B2C Graph API - insufficient permissions even when

Published 2019-08-26 21:40

Question:

Running out of things to try, can anyone please help?

Trying to run 'change password' via Postman

I get token using app id and secret

I can read data from the user profile no problem

I grant permissions to Graph API in Azure portal

I generate the token again, review it in jwt.io, sample:

    "Device.ReadWrite.All",
    "Member.Read.Hidden",
    "Directory.ReadWrite.All",
    "Domain.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "Application.ReadWrite.All"
    ],

I send

    "password": "Test123456",
    "forceChangePasswordNextLogin": false

to https://graph.windows.net/[tenant]/users/[user]?api-version=1.6

I still get a fail with the following

    "code": "Authorization_RequestDenied",
    "message": {
        "lang": "en",
        "value": "Insufficient privileges to complete the operation."
    }

Answer 1:

The change password permission isn't enabled in the same manner as the other permissions on the AD Graph API.

You need to set up a tenant admin local to the B2C tenant and then run the PowerShell commands as detailed here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.
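As an added example (not part of the original answer or of the linked guide), the procedure described above could look like the script below. It assumes the MSOnline PowerShell module and that the directory role to grant is "User Account Administrator"; the answer names neither, and `$AppId` and `$RoleName` are placeholder parameters.

```powershell
# Added example: grant a directory role to the B2C application's service principal
# so that the permission check is satisfied by role membership rather than by an
# API permission ticked in the portal.
# Assumptions: MSOnline module is installed; $RoleName default is an assumption.
param(
    [Parameter(Mandatory)] [string] $AppId,              # application (client) ID used to get the token
    [string] $RoleName = 'User Account Administrator'    # assumed role; confirm against the linked guide
)

Import-Module MSOnline -ErrorAction Stop

# Sign in interactively with the admin account that is local to the B2C tenant.
Connect-MsolService

# Resolve the service principal that backs the app registration.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId -ErrorAction Stop
if (-not $sp) { throw "No service principal for application ID $AppId in this tenant." }

# Resolve the role by name instead of hard-coding its object ID.
$role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop
if (-not $role) { throw "Directory role '$RoleName' not found; list roles with Get-MsolRole." }

# Make the script safe to re-run: only add the membership if it is missing.
$existing = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($existing) {
    Write-Output "Service principal '$($sp.DisplayName)' already holds '$($role.Name)'."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
    Write-Output "Added '$($sp.DisplayName)' to '$($role.Name)'."
}

# Show the resulting membership for review.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId } |
    Select-Object DisplayName, RoleMemberType, ObjectId
```

A directory role of this kind applies to every user in the tenant, so after the assignment the application secret carries account-administration rights and should be stored and rotated accordingly.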