How to use azure logic app to update AAD user’s password automatically
Published Oct 19 2023 02:48 AM 5,297 Views
Microsoft

Scenario

Azure logic app is an extraordinary cloud automation application. For updating Azure Active Directory user’s password in batches and automatically, azure logic app consumption or a logic app standard can invoke Azure Active Directory Graph API but it requires specific permissions.

 

References

passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn

Sign in with resource owner password credentials grant - Microsoft Entra | Microsoft Learn

List passwordMethods - Microsoft Graph beta | Microsoft Learn

Update user - Microsoft Graph v1.0 | Microsoft Learn

 

Services Used

Azure Logic App (Consumption or Standard)

Azure Active Directory (AAD)

 

Solution 1

1.Create an AAD application registration

2.Add permission: UserAuthenticationMethod.ReadWrite.All


s1-1.png

More details: 

https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#permissions

 

3.Grant admin consent

 

s1-2.png

 

s1-3.png

 

4.Set up a logic app designer

Here we selected 'When a http request is received' as a trigger.

Action 1: HTTP – Get token

This action is used to get token. This token will be used in the following actions.


Method: POST

 

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

 

Content-Type: application/x-www-form-urlencoded

 

Body:

client_id={MyClientID}

&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

&client_secret={MyClientSecret}

&grant_type=password

&username={MyUsername}%40{myTenant}.com

&password={MyPassword}

 

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

s1-4.png

 

Action 2: HTTP – Get Pwd ID

This action is used to get Password Method ID.

 

Method: GET

 

URL: https://graph.microsoft.com/beta/me/authentication/passwordMethods

 

Content-type: application/json

 

Reference:

https://learn.microsoft.com/en-us/graph/api/authentication-list-passwordmethods?view=graph-rest-beta&tabs=http

 

s1-5.png

 

Action 3: HTTP – Update Pwd

This action is used to update the password of a user.

Method: POST

 

URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods/{passwordMethodId}/resetPassword

 

Content-type: application/json

 

Body:
{
"newPassword": "{myNewPassword}"
}

Reference:

https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#http-request

In URI, we can use this Expression to get the value of passwordMethodId:

body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']

 

s1-6.png

 

Solution 2

1.Grant 4 permissions to application registration and grant admin consent

 

User.ManageIdentities.All

User.EnableDisableAccount.All

User.ReadWrite.All

Directory.ReadWrite.All

 

Reference:

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions 

 

s2-1.png

 

2.Add role assignment ‘User Administrator’ to application registration

 

s2-2.png

 

In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role.

 

Reference: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

 

s2-3.png

 

3.Set up a logic app designer

Here we also selected 'When a http request is received' as a trigger.

 

Action 1: HTTP – Get token

This action is used to get token. This token will be used in the following actions.

 

Method: POST

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token 

Content-type: application/x-www-form-urlencoded

 

Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=client_credentials

s2-4.png

 

Action 2: HTTP – Update Pwd

This action is used to update the password of a user.

 

Method: PATCH

URL: https://graph.microsoft.com/v1.0/users/{userObjectId}

Content-type: application/json


Body:

{

  "passwordProfile": {

    "forceChangePasswordNextSignIn": false,

    "password": "{myNewPassword}"

  }

}


Reference:

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#example-3-update-the-passwordprofile-of-a-user-to-reset-their-password

 

s2-5.png

 

Result

We can check user password update records on AAD audit logs on azure portal:

 

AAD page -> Users -> AAD audit logs

 

s1-7.png

2 Comments
Co-Authors
Version history
Last update:
‎Oct 18 2023 07:28 AM
Updated by: