
The following is the request I'm using for the PATCH request for updating a user's password.

using RestSharp;

// Acquire a bearer token and PATCH the user's passwordProfile through Microsoft Graph.
var token = TokenHelper.GetToken().AccessToken;
var client = new RestClient("https://graph.microsoft.com/v1.0/users/" + person.UserPrincipalName);
client.Timeout = -1;
var request = new RestRequest(Method.PATCH);
request.AddHeader("Authorization", "Bearer " + token);
// Let RestSharp serialize the body (it sets Content-Type: application/json itself) so that
// quotes or backslashes in a complex password are escaped instead of breaking the JSON.
request.AddJsonBody(new { passwordProfile = new { password = person.NewPassword } });
IRestResponse response = client.Execute(request);

If I type a complex password I get:

{
  "error": {
    "code": "Request_BadRequest",
    "message": "One or more properties contains invalid values.",
    "innerError": {
      "request-id": "5d97b465-7b27-4328-b0d9-4e9112f2257e",
      "date": "2020-01-03T16:57:35"
    }
  }
}

If I type a simple password I get:

{
  "error": {
    "code": "Request_BadRequest",
    "message": "The specified password does not comply with password complexity requirements. Please provide a different password.",
    "innerError": {
      "request-id": "986fd0da-90d4-45c7-ba74-1ba2bec61956",
      "date": "2020-01-03T17:05:15"
    }
  }
}

If I type no password my response is a 204 No Content (success), and it is working fine if I update other fields (e.g. mobileNumber).

1 Answer

In order to change a user's password, you need to authenticate using either the Authorization Code or Implicit OAuth grant. In addition, you need to request the delegated scope Directory.AccessAsUser.All. From the documentation:

When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.

You should also set forceChangePasswordNextSignIn to true.


2 Comments

Sorry, I should've included this: My app has delegated access to Directory.AccessAsUser.All, User.Read, User.ReadWrite and application access to User.ReadWrite.All. The TokenHelper creates the OAuth2 code through var client = new RestClient("https://login.microsoftonline.com/company/oauth2/v2.0/token");
That looks like Client Credentials, not Authorization Code. A token cannot have both Application and Delegated scopes. It is one or the other based on which OAuth grant you used.
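The answer and the follow-up comment come down to two checks a caller can make before sending the PATCH: is the token a delegated token at all (Azure AD puts delegated permissions in the scp claim and application permissions in the roles claim, with no token carrying both), and does scp include Directory.AccessAsUser.All? A third, separate problem is visible in the question's request: the body is built by string concatenation, so a password containing a double quote or a backslash produces invalid JSON. The page does not confirm that this is what triggered the "invalid values" error, but it is worth ruling out. The following is an added example, not code from the question or the answer; the two tokens are constructed, unsigned samples whose claims are assumed for illustration, and the payload decoding is a client-side diagnostic only, never a substitute for signature validation.

```python
import base64
import json

# Constructed sample tokens (header.payload.signature, unsigned, NOT real
# Azure AD tokens): only the payload claims matter for this diagnostic.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    header = _b64url({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url(claims)}."


# Delegated token (Authorization Code grant): permissions live in "scp".
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Directory.AccessAsUser.All User.Read User.ReadWrite",
    "upn": "admin@contoso.example",   # assumed sample user
})

# App-only token (Client Credentials grant): permissions live in "roles".
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.ReadWrite.All"],
    "idtyp": "app",
})


def decode_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Only useful for inspecting what you are about to send to Graph; the
    resource server, not the client, is the one that validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(token):
    """'delegated' if the token carries scp, 'application' if it carries roles."""
    claims = decode_payload(token)
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "application"
    return "unknown"


def can_set_password(token):
    """The passwordProfile update needs a delegated token with Directory.AccessAsUser.All."""
    scopes = decode_payload(token).get("scp", "").split()
    return token_kind(token) == "delegated" and "Directory.AccessAsUser.All" in scopes


def naive_body(new_password):
    """Mirrors the string concatenation in the question: breaks on '"' or '\\'."""
    return '{\n"passwordProfile": {\n "password": "' + new_password + '"\n}\n}'


def password_patch_body(new_password, force_change=True):
    """Serialize with json.dumps so any character in the password is escaped,
    and set forceChangePasswordNextSignIn as the answer recommends."""
    return json.dumps({
        "passwordProfile": {
            "forceChangePasswordNextSignIn": force_change,
            "password": new_password,
        }
    })


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, token_kind(tok), "can set password:", can_set_password(tok))
    complex_pw = 'P@"ss\\w0rd!'
    print("naive body valid JSON:", is_valid_json(naive_body(complex_pw)))
    print("serialized body:", password_patch_body(complex_pw))
```

Run it against a real token by pasting the access token string into decode_payload; if token_kind reports "application", the helper was issued through client credentials and no amount of consented delegated permissions in the portal will make the passwordProfile update succeed with it.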
