使用Microsoft Graph重置用户密码 [英] Resetting a user's password using Microsoft Graph

问题描述

我正在尝试编写一个Web门户，用户可以使用该门户来重置其自己的Azure AD密码.由于我的客户的要求， Azure AD SSPR不能选择.

I'm trying to write a web portal that users can use to reset their own Azure AD password. Because of the requirements of my client, the Azure AD SSPR is not an option.

要实现此目的，我使用的是Microsoft Graph.根据文档，如果您具有 User.ReadWrite.All 或 Directory.AccessAsUser.All 权限，则可以使用Microsoft Graph重置用户密码.

To achieve this I'm using Microsoft Graph. According to the documentation, it is possible to reset a users password using Microsoft Graph if you have User.ReadWrite.All or Directory.AccessAsUser.All permissions.

然后权限文档，备注指出，即使您具有 Directory.ReadWrite.All 权限，也无法重置用户密码.

Then the permissions documentation, the remarks it states that even if you have the Directory.ReadWrite.All permissions you won't be able to reset a users password.

我已经进行了测试，看是否可以正常工作，但得到了 HTTP 403 Forbidden (禁止的HTTP 403)响应.

I've done a test to see if this will work but I get an HTTP 403 Forbidden response.

我正在使用的代码是:

string ResourceUrl = "https://graph.windows.net/";
string AuthorityUrl = "https://login.microsoftonline.com/companyxxx.onmicrosoft.com/oauth2/authorize/";

//Create a user password cradentials.
var credential = new Microsoft.IdentityModel
    .Clients
    .ActiveDirectory
    .UserPasswordCredential("username@xxxx.com", "passwordxxx");

// Authenticate using created credentials
var authenticationContext = new AuthenticationContext(AuthorityUrl);

var authenticationResult = authenticationContext
    .AcquireTokenAsync(ResourceUrl, "xxxxxxxx-3017-4833-9923-30d05726b32f", credential)
    .Result;

string jwtToken = authenticationResult.AccessToken;
var cred = new Microsoft.Rest
    .TokenCredentials(authenticationResult.AccessToken, "Bearer");

HttpClient client = new HttpClient();
var queryString = HttpUtility.ParseQueryString(string.Empty);
queryString["api-version"] = "1.6";
client.DefaultRequestHeaders
    .Accept
    .Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);

var uri = "https://graph.windows.net/xxxxxxxx-18fe-xxxx-bb90-d62195600495/users/xxxxxxxx-aa58-4329-xxxx-b39af07325ee?" + queryString;

//var content = new StringContent("{\"passwordProfile\": {\"password\": \"Test123456\", \"forceChangePasswordNextLogin\": true }}");
var response = client.PatchAsync(new Uri(uri), content, jwtToken);

PatchAsync 方法是如下的扩展方法:

The PatchAsync method is an extension method as below:

public static class HttpClientExtensions
{
    public static async Task<HttpResponseMessage> PatchAsync(this HttpClient client,
        Uri requestUri, HttpContent iContent, string jwtToken)
    {
        var method = new HttpMethod("PATCH");
        var request = new HttpRequestMessage(method, requestUri)
        {
            Content = iContent,
        };
        request.Content.Headers.ContentType =
            new MediaTypeHeaderValue("application/json");

        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", jwtToken);

        HttpResponseMessage response = new HttpResponseMessage();
        try
        {
            response = await client.SendAsync(request);
        }
        catch (TaskCanceledException e)
        {
            Console.WriteLine("ERROR: " + e.ToString());
        }

        return response;
    }
}

有人可以使用凭据授予流以及用于验证的用户名和密码来说明是否可以这样做.如果可以，我该如何实现?

Could someone please clarify if this is possible using the credentials grant flow with a username and password for authentication. If so how do I achieve this?

推荐答案

您正在混合使用Microsoft Graph和Azure AD Graph API.这是两个不同的API，对一个的调用不能与另一个互换.

You're mixing up Microsoft Graph and Azure AD Graph API. These are two different APIs and calls to one are not interchangeable with the other.

您是正确的，因为您需要为此活动使用 Directory.AccessAsUser.All 范围.此范围允许API对AAD进行登录用户可以自己做的任何事情(即更改他们自己的密码).

You are correct in that you need to use the Directory.AccessAsUser.All scope for this activity. This scope allows the API to do anything to the AAD that the signed in user would be able to do themselves (i.e. change their own password).

一旦您对具有 Directory.AccessAsUser.All 权限的用户具有有效的 access_token ，则可以更新用户的

Once you have a valid access_token for the user with Directory.AccessAsUser.All permission, you can update the user's passwordProfile:

PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json

{
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "password-value"
  }
}

这篇关于使用Microsoft Graph重置用户密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！