Scenario

Azure Logic Apps is a powerful cloud automation service. To update Azure Active Directory users' passwords automatically and in batches, a Logic App (Consumption or Standard) can invoke the Microsoft Graph API, but this requires specific permissions.

References

passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http

Sign in with resource owner password credentials grant - Microsoft Entra | Microsoft Learn
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

List passwordMethods - Microsoft Graph beta | Microsoft Learn
https://learn.microsoft.com/en-us/graph/api/authentication-list-passwordmethods?view=graph-rest-beta&tabs=http

Update user - Microsoft Graph v1.0 | Microsoft Learn
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

Services Used

Azure Logic App (Consumption or Standard)

Azure Active Directory (AAD)

Solution 1

1. Create an AAD application registration

2. Add the permission UserAuthenticationMethod.ReadWrite.All

More details:
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#permissions

3. Grant admin consent

4. Set up the logic app in the designer

Here we selected 'When a HTTP request is received' as the trigger.

Action 1: HTTP – Get token

This action obtains an access token, which the following actions use.

Method: POST

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=password
&username={MyUsername}%40{myTenant}.com
&password={MyPassword}

Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

Action 2: HTTP – Get Pwd ID

This action retrieves the ID of the user's password authentication method.

Method: GET

URL: https://graph.microsoft.com/beta/me/authentication/passwordMethods

Content-Type: application/json

Reference:
https://learn.microsoft.com/en-us/graph/api/authentication-list-passwordmethods?view=graph-rest-beta&tabs=http

Action 3: HTTP – Update Pwd

This action resets the password of a user.

Method: POST

URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods/{passwordMethodId}/resetPassword

Content-Type: application/json

Body:
{
  "newPassword": "{myNewPassword}"
}

Reference:
https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#http-request

In the URI, this expression takes the value of passwordMethodId from the previous action's response:

body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']

Solution 2

1. Grant these 4 permissions to the application registration and grant admin consent:

User.ManageIdentities.All
User.EnableDisableAccount.All
User.ReadWrite.All
Directory.ReadWrite.All

Reference:
Update user - Microsoft Graph v1.0

2. Add the role assignment 'User Administrator' to the application registration

In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role.

Reference: Update user - Microsoft Graph v1.0

3. Set up the logic app in the designer

Here we also selected 'When a HTTP request is received' as the trigger.

Action 1: HTTP – Get token

This action obtains an access token, which the following action uses.

Method: POST

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

Body:
client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=client_credentials

Action 2: HTTP – Update Pwd

This action updates the password of a user.

Method: PATCH

URL: https://graph.microsoft.com/v1.0/users/{userObjectId}

Content-Type: application/json

Body:
{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "{myNewPassword}"
  }
}

Reference:
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#example-3-update-the-passwordprofile-of-a-user-to-reset-their-password
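The same requests the Solution 1 and Solution 2 actions send, as an added example that is not the post's own code: it builds the token, passwordMethods lookup, resetPassword and PATCH passwordProfile calls with the Python standard library so the request shapes can be checked without a tenant. Function names are mine, and tenant ID, client ID, secret, user and password values are supplied by the caller.

```python
"""Added example (not the post's own code): the Solution 1 and Solution 2 Graph
requests as plain functions, so the request shapes can be checked offline."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com"

def token_request(tenant_id, client_id, client_secret, username=None, password=None):
    """(url, form body) for the v2.0 token endpoint: ROPC (grant_type=password,
    Solution 1) when a username is given, else client_credentials (Solution 2)."""
    form = {"client_id": client_id, "scope": f"{GRAPH}/.default",
            "client_secret": client_secret}
    if username is not None:  # ROPC puts a user's password into the workflow
        form.update(grant_type="password", username=username, password=password)
    else:                     # client_credentials needs only the app secret
        form["grant_type"] = "client_credentials"
    return f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", urllib.parse.urlencode(form)

def password_method_id(list_response):
    """Same as the designer expression body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id'],
    but with a clear error when the response lists no password method."""
    methods = list_response.get("value") or []
    if not methods:
        raise LookupError("passwordMethods response contained no methods")
    return methods[0]["id"]

def reset_request(user, method_id, new_password):
    """Solution 1, Action 3: POST .../resetPassword with the new password."""
    path = f"/beta/users/{user}/authentication/passwordMethods/{method_id}/resetPassword"
    return "POST", GRAPH + path, {"newPassword": new_password}

def update_request(user_object_id, new_password, force_change_next_sign_in):
    """Solution 2, Action 2: PATCH /v1.0/users/{id} with a passwordProfile
    (the post sets forceChangePasswordNextSignIn to false)."""
    profile = {"forceChangePasswordNextSignIn": force_change_next_sign_in,
               "password": new_password}
    return "PATCH", f"{GRAPH}/v1.0/users/{user_object_id}", {"passwordProfile": profile}

def graph_call(method, url, body, access_token):
    """Send one Graph request with the bearer token (from the token reply's
    access_token field); returns (HTTP status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)
```

Only graph_call touches the network; the builders return the method, URL and body so they can be compared against the designer's HTTP action inputs.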


Result

We can check the user password update records in the AAD audit logs in the Azure portal:

AAD page -> Users -> AAD audit logs

 
