I have been able to create Azure Functions App to manage Azure B2C Users. I can create new users, and update profiles flawlessly using the client_credentials Flow. However, when I change the password using a PATCH request with body:
{
  passwordProfile: {
    password: 'password-value',
    forceChangePasswordNextSignIn: false
  },
  passwordPolicies: "DisablePasswordExpiration"
}
I get this error:
{code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.'}
I have done some research on this, and figured out that updating the password requires the Delegated Permission "Directory.AccessAsUser.All". From the Front End Application, I am signing in using the B2CLogin Flow, therefore the access token is not compatible with Graph API. Also, "Directory.AccessAsUser.All" does not exist at the Application level in the B2C application. Therefore, I can't use the PATCH request with the client_credentials Flow either. According to some suggestions, the process can be done with Azure AD PowerShell by assigning the "Company Administrator" Role. But I have not found a solution to reset the password through the Azure Function. A step-by-step solution (if it exists) would be really helpful for me, as I am relatively new to Azure Services.
The easiest way is to assign the Global Admin role to the service principal on Azure portal.
Go to Azure Portal - Azure Active Directory - Roles and administrators.
Search for "Global admin" and select it.
Click on +Add assignments. And then search for your service principal.
Please note that "Applications are allowed for active assignments only."
So after clicking on "Next>", select "Active" for the Assignment type.
After the assignment is finished, you are able to update the password using the client_credentials flow.
Add-AzureADDirectoryRoleMember, which is mentioned by @Jas Suri, can also do the same thing.
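A minimal Azure Functions-style implementation of the flow in this answer, added here as an example (not the asker's or answerer's code): it obtains a client_credentials token for Microsoft Graph, sends the PATCH body from the question, and surfaces the Graph error code so an Authorization_RequestDenied reply after the role assignment is easy to spot. The tenant, client id, client secret and user object id are assumed placeholders read from environment variables, and fetch is injectable so the flow can be exercised without a network.

```javascript
// Added example, not code from the question or answer. Assumes Node 18+ (global fetch)
// and an app registration that already holds the role described in the answer.
const TENANT = process.env.B2C_TENANT || "contoso.onmicrosoft.com";        // placeholder
const CLIENT_ID = process.env.B2C_CLIENT_ID || "<client-id>";               // placeholder
const CLIENT_SECRET = process.env.B2C_CLIENT_SECRET || "<client-secret>";   // placeholder
const GRAPH = "https://graph.microsoft.com/v1.0";

// client_credentials token request; scope must be the Graph ".default" scope.
function buildTokenRequest(tenant, clientId, clientSecret) {
  const form = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "client_credentials",
    scope: "https://graph.microsoft.com/.default",
  });
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    init: { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: form.toString() },
  };
}

// PATCH /users/{id} with the same passwordProfile body the question uses.
function buildPasswordPatch(userId, token, newPassword) {
  return {
    url: `${GRAPH}/users/${encodeURIComponent(userId)}`,
    init: {
      method: "PATCH",
      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
      body: JSON.stringify({
        passwordProfile: { password: newPassword, forceChangePasswordNextSignIn: false },
        passwordPolicies: "DisablePasswordExpiration",
      }),
    },
  };
}

// Token, then PATCH. Returns a small result object instead of throwing so the
// caller can log which stage failed and which Graph error code came back.
async function resetPassword(userId, newPassword, fetchImpl = fetch) {
  const tok = buildTokenRequest(TENANT, CLIENT_ID, CLIENT_SECRET);
  const tokRes = await fetchImpl(tok.url, tok.init);
  const tokJson = await tokRes.json();
  if (!tokRes.ok) return { ok: false, stage: "token", code: tokJson.error };
  const patch = buildPasswordPatch(userId, tokJson.access_token, newPassword);
  const res = await fetchImpl(patch.url, patch.init);
  if (res.status === 204) return { ok: true, stage: "patch" };  // Graph answers 204 No Content on success
  const err = await res.json();
  // "Authorization_RequestDenied" here means the app still lacks the role/permission.
  return { ok: false, stage: "patch", code: err.error && err.error.code };
}
```

Call resetPassword(userObjectId, newPassword) from the function handler; a result with code "Authorization_RequestDenied" means the role assignment has not taken effect yet.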