharacters($length, $characters)
{
$random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
$private:ofs=""
return [String]$characters[$random]
}$password = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@&%(*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow$EncryptUserPW = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Body = '{"newPassword" : "$EncryptUserPW"}'
$UserResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"- You need to pass the token as part of the header. Also, you seem to be passing the user's GUID instead of the actual authentication method id. Here's a working example:
$body = @{
"newPassword" = "Parola123"
}
$uri = "https://graph.microsoft.com/beta/users/user@domain.com/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490/resetPassword"
Invoke-WebRequest -Headers $authHeader -Uri $uri -Method Post -ErrorAction Stop -Body ($body | ConvertTo-Json -Depth 6)
