无法重置没有特定角色的登录用户的密码 [英] can't reset password of signed in user without specific role

问题描述

我有一个在 Azure Functions 中运行的 C# 应用程序，我需要使用用户名\密码凭据更改特定用户的密码.

我的应用程序使用 MSAL 进行身份验证 (

---

GraphServiceClient graphClient = new GraphServiceClient( authProvider );var currentPassword = "{currentPassword}";var newPassword = "{newPassword}";等待 graphClient.Me.ChangePassword(当前密码，新密码).要求().PostAsync();

I have a C# application running in Azure Functions, I need to change password of a specific user using username\password credentials.

My app using MSAL for authentication (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)

and in order to obtain the ability to authenticate with username\password flow this option is used: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Username-Password-Authentication.

I'm using Graph API for changing the password of the user (https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http)

I do manage to reset password that way only if I grant the user one of those built-in assign-roles:

Password Admin, Helpdesk Admin, Authentication Admin, User Admin, Privileged Authentication Admin, Global Admin

but if I don't give the user one those roles it get the following error message when trying to update the user using PATCH request https://graph.microsoft.com/v1.0/users/########-####-####-####-########

Message: { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2021-04-07T12:56:56", "request-id": "########-#####-#####-#####-#####", "client-request-id": "########-####-####-####-########" } } }

My problem is that I don't want to give those permission to any user just to change its own password since those roles are too strong.

It doesn't make sense to me that a user can't change its own password with that flow, since with PowerShell it is possible for example with Update-AzureADSignedInUserPassword and no special roles needed for the user. Why the role does effect it when I try to do the same operation with my flow. any ideas how to overcome this problem, what I'm doing wrong or is that even possible in that flow?

Thanks ahead

解决方案

Trying to use the changePassword endpoint should meet your requirements. You do not need to grant users any administrator roles.

POST https://graph.microsoft.com/v1.0/me/changePassword
Content-Type: application/json
{
  "currentPassword": "Test1234!",
  "newPassword": "Test5678!"
}

---

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var currentPassword = "{currentPassword}";

var newPassword = "{newPassword}";

await graphClient.Me
    .ChangePassword(currentPassword,newPassword)
    .Request()
    .PostAsync();

这篇关于无法重置没有特定角色的登录用户的密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！