Getting "403 Forbidden" from Azure AD Graph API trying to reset a user's password


Problem description



We're trying to reset user password using Azure AD Graph API but receiving a "403 Forbidden" when we try to do the reset operation. The call fails in both the scenario where the user is signed-in with the Web API and when they are signed-out. The call is made from our Web API application which has what we think are the correct permissions:

  • "Read and write directory data" - Directory.ReadWrite.All
  • "Sign in and read user profile" - User.Read
  • "Access the directory as the signed-in user" - Directory.AccessAsUser.All

Here are the details of the password reset operation we are doing: https://docs.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

Any suggestions as to why this isn't working?

I am not entirely sure how to interpret this section of the documentation:

"Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password."

Does our application only have these delegated scopes when a user is signed-in? When it refers to "the signed-in user" could this mean our application? Or do we need a special admin user to complete this operation?

Any help at all appreciated :).

Solution

In your case, yes, as delegated permissions are used by applications that have a signed-in user present, and a user or administrator normally consents to the permissions (in your case Microsoft Graph permissions) requested by the application (in your case your Web API). When you provide delegated permissions to your application, it gives your application privileges to perform the action as the signed-in user.

Can you please make sure that you as an Admin have consented to the Directory.AccessAsUser.All and Directory.ReadWrite.All permissions by using the "Grant Permissions" button from the "Required permissions" blade while registering the application on the Azure portal, as these two permissions require admin consent.

You can also look at what has been consented for a particular app by using the Azure AD Graph Explorer and making a query like https://graph.windows.net/tenantname.onmicrosoft.com/oauth2PermissionGrants.

You can try the Microsoft Graph REST API to reset the user password as well, as Microsoft recommends using the latest Microsoft Graph instead of the Azure AD Graph API. You can refer to the update user documentation to reset the password using the PATCH operation on the passwordProfile property like below -

PATCH https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
Content-type: application/json
Authorization: bearer TOKEN

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "XXXXXXXXX"
  }
}
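The answer's point is that the 403 comes down to which delegated scopes the token actually carries, not which permissions were listed on the app registration. A quick way to confirm that before retrying the call is to decode the access token's payload and inspect its `scp` claim, then assemble the Microsoft Graph PATCH from the answer only when one of the scopes the quoted documentation names is present. The script below is an added example, not code from the question, the answer or Microsoft; `make_fake_token`, `missing_reset_scopes` and `build_reset_request` are names chosen here, the sample tokens are constructed inline (unsigned, for offline use only), and the user principal name and password are placeholders.

```python
import base64
import json

# Delegated scopes that the documentation quoted in the question names as
# sufficient to reset a user's password. Directory.ReadWrite.All and
# User.Read, which the question's app has, are not in this list.
REQUIRED_SCOPES = {"User.ReadWrite.All", "Directory.AccessAsUser.All"}

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_scopes(access_token: str) -> set:
    """Return the delegated scopes from a JWT's space-separated 'scp' claim.

    The payload is decoded without verifying the signature: this is a local
    diagnostic of what the token carries, not a trust decision. App-only
    tokens have no 'scp' claim at all, so they yield an empty set.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def missing_reset_scopes(access_token: str) -> set:
    """Empty set if the token carries a scope that permits a password reset;
    otherwise the set of scopes that would satisfy the requirement."""
    if token_scopes(access_token) & REQUIRED_SCOPES:
        return set()
    return set(REQUIRED_SCOPES)


def build_reset_request(access_token: str, user: str, new_password: str,
                        force_change: bool = False) -> dict:
    """Assemble the PATCH shown in the answer as a dict that a client such as
    requests.request(**req) could send. 'user' is an objectId or a UPN."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user}",
        "headers": {
            "Content-type": "application/json",
            "Authorization": f"bearer {access_token}",
        },
        "json": {
            "passwordProfile": {
                "forceChangePasswordNextSignIn": force_change,
                "password": new_password,
            }
        },
    }


def make_fake_token(scp: str) -> str:
    """Build an unsigned JWT-shaped string carrying the given 'scp' claim.

    Constructed for offline demonstration only (hypothetical helper); real
    Azure AD tokens are signed and carry many more claims.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{enc({'typ': 'JWT'})}.{enc({'scp': scp})}."


if __name__ == "__main__":
    # A token shaped like the question's situation: User.Read plus
    # Directory.ReadWrite.All, neither of which the quoted docs list.
    weak = make_fake_token("User.Read Directory.ReadWrite.All")
    print("missing scopes:", sorted(missing_reset_scopes(weak)))

    # A token issued after admin consent to Directory.AccessAsUser.All.
    good = make_fake_token("User.Read Directory.AccessAsUser.All")
    if not missing_reset_scopes(good):
        req = build_reset_request(good, "alice@contoso.example",
                                  "PLACEHOLDER-PASSWORD")
        print(req["method"], req["url"])
```

The scope check is a necessary condition only: as the documentation quoted in the question says, the signed-in user on whose behalf the token was issued must also hold sufficient directory privileges to reset another user's password, and that is not visible in the `scp` claim.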

