Permissions required to update password

Hi there

I'm trying to update a user's password using the Graph API (Terraform, really).

Creating a user and setting an initial password using a service principal that has the application role "User.ReadWrite.All" works as expected; however, updating the password with the same service principal does not work.

What role should I use instead? Is it even possible?

Stefan

As detailed in the documentation, you need additional permissions to update passwords:

passwordProfile (PasswordProfile): Specifies the password profile for the user. The profile contains the user's password. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. As a best practice, always set the forceChangePasswordNextSignIn to true. This cannot be used for federated users.

In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Microsoft Entra role.

In addition, if you plan to update the password of a user in an admin role, you will need the Privileged auth admin role assigned.

Thanks @Vasil Michev!

From https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/authorization-request-denied-g... it looks like I need the "Company Administrator" role; you say "User Administrator"?

Solution
That's the last scenario, updating the password for an admin user. In this case, GA or Privileged Auth admin is required. For regular users, all you need is User admin.
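An added example (not from the thread or the azuread provider's own documentation) of the application-only setup the solution describes: the service principal keeps the User.ReadWrite.All application permission and is additionally assigned the User Administrator directory role, after which it can create and later reset a regular user's password. The service principal display name, the UPN and the password variable are placeholders, and the provider is assumed to be authenticated as an identity that is allowed to assign directory roles.

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# The service principal Terraform normally runs as. "terraform-graph-sp" is a
# placeholder display name. It must also hold the User.ReadWrite.All
# application permission, granted on its app registration (not shown here);
# the role below is required in addition to, not instead of, that permission.
data "azuread_service_principal" "automation" {
  display_name = "terraform-graph-sp"
}

# Activate the built-in User Administrator role in the tenant. Per the thread,
# this role is sufficient for updating passwords of non-admin users.
resource "azuread_directory_role" "user_admin" {
  display_name = "User Administrator"
}

# Assign that role to the service principal. The identity applying this block
# needs the right to assign directory roles (for example a Global
# Administrator); the automation SP cannot grant the role to itself.
resource "azuread_directory_role_assignment" "sp_user_admin" {
  role_id             = azuread_directory_role.user_admin.template_id
  principal_object_id = data.azuread_service_principal.automation.object_id
}

# A regular (non-admin) user whose password the SP can now set and update.
# force_password_change maps to passwordProfile.forceChangePasswordNextSignIn,
# the best practice quoted in the reply above. Users who hold admin roles are
# out of scope: resetting their password still needs Global Administrator or
# Privileged Authentication Administrator, as the solution states.
resource "azuread_user" "example" {
  user_principal_name   = "jdoe@example.com"   # placeholder UPN
  display_name          = "Jane Doe"
  mail_nickname         = "jdoe"
  password              = var.initial_password
  force_password_change = true
}

variable "initial_password" {
  type      = string
  sensitive = true
}
```

A failed `terraform apply` on the password change with Authorization_RequestDenied after this configuration usually means the role assignment has not propagated yet or the target user holds an admin role.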