Can't change/reset Azure AD user password by Microsoft Graph


Problem description

I use Microsoft Graph (GraphServiceClient) to create/update user data in Azure AD from ASP.NET Core 2.0. There is no problem creating users or updating user details, but I am not able to change/reset a user's password through this.

In Azure: I have an Azure free subscription and created an app to get/update users (using client ID and secret). I also provided the permissions below to Microsoft Graph in the Azure portal.

Read and write directory data, Read all users' full profiles, Read and write all users' full profiles


I am still not able to update the password; the code below returns the error "Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation."

await graphClient.Users["UserId"].Request().UpdateAsync(new User());

Is there any way to update the password through Microsoft Graph using C#?

Recommended answer

Hello Selva,

You have to assign the service principal either User Account Administrator or Global Administrator privileges for this to work.

Follow the steps below to add your service principal as a User Account Administrator. Adding the application as Global Administrator is risky and not recommended.

1. Connect-MsolService

2. Get-MsolRole -RoleName "User Account Administrator"
   Take the role ID from this command. It will be "fe930be7-5e62-47db-91af-98c3a49a38b1".

3. Get-MsolServicePrincipal -AppPrincipalId <Your APP ID>
   Provide your app ID/client ID and get the service principal ID.

4. Add-MsolRoleMember -RoleObjectId <Role ID from step 2> -RoleMemberObjectId <Service Principal Id from Step 3>

After this, acquire a new token and then try to change the password.
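
The reset call the question is after, as an added example that is not part of the original thread: it sends a `PasswordProfile` in the update and reports `Authorization_RequestDenied` separately, so a missing role assignment or a stale token is easy to tell apart from other failures. It assumes `graphClient` is a `GraphServiceClient` using a token acquired after the role assignment above; `PasswordReset`, `NewTemporaryPassword`, `ResetAsync` and the alphabet are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class PasswordReset
{
    // Constructed alphabet (assumption): no look-alike characters; adjust to the tenant's password policy.
    private const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%";

    // Temporary password from a CSPRNG; rejection sampling avoids modulo bias.
    public static string NewTemporaryPassword(int length = 20)
    {
        var chars = new char[length];
        var one = new byte[1];
        int limit = 256 - (256 % Alphabet.Length);
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; )
            {
                rng.GetBytes(one);
                if (one[0] >= limit) continue;   // discard values that would skew the distribution
                chars[i++] = Alphabet[one[0] % Alphabet.Length];
            }
        }
        return new string(chars);
    }

    // Sets a temporary password and forces the user to replace it at next sign-in.
    public static async Task<string> ResetAsync(GraphServiceClient graphClient, string userId)
    {
        var patch = new User
        {
            PasswordProfile = new PasswordProfile
            {
                Password = NewTemporaryPassword(),
                ForceChangePasswordNextSignIn = true
            }
        };
        try
        {
            await graphClient.Users[userId].Request().UpdateAsync(patch);
            return patch.PasswordProfile.Password;   // deliver out of band; do not log it
        }
        catch (ServiceException ex) when (ex.Error?.Code == "Authorization_RequestDenied")
        {
            throw new InvalidOperationException(
                "Service principal lacks the directory role, or the token predates the role assignment.", ex);
        }
    }
}
```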

