Azure Logic Apps is a cloud automation service. To reset Azure Active Directory user passwords automatically and in batches, a Consumption or Standard logic app can call Microsoft Graph (not the retired Azure AD Graph API), but the calls need specific permissions and, for the application-only variant, a directory role. This post walks through two ways to do it: a delegated flow that uses the beta resetPassword action, and an application-only flow that updates the user's passwordProfile.
Related documents:
passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn
Sign in with resource owner password credentials grant - Microsoft Entra | Microsoft Learn
List passwordMethods - Microsoft Graph beta | Microsoft Learn
Update user - Microsoft Graph v1.0 | Microsoft Learn
Prerequisites:
Azure Logic App (Consumption or Standard)
Azure Active Directory (AAD)
Approach 1: Delegated access (ROPC) with the beta resetPassword action
1. Create an AAD application registration.
2. Add the delegated permission UserAuthenticationMethod.ReadWrite.All. resetPassword is a delegated-only action in the beta API (application permissions are not supported for it), so the account that signs in through ROPC does the reset and must hold a role that may reset other users' passwords, such as Authentication Administrator or Privileged Authentication Administrator.
More details:
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#permissions
3. Grant admin consent.
4. Set up the logic app in the designer.
Here we selected 'When a HTTP request is received' as the trigger.
Action 1: HTTP – Get token
This action obtains an access token with the resource owner password credentials (ROPC) grant. The token is used in the following actions.
Method: POST
URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=password
&username={MyUsername}%40{myTenant}.com
&password={MyPassword}
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Caveat: ROPC sends a user's password straight to the token endpoint, cannot satisfy MFA or Conditional Access, and is discouraged by Microsoft except for legacy scenarios. If you use it anyway, keep {MyClientSecret} and {MyPassword} in Key Vault rather than in the workflow definition, use a dedicated account with the minimum role, and turn on Secure Inputs/Secure Outputs on the HTTP actions so the credentials and the new password do not land in run history.
Action 2: HTTP – Get Pwd ID
This action lists the target user's password authentication methods so we can get the Password Method ID. Note that /me/authentication/passwordMethods would return the methods of the account that signed in through ROPC, not those of the user being reset, so address the target user explicitly.
Method: GET
URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods
Headers:
Authorization: Bearer {accessToken from Action 1}
Content-type: application/json
The header value can be taken from the first action's output, for example body('<name of Action 1>')['access_token'].
Reference:
https://learn.microsoft.com/en-us/graph/api/authentication-list-passwordmethods?view=graph-rest-beta&tabs=http
Action 3: HTTP – Update Pwd
This action resets the password of the target user. A successful call returns 202 Accepted (the reset runs as a long-running operation), not 200.
Method: POST
URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods/{passwordMethodId}/resetPassword
Headers:
Authorization: Bearer {accessToken from Action 1}
Content-type: application/json
Body:
{
"newPassword": "{myNewPassword}"
}
Reference:
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#http-request
In the URI, we can use this expression to get the value of passwordMethodId from Action 2 (the action name inside body() must match the name shown in the designer):
body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']
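The three delegated actions above, written out as plain Python so the sequence can be checked offline. This is an added example, not code from the original post: the transport callable stands in for the logic app's HTTP actions, the fake token endpoint and Graph responses are constructed, and the password method id returned by the fake is a placeholder rather than a real one. The example addresses the target user in Action 2 instead of /me, passes the bearer token on every Graph call, and treats anything other than 202 from resetPassword as a failure.

```python
"""Delegated (ROPC) password reset: token -> passwordMethodId -> resetPassword.

Added example, not from the original post. `transport(method, url, headers, body)`
returns (status, json_body) and stands in for the logic app's HTTP actions, so
the flow runs offline against the constructed fake below.
"""
import json
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/beta"


def ropc_token_request(tenant_id, client_id, client_secret, username, password):
    """Return (method, url, headers, body) for Action 1, the ROPC token call."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "password",
        "username": username,
        "password": password,
    })
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def reset_password_delegated(transport, tenant_id, client_id, client_secret,
                             admin_upn, admin_password, target_user, new_password):
    """Run Actions 1-3 for one target user and return the resetPassword status."""
    status, tok = transport(*ropc_token_request(tenant_id, client_id, client_secret,
                                                admin_upn, admin_password))
    if status != 200 or "access_token" not in tok:
        raise RuntimeError(f"token request failed: {status} {tok.get('error')}")
    headers = {"Authorization": f"Bearer {tok['access_token']}",
               "Content-Type": "application/json"}

    # Action 2: list the TARGET user's password methods. /me would return the
    # methods of the ROPC admin account, which is not the user being reset.
    status, methods = transport(
        "GET", f"{GRAPH}/users/{target_user}/authentication/passwordMethods", headers, None)
    if status != 200 or not methods.get("value"):
        raise RuntimeError(f"could not list password methods: {status}")
    method_id = methods["value"][0]["id"]  # same as body('...')['value'][0]['id']

    # Action 3: resetPassword on that method. Graph answers 202 Accepted and
    # finishes the reset asynchronously; the new password is never logged here.
    status, _ = transport(
        "POST",
        f"{GRAPH}/users/{target_user}/authentication/passwordMethods/{method_id}/resetPassword",
        headers, json.dumps({"newPassword": new_password}))
    if status != 202:
        raise RuntimeError(f"resetPassword failed: {status}")
    return status


def make_fake_graph():
    """Constructed offline stand-in for the token endpoint and Graph; records calls."""
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, {"access_token": "fake-token", "token_type": "Bearer"}
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        if url.endswith("/authentication/passwordMethods"):
            # placeholder method id, not a real one
            return 200, {"value": [{"id": "sample-password-method-id", "password": None}]}
        if url.endswith("/resetPassword"):
            return 202, {}
        return 404, {"error": {"code": "ResourceNotFound"}}

    return transport, calls


if __name__ == "__main__":
    fake, calls = make_fake_graph()
    print(reset_password_delegated(fake, "tenant", "client", "secret",
                                   "admin@contoso.example", "AdminPw!",
                                   "alice@contoso.example", "N3w-Passw0rd!"))
    for method, url in calls:
        print(method, url)
```

Swapping the fake for a real transport built on urllib or requests is the only change needed to run it against a tenant; the assertions in the calls list show the exact URLs the logic app should be sending.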
Approach 2: Application-only access with Update user (v1.0)
1. Grant the application permission User.ReadWrite.All to the application registration and grant admin consent. The permissions table for Update user also lists User.ManageIdentities.All, User.EnableDisableAccount.All and Directory.ReadWrite.All, but those cover other user properties; for updating passwordProfile, User.ReadWrite.All is sufficient and is the least-privileged choice.
Reference:
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions
2. Assign the 'User Administrator' role to the application's service principal (the Enterprise application created by the registration).
In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role.
Reference: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
Caveat: User Administrator can reset passwords of non-admin users only; a PATCH against a user who holds a privileged role fails with 403 Authorization_RequestDenied, and resetting such users needs Privileged Authentication Administrator. Do not raise the app's role just to cover a handful of admin accounts; handle them separately.
3. Set up the logic app in the designer.
Here we also selected 'When a HTTP request is received' as the trigger.
Action 1: HTTP – Get token
This action obtains an app-only access token with the client credentials grant. The token is used in the following action.
Method: POST
URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Content-type: application/x-www-form-urlencoded
Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=client_credentials
Action 2: HTTP – Update Pwd
This action updates the password of a user by patching passwordProfile. A successful call returns 204 No Content.
Method: PATCH
URL: https://graph.microsoft.com/v1.0/users/{userObjectId}
Headers:
Authorization: Bearer {accessToken from Action 1}
Content-type: application/json
Body:
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "{myNewPassword}"
}
}
With forceChangePasswordNextSignIn set to false the user keeps the password the automation chose; for a batch reset, true is usually the better setting so each user picks a password only they know at next sign-in. Turn on Secure Inputs/Secure Outputs on this action so {myNewPassword} is not stored in run history. To process many users, put this action inside a For each over the user list from the trigger body.
Reference:
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#example-3-update-the-passwordprofile-of-a-user-to-reset-their-password
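The application-only flow as a batch over several users, added here as an example rather than taken from the original post. It assumes the same transport convention as above (a callable returning status and JSON body), a constructed fake Graph in which the user ids, token and the set of "protected" admin users are made up, and it shows the failure mode a User Administrator hits when one of the targets holds a privileged role: that user gets a 403 and the batch carries on with the rest, reporting per-user outcomes without ever echoing a password.

```python
"""App-only batch password reset: client_credentials token -> PATCH /users/{id}.

Added example, not from the original post. `transport(method, url, headers, body)`
returns (status, json_body); the fake below is a constructed stand-in for the
token endpoint and Microsoft Graph v1.0.
"""
import json
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def client_credentials_token_request(tenant_id, client_id, client_secret):
    """Return (method, url, headers, body) for Action 1, the client credentials call."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def reset_passwords_app_only(transport, tenant_id, client_id, client_secret,
                             resets, force_change=True):
    """Reset each (user_id, new_password) in `resets`; return {user_id: outcome}.

    Outcomes never include the password. A 403 is reported per user and the
    batch continues, which is what happens when a User Administrator targets an
    account that holds a privileged role.
    """
    status, tok = transport(*client_credentials_token_request(tenant_id, client_id, client_secret))
    if status != 200 or "access_token" not in tok:
        raise RuntimeError(f"token request failed: {status} {tok.get('error')}")
    headers = {"Authorization": f"Bearer {tok['access_token']}",
               "Content-Type": "application/json"}

    results = {}
    for user_id, new_password in resets:
        body = json.dumps({"passwordProfile": {
            "forceChangePasswordNextSignIn": force_change,
            "password": new_password,
        }})
        status, resp = transport("PATCH", f"{GRAPH}/users/{user_id}", headers, body)
        if status == 204:                       # Update user succeeds with 204 No Content
            results[user_id] = "reset"
        elif status == 403:
            results[user_id] = "forbidden: " + resp.get("error", {}).get("code", "?")
        else:
            results[user_id] = f"error {status}"
    return results


def make_fake_graph(protected_user_ids):
    """Constructed offline stand-in; users in `protected_user_ids` are treated as admins."""
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, {"access_token": "fake-app-token", "token_type": "Bearer", "expires_in": 3599}
        if headers.get("Authorization") != "Bearer fake-app-token":
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        if method == "PATCH" and url.startswith(f"{GRAPH}/users/"):
            user_id = url.rsplit("/", 1)[1]
            if "passwordProfile" not in json.loads(body):
                return 400, {"error": {"code": "Request_BadRequest"}}
            if user_id in protected_user_ids:
                return 403, {"error": {"code": "Authorization_RequestDenied"}}
            return 204, {}
        return 404, {"error": {"code": "ResourceNotFound"}}

    return transport, calls


if __name__ == "__main__":
    fake, calls = make_fake_graph({"ga-0001"})       # made-up object ids
    batch = [("u-0001", "Tmp-Pw-1!"), ("ga-0001", "Tmp-Pw-2!"), ("u-0002", "Tmp-Pw-3!")]
    for user, outcome in reset_passwords_app_only(fake, "tenant", "client", "secret", batch).items():
        print(user, outcome)
```

The per-user result dictionary is what you would return from the logic app's Response action (or write to a log) so that a failed reset of an admin account is visible instead of silently skipped.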
We can check the password reset records in the AAD audit logs in the Azure portal:
AAD page -> Users -> Audit logs
Filter on the 'Reset user password' activity. For approach 1 the initiator is the account that signed in through ROPC; for approach 2 it is the application's service principal, which is also what a detection rule should key on when looking for resets by an unexpected app or outside the expected run window.
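A small detection pass over exported audit log records, added as an example and not part of the original post. The records are constructed samples shaped like Azure AD audit log exports (activityDisplayName, initiatedBy, targetResources, result); the service principal ids, UPNs and maintenance window are made up, and the activity names are the ones expected in the audit log, so verify them against your tenant before relying on the rule. It separates resets done by a user from those done by an app, and flags app-initiated resets by an unknown service principal, failed app resets (the usual sign of a batch hitting an admin account), and resets outside the window the logic app is supposed to run in.

```python
"""Flag suspicious password resets in Azure AD audit log exports.

Added example, not from the original post. SAMPLE_AUDIT_LOG is constructed
(one JSON record per line); identifiers and names are placeholders.
"""
import json
from datetime import datetime, timezone

SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2024-03-01T02:00:11Z", "activityDisplayName": "Reset user password", "category": "UserManagement", "result": "success", "initiatedBy": {"app": {"displayName": "pwd-reset-logicapp", "servicePrincipalId": "sp-0001"}}, "targetResources": [{"userPrincipalName": "alice@contoso.example", "type": "User"}]}
{"activityDateTime": "2024-03-01T02:00:12Z", "activityDisplayName": "Reset user password", "category": "UserManagement", "result": "failure", "initiatedBy": {"app": {"displayName": "pwd-reset-logicapp", "servicePrincipalId": "sp-0001"}}, "targetResources": [{"userPrincipalName": "globaladmin@contoso.example", "type": "User"}]}
{"activityDateTime": "2024-03-01T14:22:40Z", "activityDisplayName": "Reset user password", "category": "UserManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}}, "targetResources": [{"userPrincipalName": "bob@contoso.example", "type": "User"}]}
{"activityDateTime": "2024-03-01T23:45:03Z", "activityDisplayName": "Reset user password", "category": "UserManagement", "result": "success", "initiatedBy": {"app": {"displayName": "unknown-app", "servicePrincipalId": "sp-0099"}}, "targetResources": [{"userPrincipalName": "carol@contoso.example", "type": "User"}]}
{"activityDateTime": "2024-03-01T09:10:00Z", "activityDisplayName": "Update user", "category": "UserManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}}, "targetResources": [{"userPrincipalName": "dave@contoso.example", "type": "User"}]}
"""

# Activity names as expected in the audit log; confirm against your tenant.
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}


def parse_audit_log(text):
    """One JSON record per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def initiator(entry):
    """Return ('app', servicePrincipalId) or ('user', upn) or ('unknown', None)."""
    by = entry.get("initiatedBy", {})
    if by.get("app"):
        return "app", by["app"].get("servicePrincipalId")
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName")
    return "unknown", None


def password_reset_events(entries):
    """Normalise every password reset/change record into a flat event."""
    events = []
    for e in entries:
        if e.get("activityDisplayName") not in PASSWORD_ACTIVITIES:
            continue
        kind, who = initiator(e)
        targets = [t.get("userPrincipalName") for t in e.get("targetResources", [])]
        events.append({"time": e["activityDateTime"], "initiator_type": kind,
                       "initiator": who, "targets": targets, "result": e.get("result")})
    return events


def suspicious_resets(entries, allowed_sp_ids, window_utc=(1, 5)):
    """Return [(time, targets, reasons)] for app-initiated resets that break policy.

    Rules: the app must be an allow-listed service principal, its resets must
    succeed (a failure usually means the batch hit an admin account), and they
    must fall inside the maintenance window [start_hour, end_hour) in UTC.
    """
    flagged = []
    for ev in password_reset_events(entries):
        if ev["initiator_type"] != "app":
            continue  # human resets are reviewed elsewhere; this rule is about automation
        hour = datetime.fromisoformat(ev["time"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
        reasons = []
        if ev["initiator"] not in allowed_sp_ids:
            reasons.append("reset by unexpected service principal")
        if ev["result"] != "success":
            reasons.append("failed app reset (check the target's directory role)")
        if not (window_utc[0] <= hour < window_utc[1]):
            reasons.append("app reset outside maintenance window")
        if reasons:
            flagged.append((ev["time"], ev["targets"], reasons))
    return flagged


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for when, targets, reasons in suspicious_resets(records, {"sp-0001"}):
        print(when, targets, "; ".join(reasons))
```

In a real pipeline the records come from the audit log export (Log Analytics or the Graph auditLogs/directoryAudits endpoint) and the allow-list holds the object id of the logic app's service principal; everything else in the rule stays the same.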