Microsoft Graph API, reset user password

  • Question

  • Hi, I'm trying out Microsoft Graph and it all works great.

    I have a script with 'grant_type' = 'client_credentials' to get a token, and I can update user surname, office and so on. I have some problem with the scope 'Directory.AccessAsUser.All', which I need to reset a user password (using the /token endpoint).

    It works when I do it through the /authorize endpoint in the browser, but I would like to have this through PowerShell to begin with and eventually .NET, as I'm doing a test where I'm trying to get a bot to reset a user password (create task automation bots, password reset).

    Is there any example? I can't find any except where I get a sign-in window to get the CODE needed to request a token that gets the Directory.AccessAsUser.All scope.

    I am currently getting 403 Forbidden with the script below, but if I do it manually and sign in against /authorize and get a token from the code I'm getting after redirect_uri, I can reset the password.

    Any help is appreciated.

    Thursday, May 31, 2018 9:03 AM

Answers

  • I figured it out; I used this, and the code above works.

    # MSOnline module. "ServicePrincipalName" is a placeholder for the registered
    # application's service principal name; "Company Administrator" is the MSOL
    # name of the Global Administrator directory role.
    $servicePrincipal = Get-MsolServicePrincipal -ServicePrincipalName ServicePrincipalName
    $roleId = (Get-MsolRole -RoleName "Company Administrator").ObjectId
    Add-MsolRoleMember -RoleObjectId $roleId -RoleMemberObjectId $servicePrincipal.ObjectId -RoleMemberType servicePrincipal


    Thursday, May 31, 2018 9:19 AM

All replies

  • I am using this code

    $tenantId         = ''         # directory (tenant) ID
    $SubscriptionId   = ''         # not used by the Graph calls below
    $ApplicationID    = ''         # app (client) ID of the registered application
    $ApplicationKey   = ''         # client secret
    # A format string, not a script block: {0} is replaced by the tenant ID
    $TokenEndpoint = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
    $ARMResource = "https://graph.microsoft.com"

    # v1 client-credentials request: 'resource' selects the API. 'scope' is a
    # delegated-flow parameter that this grant ignores, and Invoke-RestMethod
    # URL-encodes form values itself, so the value is given unencoded here.
    $Body = @{
            'resource'      = $ARMResource
            'client_id'     = $ApplicationID
            'grant_type'    = 'client_credentials'
            'client_secret' = $ApplicationKey
            'scope'         = 'https://graph.microsoft.com/Directory.AccessAsUser.All'
    }

    $params = @{
        ContentType = 'application/x-www-form-urlencoded'
        Headers     = @{'accept'='application/json'}
        Body        = $Body
        Method      = 'Post'
        URI         = $TokenEndpoint
    }

    $token = Invoke-RestMethod @params

    $headers = @{}
    $headers.Add("authorization","Bearer $($token.access_token)")
    # $respons is expected to hold the target user object (with an .id property)
    # returned by an earlier GET against /users/{upn}; that call is not shown here.
    $ResetPwd = @{
        "passwordProfile" = @{
            "forceChangePasswordNextSignIn" = $false   # JSON boolean, not the string "false"
            "password" = "Test123456!"
        }
    } | ConvertTo-Json
    Invoke-RestMethod -Headers $headers -Method Patch -Uri "https://graph.microsoft.com/beta/users/$($respons.id)" -ContentType "application/json" -Body $ResetPwd

    Thursday, May 31, 2018 9:06 AM
  • @Andreasandersson, glad to know that you got it working. Thanks for sharing the solution on the forum. This would be a great help to other community members.

    Thursday, May 31, 2018 9:25 AM
  • I am using this code

    Invoke-RestMethod -Headers $headers -Method Patch -Uri "https://graph.microsoft.com/beta/users/$($respons.id)" -ContentType "application/json" -Body $ResetPwd

    Hi, I would love to use this code, but I can't see where the '$respons' variable is set; have you left out an API call?
    Thursday, December 12, 2019 11:12 PM
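As an added example (not code from the thread), the lookup step the last reply asks about, carried through end to end: app-only token, GET the user by UPN to obtain the id that the thread's $respons was meant to hold, then PATCH passwordProfile. The tenant ID, app ID, client secret and UPN are placeholders, and the app must already hold the directory rights granted in the accepted answer, otherwise the PATCH returns 403.

```powershell
# Added example, not code from the thread. Placeholders: tenant ID, app (client) ID,
# client secret and the target UPN (constructed sample value).
$tenantId     = '<tenant-id>'
$clientId     = '<application-id>'
$clientSecret = '<client-secret>'
$userUpn      = 'alice@contoso.example'

# 1. App-only token from the v1 endpoint. 'resource' selects Graph; a 'scope'
#    parameter is ignored by this grant, which is why the thread's scope did nothing.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://graph.microsoft.com'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Resolve the user by UPN. This GET is the call the thread's $respons was
#    supposed to come from; its .id is what the PATCH URL needs.
$user = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($userUpn))"

# 3. Random temporary password from a CSPRNG instead of a hard-coded one. The
#    alphabet has 64 symbols, so byte % 64 has no modulo bias; loop until upper,
#    lower and digit classes are all present for the tenant's complexity rules.
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%@&*'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
do {
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    $tempPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
} until ($tempPassword -cmatch '[A-Z]' -and $tempPassword -cmatch '[a-z]' -and $tempPassword -match '\d')

# 4. PATCH passwordProfile. The flag is a JSON boolean (not the string "false"),
#    and the user must replace the temporary password at next sign-in.
$body = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $true
        password                      = $tempPassword
    }
} | ConvertTo-Json
Invoke-RestMethod -Method Patch -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)" `
    -ContentType 'application/json' -Body $body
# Graph answers 204 No Content on success; $tempPassword is intentionally never
# written to the console or a log.
```

Deliver $tempPassword to the user over an out-of-band channel; with forceChangePasswordNextSignIn set, it is only valid until their first sign-in.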