Azure AD B2C Connected用户使用Graph AD API更改密码 [英] Azure AD B2C Connected user change password with Graph AD API

问题描述

我们正在使用Azure AD B2C，并且我正在尝试为已登录的用户实现changePassword函数.我们已按照本教程 https://docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ，并且我们已经成功使其成功. 但是我们希望已登录的用户可以更改其现有密码(直接在应用程序中).我们找到了这种方法( https ://msdn.microsoft.com/fr-fr/library/azure/ad/graph/api/functions-and-actions#changePassword )，但我们无法使其正常工作...

We are using Azure AD B2C and I'm trying to implement the changePassword function for signed-in users. We have followed this tutorial https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, and we have succeeded to make it worked. But we want signed-in users to have the possibility to change their existing password (directly in applications). We found this method (https://msdn.microsoft.com/fr-fr/library/azure/ad/graph/api/functions-and-actions#changePassword) but we failed to make it work...

在AD B2C中与已登录用户一起使用AD Graph API的标准工作流程是什么? 我有一个与B2C租户链接的应用程序.我已经创建了Android和iOS应用程序，并且由于注册或登录政策的缘故，我能够连接并获取令牌，这一点还可以... 并行地，我创建了一个服务应用程序以便使用AD Graph API(由于上面的第一个链接). 我们成功地测试了一些操作，例如获取用户列表，找到特定用户，更改某些....但是现在我想对连接的用户(第二个li)使用方法"changePassword"，但我使用它失败.我不知道要提供哪个访问令牌，两个测试(使用来自应用程序服务凭据的令牌或使用由于登录策略而收到的访问令牌)都失败了? 另一个问题，我用PowerShell创建的应用程序服务在Azure门户中不可见是正常的吗?

What is the standard workflow for using AD Graph API in AD B2C with signed-in users ? I have an application linked to a B2C tenant. I have created both Android and iOS apps and I am able to connect and get tokens thanks to the sign-up or sign-in policy, this point is OK... In parallel I have created a service app in order to use the AD Graph API (thanks to the first link above). We have suceeded in testing some operations like get the lists of users, find a specific user, change some.... But now I want to use the method "changePassword" for the connected users (second li) and I have failed using it. I don't know which access token to provide, both tests (using the token from the app service credential or using the access token received thanks to the signin policy) have failed ?? Other question, is it normal that the app service I have created with PowerShell is not visible in the Azure Portal ??

谢谢;)

推荐答案

其他问题，我用PowerShell创建的应用程序服务在Azure门户中不可见是正常的吗?

Other question, is it normal that the app service I have created with PowerShell is not visible in the Azure Portal ??

我们可以通过搜索appPrincipalId来找到由PowerShell创建的服务主体，如下所示:

We can locate the service principal which created by PowerShell by searching the appPrincipalId like below:

要执行Azure AD Graph的更改密码REST API，我们需要提供委托访问令牌.在这种情况下，我们可以使用资源所有者密码凭据流，该流程需要用户的用户名和密码进行身份验证.要使用此流程，我们可以注册服务主体，如下所示:

To perform the change password REST API of Azure AD Graph, we need to provide the delegate access token. In this scenario, we can use resource owner password credentials flow which require users' username and password for the authentication. To use this flow we can register the service principal like below:

$app = New-AzureRmADApplication -DisplayName "appPS2" -HomePage "https://adb2cfei.onmicrosoft.com/appPS2" -IdentifierUris "https://adb2cfei.onmicrosoft.com/appPS2" -Password "123"

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

然后，我们需要登录Azure经典门户以授予委托权限Directory.AccessAsUser.All，如下图:

Then we need to login the Azure classic portal to grant the delegate permission Directory.AccessAsUser.All as figure below:

以下是使用资源所有者密码凭据流来获取令牌的代码:

Here is the code to acquire the token using the resource owner password credentials flow:

Post: https://login.microsoftonline.com/adb2cfei.onmicrosoft.com/oauth2/token

resource=https%3a%2f%2fgraph.windows.net&client_id={ $app.ApplicationId}&grant_type=password&username=fx%40adb2cfei.onmicrosoft.com&password={currentPassword}&client_secret=123

然后我们可以使用此令牌来更改登录用户的密码，如下所示:

Then we can use this token to change the password of the sign-in user like below:

POST: https://graph.windows.net/adb2cfei.onmicrosoft.com/me/changePassword?api-version=1.6

authorization: bearer {access_token}
content-type: application/json

{
"currentPassword":"{currentPassword}",
"newPassword":"{newPassword}"
}

这篇关于Azure AD B2C Connected用户使用Graph AD API更改密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！