使用 Graph API 更改 Azure AD B2C 用户密码 [英] Change Azure AD B2C User Password with Graph API
问题描述
我正在尝试使用
查看
I'm trying to use the Sample Graph API app to change a user's password but I'm getting:
Error Calling the Graph API Response:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
Graph API Request:
PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM
JSON File
{
"passwordProfile": {
"password": "Somepassword1$",
"forceChangePasswordNextLogin": false
}
}
I've tested updating the user's displayName
and that works fine.
{
"displayName": "Joe Consumer"
}
AD Application Permissions
I've configured my app permissions as described here.
Check out this article. Seems like it has the same symptoms.
Solution 1:
If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.
- Go to Azure Management Portal and click Active Directory.
- Select your custom AD directory.
- Click Applications and select your Application.
- Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
- Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
- Finally save the changes.
Solution 2:
If you are receiving this error when you call the API that includes delete
or reset password
operations, that is because those operations require the Admin role of Company Administrator
. As of now, you can only add this role via the Azure AD Powershell module.
Find the service principal using Get-MsolServicePrincipal –AppPrincipalId
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
Use Add-MsolRoleMember to add it to
Company Administrator
role$clientIdApp = 'your-app-id' $webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.
这篇关于使用 Graph API 更改 Azure AD B2C 用户密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!