使用 Graph API 更改 Azure AD B2C 用户密码 [英] Change Azure AD B2C User Password with Graph API

问题描述

我正在尝试使用

解决方案

查看

I'm trying to use the Sample Graph API app to change a user's password but I'm getting:

Error Calling the Graph API Response:

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

Graph API Request:

PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM

JSON File

{
    "passwordProfile": {
        "password": "Somepassword1$",
        "forceChangePasswordNextLogin": false
    }
}

I've tested updating the user's displayName and that works fine.

{
    "displayName": "Joe Consumer"
}

AD Application Permissions

I've configured my app permissions as described here.

解决方案

Check out this article. Seems like it has the same symptoms.

Solution 1:

If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.

• Go to Azure Management Portal and click Active Directory.
• Select your custom AD directory.
• Click Applications and select your Application.
• Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
• Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
• Finally save the changes.

Solution 2:

If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.

1. Find the service principal using Get-MsolServicePrincipal –AppPrincipalId

   Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
   

2. Use Add-MsolRoleMember to add it to Company Administrator role

   $clientIdApp = 'your-app-id'
   $webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp
   
   Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
   

To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.

这篇关于使用 Graph API 更改 Azure AD B2C 用户密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！