Forum Discussion

EntilZha
Iron Contributor
May 07, 2021

Resetting User’s Password using Microsoft Graph API

Working on a project to develop a tool, and one aspect of this tool is to reset a user's password using Graph API with application permissions. I have been searching the internet and found a lot of suggestions on using delegated and application permissions; however, I was unable to get the password reset to work using Graph API.


Environment information: we have an on-premises Active Directory and use Azure AD Connect to sync accounts to Azure AD with password writeback.


Question: How can I reset a user's password in Azure AD using only Microsoft Graph API with application permissions? What permissions will I need to use for the application, and what URI would I need to use?


The last option I tried can be found on this website: https://levelup.gitconnected.com/how-to-reset-or-update-user-passwords-with-microsoft-graph-api-in-azure-ad-c6733c3b0ac3

From this website I tried "The solution to use AAD PowerShell V2.0".


Thank You,

Larry

  • Afaik application permissions are not supported for this operation.
      EntilZha
      Iron Contributor
      VasilMichev

      I'm working off the following Microsoft document to reset a user's password using Graph.

      https://docs.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword?view=graph-rest-beta&tabs=http

      I created a service account:
      - gave that account "Authentication admin" privileges
      - added the UserAuthenticationMethod.ReadWrite.All permission to the app in App Registration

      Question: Do you have any recommendations on what I would need to get Graph password reset to work?

      Also, I have an additional question; I'm still new to the whole thing of using Microsoft Graph API within PowerShell. How can I make the payload (password) a $variable?

      Thank You,
      -Larry

      Below is a snapshot of the script I'm trying to get to work.
      ###############################################

      Function HeaderToken-RW
      {
      # Define AppId, secret and scope, your tenant name and endpoint URL
      $AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      $AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      $Scope = "https://graph.microsoft.com/.default"
      $TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      $Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"

      # Add System.Web for urlencode
      Add-Type -AssemblyName System.Web

      # Create body
      $Body = @{
      client_id = $AppId
      client_secret = $AppSecret
      scope = $Scope
      grant_type = 'client_credentials'
      }

      # Splat the parameters for Invoke-Restmethod for cleaner code
      $PostSplat = @{
      ContentType = 'application/x-www-form-urlencoded'
      Method = 'POST'
      # Body is a hashtable; Invoke-RestMethod form-encodes it for us
      Body = $Body
      Uri = $Url
      }

      # Request the token!
      $Request = Invoke-RestMethod @PostSplat

      # Create header
      $Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}

      Return $Header
      }#End Header Function

      $AdminName = 'xxxxx@xxxx.com'
      $EncryptPW = "xxxxxxxxxxxxxxxx"
      $UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString)


      $UserAZGUID = 'XXXXXXXXXX-XXXXXXXXX-XX-XXXXXXXXXX-XXXX'
      $HeaderRW = HeaderToken-RW
      $PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$UserAZGUID/resetPassword"
      $Body = '{"newPassword" : "password"}'

      # The header variable needs the $ sigil, otherwise the bare word "HeaderRW" is passed instead of the hashtable
      $UserResult = Invoke-RestMethod -Headers $HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"


      • Something like this should do:

        $password = "password"
        # Build the JSON from a hashtable: a single-quoted '{"newPassword" : $password}' would never expand $password,
        # and ConvertTo-Json also escapes any quotes or backslashes the password contains
        $Body = @{ newPassword = $password } | ConvertTo-Json -Compress

        or you can just ask for input via Read-Host or similar. Or not specify a password at all, in which case a random one would be generated.
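As an added example (not code from the thread or from Microsoft), the following PowerShell function wraps the beta resetPassword call discussed above and shows the two points raised in the replies: the password is passed in as a variable (a SecureString, converted to plaintext only at the moment the body is built), and leaving it out lets Azure AD generate one. It assumes $Headers already holds a bearer token acquired in a delegated (signed-in admin) context, since the reply above says application permissions are not supported for this operation; the user id and password method id are placeholders; and the polling loop follows the 202 Accepted plus Location header behaviour described in the linked resetPassword document, with the exact shape of the status body treated as an assumption.

```powershell
# Added example, not from the original thread. Assumes a delegated bearer token in $Headers,
# placeholder identifiers, and the 202 Accepted + Location polling flow from the linked doc.
function Invoke-GraphPasswordReset {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,          # e.g. the hashtable returned by HeaderToken-RW
        [Parameter(Mandatory)] [string]    $UserId,           # object id (or UPN) of the target user
        [Parameter(Mandatory)] [string]    $PasswordMethodId, # id of the user's password authentication method
        [SecureString]                     $NewPassword,      # omit to let Azure AD generate a password
        [int]                              $PollSeconds = 2,
        [int]                              $MaxPolls = 15
    )

    $uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/passwordMethods/$PasswordMethodId/resetPassword"

    # Build the body from a hashtable so quoting and escaping are handled for us.
    # An empty object means "generate a random password".
    $payload = @{}
    if ($NewPassword -and $NewPassword.Length -gt 0) {
        # Decrypt the SecureString only for the lifetime of this request, then zero the buffer.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        try {
            $payload['newPassword'] = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    $body = $payload | ConvertTo-Json -Compress

    # Invoke-WebRequest (not Invoke-RestMethod) so the Location header is readable.
    $response = Invoke-WebRequest -Uri $uri -Method POST -Headers $Headers -Body $body `
                                  -ContentType 'application/json' -UseBasicParsing
    $payload = $null; $body = $null   # stop referencing the plaintext as soon as it has been sent

    if ($response.StatusCode -ne 202) {
        throw "Unexpected status $($response.StatusCode) from resetPassword"
    }

    # Headers is string->string on Windows PowerShell 5.1 and string->string[] on PowerShell 7;
    # wrapping in @() and taking [0] works for both.
    $statusUri = @($response.Headers['Location'])[0]
    if (-not $statusUri) { throw "resetPassword returned 202 without a Location header" }

    # Poll the long-running operation until it reports a terminal status.
    # Assumption: the status body exposes a 'status' property ending in succeeded or failed.
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $status = Invoke-RestMethod -Uri $statusUri -Headers $Headers -Method GET
        if ($status.status -in @('succeeded', 'failed')) { return $status }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "Password reset did not reach a terminal state after $($MaxPolls * $PollSeconds) seconds"
}

# Usage (placeholders, not real identifiers):
# $h  = HeaderToken-RW
# $pw = Read-Host -AsSecureString 'New password (leave blank to let Azure AD generate one)'
# $result = Invoke-GraphPasswordReset -Headers $h -UserId '<user-object-id>' -PasswordMethodId '<password-method-id>' -NewPassword $pw
# $result.status   # 'succeeded' or 'failed'
```

Two practical notes: the function never writes the plaintext to the console or a log, and if the operation result carries a system-generated password (assumed property name newPassword), treat that value as a secret to be delivered out of band rather than stored in a transcript or variable longer than needed.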
