Forum Discussion
EntilZha
May 07, 2021, Iron Contributor
Resetting User’s Password using Microsoft Graph API
Working on a project to develop a tool, and one aspect of this tool is to reset a user’s password using Graph API with Application Permissions. Been searching on the internet and found a lot of suggestions on using delegated and application permissions; however, I was unable to get the password reset to work using Graph API.
Environment Information: we have an on-premises Active Directory and use Azure AD Connect to sync accounts to Azure AD with Password Writeback.
Question: How can I reset a user’s password in Azure AD using only Microsoft Graph API with Application permissions? What permissions will I need for the application, and which URI would I need to use?
The last option I tried can be found on this website: https://levelup.gitconnected.com/how-to-reset-or-update-user-passwords-with-microsoft-graph-api-in-azure-ad-c6733c3b0ac3
From this website I tried “The solution to use AAD PowerShell V2.0”
Thank You,
Larry
- AFAIK application permissions are not supported for this operation.
- EntilZha (Iron Contributor), replying to VasilMichev:
I'm working off the following Microsoft document to reset a user's password using Graph:
https://docs.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword?view=graph-rest-beta&tabs=http
I created a service account:
- gave that account the "Authentication admin" privilege
- added the UserAuthenticationMethod.ReadWrite.All permission to the app in App Registration
Question: Do you have any recommendation on what I would need to get graph for PW reset to work?
Also, I have an additional question; I'm still new to using Microsoft Graph API within PowerShell. How can I make the payload (password) a $variable?
Thank You,
-Larry
Below is a snapshot of the script I'm trying to get to work:
###############################################
Function HeaderToken-RW
{
    # Define AppId, secret and scope, your tenant name and endpoint URL
    $AppId = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    $AppSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    $Scope = "https://graph.microsoft.com/.default"
    $TenantName = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    $Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"
    # Add System.Web for urlencode
    Add-Type -AssemblyName System.Web
    # Create body
    $Body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = $Scope
        grant_type    = 'client_credentials'
    }
    # Splat the parameters for Invoke-RestMethod for cleaner code
    $PostSplat = @{
        ContentType = 'application/x-www-form-urlencoded'
        Method      = 'POST'
        # A hashtable body is form-encoded by Invoke-RestMethod
        Body        = $Body
        Uri         = $Url
    }
    # Request the token!
    $Request = Invoke-RestMethod @PostSplat
    # Create header
    $Header = @{ Authorization = "$($Request.token_type) $($Request.access_token)" }
    Return $Header
} #End Header Function

$AdminName = 'xxxxx@xxxx.com'
# Encrypted standard string (output of ConvertFrom-SecureString), not a plaintext password
$EncryptPW = "xxxxxxxxxxxxxxxx"
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminName, ($EncryptPW | ConvertTo-SecureString)
$UserAZGUID = 'XXXXXXXXXX-XXXXXXXXX-XX-XXXXXXXXXX-XXXX'
$HeaderRW = HeaderToken-RW
# The password method id in the URI is the fixed, well-known id of the password
# authentication method (see the Graph doc above), not the user's object id
$PWMethodId = '28c10230-6103-485e-b985-444c60001490'
$PWResetURI = "https://graph.microsoft.com/beta/users/$UserAZGUID/authentication/passwordMethods/$PWMethodId/resetPassword"
$Body = '{"newPassword" : "password"}'
# -Headers needs the variable, i.e. $HeaderRW
$UserResult = Invoke-RestMethod -Headers $HeaderRW -Uri $PWResetURI -Method POST -Body $Body -Credential $UserCredential -ContentType "application/json"
- Something like this should do:
$password = "password"
# Build the JSON from a hashtable; a single-quoted string would not expand $password
$Body = @{ newPassword = $password } | ConvertTo-Json -Compress
or you can just ask for input via Read-Host or similar. Or not specify a password at all, in which case a random one would be generated.
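As an added worked example for the two questions in this thread (how to call resetPassword from PowerShell, and how to pass the password as a variable), and not code from the original posts or from Microsoft: a token helper and a reset function that build the JSON body with ConvertTo-Json, read the secret and the new password with Read-Host -AsSecureString instead of hardcoding them, and follow the Location header that the beta resetPassword endpoint returns so the caller learns whether the reset actually completed. The function and parameter names, the polling interval and the placeholder ids are my own choices; the endpoint URL and the well-known password method id come from the Graph document linked above. Whether the call is accepted at all depends on the permission question discussed in this thread; a 403 is surfaced with the Graph error body rather than swallowed.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 and a token that Graph permits to call resetPassword.
function Get-GraphAppToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        # Secret arrives as a SecureString so it is not left in history or transcripts
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        client_id     = $ClientId
        client_secret = $plainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method POST `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return @{ Authorization = "$($resp.token_type) $($resp.access_token)" }
}

function Reset-GraphUserPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $AuthHeader,
        [Parameter(Mandatory)] [string] $UserId,      # object id or UPN
        # Omit to let Azure AD generate a random password (returned in the operation result)
        [securestring] $NewPassword,
        [int] $PollSeconds = 2,
        [int] $MaxPolls = 15
    )
    # Fixed, well-known id of the password authentication method (from the Graph docs)
    $passwordMethodId = '28c10230-6103-485e-b985-444c60001490'
    $uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/passwordMethods/$passwordMethodId/resetPassword"

    # Build the body from a variable; ConvertTo-Json escapes quotes and backslashes for us
    $payload = @{}
    if ($NewPassword) {
        $payload.newPassword = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    }
    $body = $payload | ConvertTo-Json -Compress

    try {
        # Only the Bearer header is sent; no -Credential, which would add an unrelated credential
        $resp = Invoke-WebRequest -Method POST -Uri $uri -Headers $AuthHeader `
            -ContentType 'application/json' -Body $body -UseBasicParsing
    } catch {
        # Surface the Graph error body (for example a 403 when the permission is not granted)
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "resetPassword rejected: $detail"
    }

    # 202 Accepted means the reset is a long-running operation; poll its Location URL
    $statusUri = @($resp.Headers['Location'])[0]
    if (-not $statusUri) { return $resp.Content }
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $op = Invoke-RestMethod -Method GET -Uri $statusUri -Headers $AuthHeader
        if ($op.status -in 'succeeded', 'failed') { return $op }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "resetPassword did not complete after $($MaxPolls * $PollSeconds) seconds"
}

# Usage: secrets and the new password are prompted, never stored in the script.
# '<tenant-id>', '<app-id>' and '<user-object-id>' are placeholders.
$header = Get-GraphAppToken -TenantId '<tenant-id>' -ClientId '<app-id>' `
    -ClientSecret (Read-Host -AsSecureString 'Client secret')
$result = Reset-GraphUserPassword -AuthHeader $header -UserId '<user-object-id>' `
    -NewPassword (Read-Host -AsSecureString 'New password')
$result
```

The operation object returned by the status URL carries a status of succeeded or failed; a failed result explains why in its body, which is what you want in a tool's log rather than an HTTP 202 that looked like success.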
- EntilZha (Iron Contributor): Thank you for responding.