Insufficient privileges for password reset

Question

My goal is to allow users to change and reset their own passwords within my application. We do not want users to be redirected to consent pages.

I\'ve followed the i

Answer 1

So I will caveat this answer with the fact that there may be good reasons for doing what you are doing, but you should be aware of all the things that the organization will lose by bypassing Azure AD sign-in and related features like SSPR. Please see this excellent blog post that describes some of the things you'll lose - plus while this is still relevant, there are now MORE security features that your customer will lose, like conditional access.

Anyways, assuming you want to press ahead... For your scenario (an app service that bypasses Azure AD SSPR and change password experiences), there is an option for change password (that it appears we did not document - filing a bug for that) and regrettably nothing I can offer for password reset. Let me address the first one.

1. Change Password - in Microsoft Graph (although not documented) you'll find the "changePassword" method on user - ../users/{id}/changePassword, which takes the old password and a new password. This API works ONLY for the signed-in user (so it requires the delegated OAuth2 code flow). It requires an admin to consent for Directory.AccessAsUser.All (although we are looking at adding a more granular permission).

2. Reset password - there is no app-only permission exposed by Microsoft Graph for this. This is an extremely powerful permission to grant to an application. You've already been given the workaround by support, for an admin to explicitly grant this using powershell. This grants your app a lot of privileges to your customer's resources. Alternatively, there is a delegated permission (Directory.AccessAsUser.All) that allows an admin user to reset another user's password. However this wouldn't be a self-service experience.

Hope this helps,

Answer 2

I have resolved this after talking to Microsoft.

Turns out that app registrations need a role assigned to them.

1. Install the Azure AD Module - https://docs.microsoft.com/en-us/powershell/msonline/
2. Open a “Microsoft Azure Active Directory Module for Windows PowerShell” command prompt:

$AADCreds = Get-Credential // You will be prompted for your credentials
Import-Module MSOnline Connect-MsolService -Credential $AADCreds Get-MsolServicePrincipal -AppPrincipalId "" // Note: Copy the ObjectId for your Service Principal
Add-MsolRoleMember -RoleName "" -RoleMemberObjectId -RoleMemberType ServicePrincipal

I used "User Account Administrator" for the directory role.