@harryyoud
Forked from thyxkris/graph.md
Last active February 8, 2021 14:25
How to Reset Or Update User Passwords In Azure AD with Microsoft Graph API

Background and Reason

There are two ways of using Microsoft Graph to read and write resources:

  • Delegated permissions: can hold delegated permissions such as Directory.AccessAsUser.All, but every call must go through an interactive sign-in by a user.
  • Application permissions: need no interactive sign-in, which makes them ideal for a backend service. However, some delegated permissions cannot be granted to an application, because it is not a real user and so there is nobody whose rights could be delegated.

So, if we build a service or app that accesses Microsoft Graph, we have to use application permissions to avoid the interactive sign-in, which means the access is not triggered by any user. However, updating the passwordProfile property requires the Directory.AccessAsUser.All permission, which exists only as a delegated permission. That is why the update of the password profile fails regardless of which application permissions are assigned.

Solution

The workaround is to assign the necessary directory role, such as Password Administrator, to our application's service principal, so that it can perform duties that would otherwise require a user with delegated permissions. This can be done with either of two PowerShell modules.

There are two versions of the PowerShell module that you use to connect to Office 365 and administer user accounts, groups, and licenses:

  • Azure Active Directory PowerShell for Graph
  • Microsoft Azure Active Directory Module for Windows PowerShell

Solution using MSOL

Install the MSOnline (MSOL) module and sign in to your Azure Active Directory with it:

Install-Module -Name MSOnline
Connect-MsolService

Getting the ObjectID of the Enterprise Application

We can get the Object ID with the following command:

$tenantID = "<Tenant ID>"
$appID = "<Application ID>"
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantID
$objectId = $msSP.ObjectId

Add a Role Member

Here we choose Password Administrator, so the role has only the minimum power to do password management.

Add-MsolRoleMember -RoleName "Password Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

Solution using AAD PowerShell V2.0

Install the AAD PowerShell V2.0 (AzureAD) module and use it to connect to Azure AD:

Install-Module AzureAD
Connect-AzureAD

Getting the ObjectID of the Enterprise Application

$mysp = Get-AzureADServicePrincipal -SearchString "<your application name>"
$mysp.ObjectId

Add a Role Member

# Get-AzureADDirectoryRole lists only roles already activated in the tenant
$myAADRole = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Password Administrator"}
Add-AzureADDirectoryRoleMember -ObjectId $myAADRole.ObjectId -RefObjectId $mysp.ObjectId
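The AzureAD steps above, carried through as an added example that is not part of the original gist: it resolves the service principal by its Application ID instead of a display-name search, activates the Password Administrator role from its template if the tenant has not done so yet, adds the service principal only if it is not already a member, and ends by listing every holder of the role for review. The `$appId` value is a placeholder you must replace.

```powershell
# Added example (not from the gist): grant the app's service principal the
# Password Administrator role idempotently, then review the role membership.
$appId = "<Application ID>"   # placeholder: your app registration's client ID

Connect-AzureAD | Out-Null

# Resolve the service principal by appId rather than a display-name search,
# so a similarly named app cannot be picked up by mistake.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Directory roles only appear in Get-AzureADDirectoryRole once activated in
# the tenant; activate Password Administrator from its template if needed.
$roleName = "Password Administrator"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Add the service principal only if it is not already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "$($sp.DisplayName) already holds $roleName"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) to $roleName"
}

# Review who holds the role: every principal listed here can reset the
# passwords of non-administrator users, so this list should stay short.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object ObjectType, DisplayName, ObjectId
```

Password Administrator only allows resetting passwords of non-administrator users, so an application holding it cannot take over admin accounts, which is the reason the gist picks this role over a broader one.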
