Forum Discussion
Resetting User’s Password using Microsoft Graph API
- May 07, 2021Afaik application permissions are not supported for this operation.
$password = "password"
$Body = '{"newPassword" : $password}'
or you can just ask for input via Read-Host or similar. Or not specify a password at all, in which case a random one would be generated.
Thank You for responding, and sorry for not responding sooner apparently there was an issue with my RSS feed in Teams.
Can't use Read-Host, this function being build into a service desk application.
When I execute PW reset Function I receive the following error:
[Line 304] Password randomly generated by script kaHF539*@
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:76 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
###################################
Permission applied to the API
####################################
Function HeaderToken-RW
{
## extract of header token function - see the full Header Token function within this thread ##
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
Return $Header
}#End Header Function
## end of extract of header token function ##
function Get-RandomCharacters($length, $characters)
{
$random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
$private:ofs=""
return [String]$characters[$random]
}
$password = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@$&%*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow
####################################
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)
$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetpassword"
$Body = '{"newPassword" : "$password"}'
$HeaderRW = HeaderToken-RW
$UserResult = Invoke-RestMethod -Headers HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
-Thank You
- VasilMichevMay 17, 2021MVPI dont see a request for actually getting the token, did you just omit it in the copy paste or in the actual script? 🙂
- EntilZhaMay 17, 2021Iron Contributor
VasilMichev Again Thank You.....
Here's the function I use to get the Token.
Function HeaderToken-RW
{
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
# Add System.Web for urlencode
Add-Type -AssemblyName System.Web
# Create body
$Body = @{
client_id = $AppId
client_secret = $AppSecret
scope = $Scope
grant_type = 'client_credentials'
}
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
ContentType = 'application/x-www-form-urlencoded'
Method = 'POST'
# Create string by joining bodylist with '&'
Body = $Body
Uri = $Url
}
# Request the token!
$Request = Invoke-RestMethod @PostSplat
# Create header
$Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
Return $Header
}#End Header FunctionThank You,
-Larry
- VasilMichevMay 18, 2021MVPSo you're still using application permissions (client secret), they are not supported for this endpoint.