May 07 2021 07:37 AM
Working on a project to develop a tool, and one aspect of this tool is to reset a user's password using Graph API with Application Permissions. I've been searching on the internet and found a lot of suggestions on using delegated and application permissions; however, I was unable to get the password reset to work using Graph API.
Environment information: we have an on-premises Active Directory and use Azure AD Connect to sync accounts to Azure AD with password writeback.
Question: How can I reset a user's password in Azure AD using only Microsoft Graph API with application permissions? What permissions will I need for the application, and which URI would I need to use?
The last option I tried can be found on this website: https://levelup.gitconnected.com/how-to-reset-or-update-user-passwords-with-microsoft-graph-api-in-a...
From this website I tried “The solution to use AAD PowerShell V2.0”
Thank You,
Larry
May 07 2021 10:05 AM
Solution - May 13 2021 04:48 AM
May 13 2021 06:26 AM
May 13 2021 08:48 AM
May 17 2021 06:37 AM - edited May 17 2021 06:38 AM
Thank you for responding, and sorry for not responding sooner; apparently there was an issue with my RSS feed in Teams.
I can't use Read-Host; this function is being built into a service desk application.
When I execute the PW reset function I receive the following error:
[Line 304] Password randomly generated by script kaHF539*@
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:76 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
###################################
Permission applied to the API
####################################
Function HeaderToken-RW
{
## extract of header token function - see the full Header Token function within this thread ##
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
Return $Header
}#End Header Function
## end of extract of header token function ##
function Get-RandomCharacters($length, $characters)
{
# Pick $length random indexes into the character set (note: Get-Random is a general-purpose PRNG, not a CSPRNG)
$random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
$private:ofs=""
return [String]$characters[$random]
}
$password = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@$&%*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow
####################################
# $Key (the ConvertTo-SecureString key) is defined elsewhere in the script
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)
$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetp..."
# Build the JSON body from a hashtable so the generated password is actually inserted;
# a single-quoted '{"newPassword" : "$password"}' is not interpolated and sends the literal text $password
$Body = @{ newPassword = $password } | ConvertTo-Json -Compress
$HeaderRW = HeaderToken-RW
# -Headers takes the variable ($HeaderRW), not the bare name HeaderRW
$UserResult = Invoke-RestMethod -Headers $HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
-Thank You
May 17 2021 08:32 AM
May 17 2021 09:05 AM
@VasilMichev Again Thank You.....
Here's the function I use to get the Token.
Function HeaderToken-RW
{
# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
# Add System.Web for urlencode
Add-Type -AssemblyName System.Web
# Create body
$Body = @{
client_id = $AppId
client_secret = $AppSecret
scope = $Scope
grant_type = 'client_credentials'
}
# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
ContentType = 'application/x-www-form-urlencoded'
Method = 'POST'
# Create string by joining bodylist with '&'
Body = $Body
Uri = $Url
}
# Request the token!
$Request = Invoke-RestMethod @PostSplat
# Create header
$Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
Return $Header
}#End Header Function
Thank You,
-Larry
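Added example, not Larry's code and not from any reply in this thread: before sending the header that HeaderToken-RW returns, decode the access token and look at what it actually carries. With a client_credentials token, Graph authorizes the call from the "roles" claim (the admin-consented application permissions); a delegated token carries "scp" instead, and a token with neither role the endpoint accepts is rejected before the request body matters. The role name passed in the usage line, UserAuthenticationMethod.ReadWrite.All, is my assumption about what the password-method endpoint requires, not something the thread confirms; substitute whatever permission your tenant granted the app.

```powershell
function ConvertFrom-JwtPayload {
    # Returns the claims of a JWT as an object. The payload is the middle of
    # header.payload.signature, base64url-encoded without padding.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Value does not look like a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 = $b64.PadRight($b64.Length + ((4 - $b64.Length % 4) % 4), '=')
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-GraphAppToken {
    # $Header is the @{Authorization = "Bearer <jwt>"} hashtable that HeaderToken-RW builds.
    param(
        [Parameter(Mandatory)][hashtable]$Header,
        [Parameter(Mandatory)][string[]]$RequiredRoles
    )
    $token  = ($Header.Authorization -split ' ', 2)[-1]
    $claims = ConvertFrom-JwtPayload -Token $token

    # "roles" is absent on delegated tokens; filter nulls so an empty array results.
    $roles   = @($claims.roles | Where-Object { $_ })
    $missing = @($RequiredRoles | Where-Object { $roles -notcontains $_ })

    # Graph tokens carry one of these two audience values (v1 and v2 token formats).
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')

    [pscustomobject]@{
        Audience     = $claims.aud
        AppOnly      = ($null -eq $claims.scp)      # no "scp" claim => client_credentials token
        Roles        = $roles
        MissingRoles = $missing
        ExpiresUtc   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
        Ok           = ($missing.Count -eq 0 -and $claims.aud -in $graphAudiences)
    }
}

# Usage (assumes HeaderToken-RW from this thread is loaded; the role name is an assumption):
# Test-GraphAppToken -Header (HeaderToken-RW) -RequiredRoles 'UserAuthenticationMethod.ReadWrite.All'
```

If MissingRoles is non-empty the 401/403 is explained without touching the user object: either the application permission was never added to the app registration, or it was added but admin consent was not granted, in which case the token request still succeeds but the claim never appears. Decoding the payload is only an inspection step; nothing here validates the signature, and nothing should, since the app is the token's consumer, not its issuer.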
May 18 2021 12:40 AM
May 18 2021 05:01 AM
Again Thank you for responding!!!
Yes, that is correct; using the application token did not work. Since I wasn't having any luck getting this API call to work, I tried using -Header or -Credential or both options.
At the bottom of this message is the function I tried using just credentials, and this too failed with the following error.
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:30 char:15
+ ... serResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Bo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExcep
Do you have a recommendation on how I can get this to work?
Thank You,
-Larry
$Key = 'XXXXXXXXXXXXXX'
$AdminName = 'XXXXXXXXXX.com'
$EncryptPW = "XXXXXXXXXXXXXXXX"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString -Key $Key)
$UserAZGUID = 'XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetp..."
function Get-RandomCharacters($length, $characters)
{
$random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
$private:ofs=""
return [String]$characters[$random]
}
$password = Get-RandomCharacters -length 2 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 2 -characters '!@&%(*'
Write-Host "[Line 304] Password randomly generated by script "$password -ForegroundColor Yellow
# Build the JSON body from the plain-text password. Interpolating a SecureString into the
# body would only insert the text "System.Security.SecureString", and the single-quoted
# '{"newPassword" : "$EncryptUserPW"}' would not be interpolated at all.
$Body = @{ newPassword = $password } | ConvertTo-Json -Compress
# Credentials only, no bearer token header, as described in the post above
$UserResult = Invoke-RestMethod -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
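Added example, not Larry's code and not from any reply in this thread: the reset call rebuilt around the three things that are fixable from the posted script alone. The body is produced with ConvertTo-Json so the generated password really is in it; only the bearer header from HeaderToken-RW is sent (the -Credential parameter adds HTTP credentials that a Graph bearer-token call does not use); and the password comes from the OS CSPRNG instead of Get-Random, is shuffled so the class order is not fixed, and is never written to the console, where a service desk tool's output usually ends up in transcripts. It assumes HeaderToken-RW and $PWResetURI (the reset endpoint, shown truncated in the thread) are defined by the calling script, and the newPassword property name is the one the thread uses.

```powershell
function Get-SecureIndex {
    # Unbiased integer in [0, Count) from the OS CSPRNG, via rejection sampling
    # so that (value % Count) does not favour low indexes.
    param([Parameter(Mandatory)][int]$Count)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
    do {
        $rng.GetBytes($buf)
        $value = [BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    $rng.Dispose()
    return [int]($value % [uint32]$Count)
}

function New-RandomPassword {
    # At least one character from every class, the rest drawn from all classes,
    # then a Fisher-Yates shuffle so the class order is not predictable.
    param([int]$Length = 16)
    $classes = @(
        [char[]]'abcdefghijkmnpqrstuvwxyz',   # l and o dropped: easy to misread over the phone
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # I and O dropped for the same reason
        [char[]]'23456789',
        [char[]]'!@#$%^&*'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $all   = @($classes | ForEach-Object { $_ })
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(Get-SecureIndex -Count $set.Count)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureIndex -Count $all.Count)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex -Count ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars.ToArray()
}

function Reset-UserPasswordViaGraph {
    param(
        [Parameter(Mandatory)][string]$ResetUri,     # the thread's $PWResetURI
        [Parameter(Mandatory)][hashtable]$Header,    # output of the thread's HeaderToken-RW
        [int]$Length = 16
    )
    $password = New-RandomPassword -Length $Length
    # ConvertTo-Json quotes and escapes the value; a single-quoted JSON literal would
    # send the text $password unchanged.
    $body = @{ newPassword = $password } | ConvertTo-Json -Compress
    $params = @{
        Uri = $ResetUri; Method = 'Post'; Headers = $Header
        Body = $body; ContentType = 'application/json'
    }
    try {
        $response = Invoke-RestMethod @params
    }
    catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        # Surface Graph's own error body for diagnosis; the new password is never echoed.
        throw "Password reset failed (HTTP $status): $($_.ErrorDetails.Message)"
    }
    # Return the password as a SecureString for the caller to deliver; no Write-Host.
    return [pscustomobject]@{
        Password = (ConvertTo-SecureString -String $password -AsPlainText -Force)
        Response = $response
    }
}

# Usage (assumes HeaderToken-RW and $PWResetURI from this thread are defined):
# $result = Reset-UserPasswordViaGraph -ResetUri $PWResetURI -Header (HeaderToken-RW)
```

Get-SecureIndex uses GetBytes rather than the newer static RandomNumberGenerator.GetInt32 so it runs on Windows PowerShell 5.1 as well as PowerShell 7. If the call still returns 401 with a correctly formed body and header, the token itself is what Graph is rejecting, and that is a permission or consent question on the app registration rather than a scripting one.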
May 18 2021 09:22 AM
May 19 2021 12:07 PM
May 20 2021 12:23 AM
May 20 2021 05:34 AM
May 20 2021 08:42 AM
May 20 2021 10:55 AM