jiecao
Scenario
Azure Logic Apps is a powerful cloud automation service. To update Azure Active Directory users' passwords automatically and in batches, a Logic App (Consumption or Standard) can invoke the Microsoft Graph API, but this requires specific permissions.
References
passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn
Sign in with resource owner password credentials grant - Microsoft Entra | Microsoft Learn
List passwordMethods - Microsoft Graph beta | Microsoft Learn
Update user - Microsoft Graph v1.0 | Microsoft Learn
Services Used
Azure Logic App (Consumption or Standard)
Azure Active Directory (AAD)
Solution 1
1. Create an AAD application registration
2. Add the permission UserAuthenticationMethod.ReadWrite.All
3. Grant admin consent
4. Set up the logic app in the designer
Here we selected 'When a HTTP request is received' as the trigger.
Action 1: HTTP – Get token
This action obtains an access token that the following actions use. Note that grant_type=password is the resource owner password credentials (ROPC) grant: the workflow must hold a user's password, and the grant does not work for accounts that require MFA, which is why Microsoft recommends it only where no other flow is possible.
Method: POST
URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=password
&username={MyUsername}%40{myTenant}.com
&password={MyPassword}
Action 2: HTTP – Get Pwd ID
This action retrieves the ID of the password authentication method of the signed-in user (the account used in Action 1, since the ROPC token is delegated).
Method: GET
URL: https://graph.microsoft.com/beta/me/authentication/passwordMethods
Content-Type: application/json
Action 3: HTTP – Update Pwd
This action resets the password of the target user.
Method: POST
URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods/{passwordMethodId}/resetPassword
Content-Type: application/json
Body:
{
"newPassword": "{myNewPassword}"
}
In the URI, use this expression to obtain passwordMethodId from the output of Action 2 (the first entry of the returned value array):
body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']
Solution 2
1. Grant the following four permissions to the application registration and grant admin consent:
User.ManageIdentities.All
User.EnableDisableAccount.All
User.ReadWrite.All
Directory.ReadWrite.All
Reference: Update user - Microsoft Graph v1.0
2. Add the role assignment 'User Administrator' to the application registration
In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role.
Reference: Update user - Microsoft Graph v1.0
3. Set up the logic app in the designer
Here we also selected 'When a HTTP request is received' as the trigger.
Action 1: HTTP – Get token
This action obtains an application-only access token (client credentials grant) that the following action uses.
Method: POST
URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=client_credentials
Action 2: HTTP – Update Pwd
This action updates the password of a user.
Method: PATCH
URL: https://graph.microsoft.com/v1.0/users/{userObjectId}
Content-Type: application/json
Body:
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "{myNewPassword}"
}
}
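As an added worked example (editor's code, not the original post's or Microsoft's), the two request sequences above, Solution 1 (ROPC token, list password methods, resetPassword on beta) and Solution 2 (client-credentials token, PATCH passwordProfile on v1.0), written as plain HTTP calls in Python. The transport is injectable, so the block runs offline against a recording stub whose responses are constructed; the tenant, client id, secret, user names and passwords are placeholders, and the real Graph calls would need the permissions listed in each solution.

```python
"""Editor's worked example of the Solution 1 and Solution 2 call sequences.
Tenant, client id/secret, users and every response below are constructed
placeholders; swap RecordingTransport for urllib_transport to call Graph."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"
SCOPE = "https://graph.microsoft.com/.default"


def urllib_transport(method, url, headers, body):
    """Real transport: send with urllib, return (HTTP status, parsed JSON or None)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class RecordingTransport:
    """Offline stand-in: records each request and answers with constructed responses."""
    def __init__(self):
        self.calls = []  # (method, url, headers, body)

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, {"token_type": "Bearer", "access_token": "constructed-token"}
        if url.endswith("/beta/me/authentication/passwordMethods"):
            return 200, {"value": [{"id": "constructed-method-id"}]}
        if url.endswith("/resetPassword"):
            return 202, None  # resetPassword is a long-running operation: 202 Accepted
        if method == "PATCH" and "/v1.0/users/" in url:
            return 204, None  # PATCH /users returns 204 No Content
        return 404, None


class GraphPasswordClient:
    def __init__(self, tenant, client_id, client_secret, transport=urllib_transport):
        self.tenant, self.client_id, self.client_secret = tenant, client_id, client_secret
        self.transport = transport

    def _token(self, grant_fields):
        # Same form body as the 'HTTP - Get token' action; urlencode produces the %40 for '@'
        form = {"client_id": self.client_id, "scope": SCOPE,
                "client_secret": self.client_secret, **grant_fields}
        status, body = self.transport("POST", TOKEN_URL.format(tenant=self.tenant),
                                      {"Content-Type": "application/x-www-form-urlencoded"},
                                      urllib.parse.urlencode(form))
        if status != 200 or not body or "access_token" not in body:
            raise RuntimeError(f"token request failed: {status} {body}")
        return body["access_token"]

    def token_ropc(self, username, password):
        """Solution 1: delegated token via the resource owner password credentials grant."""
        return self._token({"grant_type": "password", "username": username, "password": password})

    def token_client_credentials(self):
        """Solution 2: application-only token."""
        return self._token({"grant_type": "client_credentials"})

    def _graph(self, method, path, token, payload=None):
        headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        return self.transport(method, GRAPH + path, headers,
                              json.dumps(payload) if payload is not None else None)

    @staticmethod
    def select_password_method_id(listing):
        """Equivalent of the designer expression body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']."""
        methods = (listing or {}).get("value") or []
        if not methods:
            raise LookupError("no password authentication method in response")
        return methods[0]["id"]

    def reset_password_beta(self, token, user, new_password):
        """Solution 1, actions 2 and 3: list the signed-in user's password methods, then reset."""
        status, listing = self._graph("GET", "/beta/me/authentication/passwordMethods", token)
        if status != 200:
            raise RuntimeError(f"listing password methods failed: {status}")
        method_id = self.select_password_method_id(listing)
        status, _ = self._graph(
            "POST", f"/beta/users/{user}/authentication/passwordMethods/{method_id}/resetPassword",
            token, {"newPassword": new_password})
        return status, method_id

    def set_password_v1(self, token, user_object_id, new_password, force_change=False):
        """Solution 2, action 2: PATCH the user's passwordProfile."""
        status, _ = self._graph("PATCH", f"/v1.0/users/{user_object_id}", token,
                                {"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                                     "password": new_password}})
        return status


def run_solution_1(transport):
    client = GraphPasswordClient("contoso.onmicrosoft.com", "my-client-id", "my-client-secret", transport)
    token = client.token_ropc("admin@contoso.com", "placeholder-admin-password")
    return client.reset_password_beta(token, "user1@contoso.com", "placeholder-new-password")


def run_solution_2(transport):
    client = GraphPasswordClient("contoso.onmicrosoft.com", "my-client-id", "my-client-secret", transport)
    token = client.token_client_credentials()
    return client.set_password_v1(token, "00000000-0000-0000-0000-000000000001", "placeholder-new-password")


if __name__ == "__main__":
    stub = RecordingTransport()
    print(run_solution_1(stub), run_solution_2(stub))
```

Running the module prints the simulated results of both sequences; the recorded calls show the exact method, URL and body each Logic App HTTP action sends, which is useful when comparing a failing run against the designer configuration.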
Result
We can check user password update records in the AAD audit logs in the Azure portal:
AAD page -> Users -> AAD audit logs
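An added example (editor's code, not part of the original post) of what to look for in those audit logs: it filters records for password changes and flags any performed by an application identity other than the expected automation, since an app registration holding User.ReadWrite.All and the User Administrator role can reset any non-admin user's password. The records are constructed samples in the shape of Graph directoryAudit objects; the activity names and the app display name PwdResetLogicApp are assumptions, not values taken from the post.

```python
"""Editor's added example: sift Azure AD audit log records for password
changes and flag ones made by an unexpected application identity.
SAMPLE_AUDIT holds constructed records in the directoryAudit shape; the
activity names are an assumption about what the Audit logs blade shows."""
from collections import Counter

RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)", "Change user password"}
ALLOWED_RESET_APPS = {"PwdResetLogicApp"}  # assumed display name of the Logic App's app registration

SAMPLE_AUDIT = [  # constructed sample records
    {"activityDateTime": "2024-01-10T08:00:01Z", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"app": {"displayName": "PwdResetLogicApp"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.com",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2024-01-10T08:00:02Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"app": {"displayName": "PwdResetLogicApp"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.com",
                          "modifiedProperties": [{"displayName": "PasswordProfile"}]}]},
    {"activityDateTime": "2024-01-10T09:15:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.com",
                          "modifiedProperties": [{"displayName": "DisplayName"}]}]},
    {"activityDateTime": "2024-01-10T23:41:00Z", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"app": {"displayName": "UnknownAutomation"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.com",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2024-01-11T10:02:00Z", "activityDisplayName": "Reset user password",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "dave@contoso.com",
                          "modifiedProperties": []}]},
]


def initiator(entry):
    """Return ('app', display name) or ('user', UPN) for whoever performed the action."""
    by = entry.get("initiatedBy") or {}
    if by.get("app"):
        return "app", by["app"].get("displayName") or by["app"].get("appId")
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName")
    return "unknown", None


def is_password_change(entry):
    """True for explicit reset activities, or an 'Update user' that touched a password property."""
    name = entry.get("activityDisplayName", "")
    if name in RESET_ACTIVITIES:
        return True
    if name == "Update user":
        for target in entry.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if "password" in prop.get("displayName", "").lower():
                    return True
    return False


def password_change_events(entries):
    """Normalise each password-change record to a small dict for reporting."""
    events = []
    for entry in entries:
        if not is_password_change(entry):
            continue
        kind, who = initiator(entry)
        targets = [t.get("userPrincipalName") for t in entry.get("targetResources", [])
                   if t.get("type") == "User"]
        events.append({"time": entry.get("activityDateTime"), "activity": entry["activityDisplayName"],
                       "initiator_type": kind, "initiator": who, "targets": targets,
                       "result": entry.get("result")})
    return events


def unexpected_resets(entries, allowed_apps=ALLOWED_RESET_APPS):
    """Password changes made by an app identity that is not on the allow-list."""
    return [ev for ev in password_change_events(entries)
            if ev["initiator_type"] == "app" and ev["initiator"] not in allowed_apps]


def resets_per_initiator(entries):
    """Volume of password changes per initiator, e.g. to spot a runaway batch workflow."""
    return Counter(ev["initiator"] for ev in password_change_events(entries))


if __name__ == "__main__":
    for ev in unexpected_resets(SAMPLE_AUDIT):
        print("UNEXPECTED:", ev["time"], ev["initiator"], "->", ev["targets"])
    print(resets_per_initiator(SAMPLE_AUDIT))
```

The same functions apply unchanged to records pulled from the Graph directoryAudits endpoint or exported from the portal, since both use the initiatedBy/targetResources shape; the allow-list should name only the app registration that the Logic App actually uses.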