SOLVED

Permissions required to update password

Copper Contributor

Hi there

 

I'm trying to update a user's password using the graph api (terraform really).

Creating a user and setting an initial password using a service principal that has the application role "User.ReadWrite.All" works as expected - however updating the password with the same service principal does not work.

What role should I use instead? Is it even possible?

Stefan

3 Replies
As detailed in the documentation, you need additional permissions to update passwords:

passwordProfile PasswordProfile Specifies the password profile for the user. The profile contains the user's password. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. As a best practice, always set the forceChangePasswordNextSignIn to true. This cannot be used for federated users.

In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Microsoft Entra role.

In addition, if you plan to update the password of a user in admin role, you will need Privileged auth admin role assigned.

Thanks @VasilMichev !

From https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/authorization-request-denied-g... it looks like I need the "Company Administrator" role - you say "User Administrator"?

best response confirmed by StefanMagnusLandromollerno (Copper Contributor)
Solution
That's the last scenario, updating password for an admin user. In this case, GA or Privileged Auth admin is required. For regular users, all you need is User admin.
1 best response

Accepted Solutions
best response confirmed by StefanMagnusLandromollerno (Copper Contributor)
Solution
That's the last scenario, updating password for an admin user. In this case, GA or Privileged Auth admin is required. For regular users, all you need is User admin.

View solution in original post