
Change Password Azure AD B2C


I have been able to create Azure Functions App to manage Azure B2C Users. I can create new users, and update profiles flawlessly using the client_credentials Flow. However, when I change the password using a PATCH request with body:

{
  "passwordProfile": {
    "password": "password-value",
    "forceChangePasswordNextSignIn": false
  },
  "passwordPolicies": "DisablePasswordExpiration"
}

I get this error:

{code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.'}

I have done some research on this, and figured out that updating the password requires the Delegated Permission "Directory.AccessAsUser.All". From the Front End Application, I am signing in using the B2CLogin Flow, therefore the access token is not compatible with Graph API. Also, "Directory.AccessAsUser.All" does not exist at the Application level in the B2C application. Therefore, I can't use the PATCH request with the client_credentials Flow either. According to some suggestions, the process can be done by Azure AD PowerShell by assigning the "Company Administrator" Role. But I have not found a solution to reset the password through the Azure Function. A step-by-step solution (if it exists) would be really helpful for me as I am relatively new to Azure Services.


Solution

  • The easiest way is to assign the Global Admin role to the service principal on Azure portal.

    Go to Azure Portal - Azure Active Directory - Roles and administrators.

    Search for "Global admin" and select it.


    Click on +Add assignments. And then search for your service principal.


    Please note that "Applications are allowed for active assignments only."

    So after clicking on "Next>", select "Active" for the Assignment type.


    After the assignment is finished, you are able to update the password using client_credentials flow.

    Add-AzureADDirectoryRoleMember, which is mentioned by @Jas Suri, can also do the same thing.
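The PowerShell route the answer mentions, written out as an added example (not code from the question, the answer, or Microsoft): it assumes the AzureAD module is installed and you sign in as a tenant admin, and the tenant name and the function app's Application (client) ID are placeholders. It also verifies the assignment by listing the role's members afterwards, which the portal steps above do not show.

```powershell
# Added example, not code from the question or answer. Assumes the AzureAD
# PowerShell module is installed and you sign in as a tenant admin.
# Placeholders: replace with your B2C tenant and the function app's client ID.
$tenant = "<your-tenant>.onmicrosoft.com"
$appId  = "<application-client-id>"

Connect-AzureAD -TenantId $tenant | Out-Null

# The service principal is the tenant-local object behind the app registration.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
if (-not $sp) { throw "No service principal found for AppId $appId" }

# Older module versions name the role "Company Administrator", newer ones
# "Global Administrator"; match either.
$roleNames = @("Company Administrator", "Global Administrator")
$role = Get-AzureADDirectoryRole | Where-Object { $roleNames -contains $_.DisplayName }

# A directory role is only listable once it has been activated in the tenant.
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $roleNames -contains $_.DisplayName } | Select-Object -First 1
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Skip the assignment if the principal is already a member, so re-runs are safe.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Output "$($sp.DisplayName) already holds $($role.DisplayName)"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
}

# Verify: list the role's current members so the new assignment is visible
# alongside every other account that holds it.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, ObjectId, ObjectType
```

Role membership changes take a short while to propagate, so a client_credentials token issued before the assignment may still return Authorization_RequestDenied until it is renewed.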