Microsoft Graph API - Update password - Insufficient privileges to complete the operation

梦如初夏 2021-01-06 17:00

I am trying to update a user via the Microsoft Graph API. I am able to update the DisplayName, but when I update the PasswordProfile I get an error:

I         
2 answers
  • 2021-01-06 17:13

    Passwords are a particularly sensitive data set and therefore have some unique permissions to them. From the documentation:

    When updating the passwordProfile property, the following scope is required: Directory.AccessAsUser.All.

    The Directory.AccessAsUser.All is a Delegated Permission that requires an Admin. In other words, it allows someone who is a Global Administrator to change another user's passwordProfile.

    If you're looking to allow the end user to change their password themselves, there is also a baked in ChangePassword method in the SDK:

    // Delegated call on behalf of the signed-in user; requires admin consent for Directory.AccessAsUser.All
    await graphClient.Me.ChangePassword("current-pwd", "new-pwd").Request().PostAsync();

    Note that this also requires that Admin Consent be granted for Directory.AccessAsUser.All before a user can execute it.

    Keep in mind that Directory.AccessAsUser.All is a "Delegated" rather than an "Application" permission scope. This means it is only supported by the Authorization Code and Implicit flows; it will not work for daemon/service scenarios using the Client Credentials flow.

    If you consider the potential exploits that could be achieved by a non-interactive application having the ability to change users' passwords at will, the reason for this restriction is pretty clear.

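A quick way to tell in advance whether a token you obtained can satisfy the passwordProfile requirement above: Azure AD delegated tokens carry granted scopes in the scp claim, while app-only (client credentials) tokens carry app roles in the roles claim. The checker below is an added example, not code from the answer or from the Graph SDK; the sample tokens are constructed and unsigned, and the decoder deliberately skips signature verification because it only inspects a token your own app just received.

```python
import base64
import json

REQUIRED_SCOPE = "Directory.AccessAsUser.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # Parse the payload only. No signature verification: use this to inspect
    # a token your own app obtained, never to trust an inbound token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_password_update_token(token: str) -> dict:
    claims = decode_claims(token)
    if "scp" in claims:
        # Delegated token (auth code / implicit flow): scp is space-separated.
        ok = REQUIRED_SCOPE in claims["scp"].split()
        flow, reason = "delegated", "ok" if ok else f"missing delegated scope {REQUIRED_SCOPE}"
    elif "roles" in claims:
        # App-only token (client credentials): passwordProfile updates will fail.
        flow, ok, reason = "app-only", False, "app-only token; passwordProfile needs a delegated scope"
    else:
        flow, ok, reason = "unknown", False, "token carries neither scp nor roles"
    return {"flow": flow, "can_update_password_profile": ok, "reason": reason}


def _fake_token(payload: dict) -> str:
    # Constructed, unsigned sample token (alg=none, empty signature) for offline demo only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens: one delegated with the required scope, one app-only.
DELEGATED_TOKEN = _fake_token({"aud": "https://graph.microsoft.com",
                               "scp": "User.ReadWrite.All Directory.AccessAsUser.All"})
APP_ONLY_TOKEN = _fake_token({"aud": "https://graph.microsoft.com",
                              "roles": ["User.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, check_password_update_token(tok))
```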
  • 2021-01-06 17:35

    An easy solution we found is to add the application principal to the "Helpdesk administrator" role.

    1. Go to Azure Active Directory
    2. On the left click on Roles and administrators
    3. Search for the Helpdesk administrator role and click on it
    4. Click on Add assignments and paste your application object id
    5. Wait 5 minutes or so for Azure to take the changes into account
