Can't reset sign-in user's password - azure-active-directory

In my app a user could reset his password. I have tested that using my account, but my customer said he got the "Insufficient privileges to complete the operation" error. I updated the passwordProfile attribute:
{
    "passwordProfile": {
        "password": "",
        "forceChangePasswordNextSignIn": false
    }
}
The only difference is that my account is an admin account and the customer's is not; is that the reason?

I think you granted the "Directory.AccessAsUser.All" delegated permission with Microsoft Graph so an admin user could reset the password; you could check the permission in the access token by decoding it using an online tool like this one. That delegated permission allows an admin user to reset another user's password; a non-admin user can't reset his own password with the Directory.AccessAsUser.All delegated permission.
Please refer to the answer from @Dan Kershaw for more details.

Related

Username login to Active Directory not correct

I want to access a file in OneDrive through a console app. I followed this article:
https://learn.microsoft.com/en-us/learn/modules/msgraph-access-file-data/3-exercise-access-files-onedrive but I have a problem with the username login: I can't use my main email to log in. Look at the pic below:
My email is number 2, with the full email closeheart777@live.com (which I can't use to log in with). So I created the new user, number 3; I can use the username phong@closeheart777live.onmicrosoft.com to log in. I think the problem is that the user principal name and username for my email is not actually the email.
How can I use my main email to log in?
Appreciate any comments.
@closeheart777live.onmicrosoft.com is actually your default domain name. Our general email address is username + domain name; @closeheart777live.onmicrosoft.com will be added to your username by default when you create a user or invite guest users.
If you want to log in using closeheart777@live.com, obviously you need to use @live.com as your domain name. You can set @live.com as your domain name via a custom domain name.

AAD - Owner password credential flow

Hi, I am trying to use the owner password credential flow by giving a username and password and it is giving the error below. I am using the native application as the client ID.
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET

UserPasswordCredential credentials = new UserPasswordCredential(_userName, _password);
AuthenticationContext authContext = new AuthenticationContext(_authority);
var accessToken = await authContext.AcquireTokenAsync(_apiResourceId, _clientId, credentials);
string token = accessToken.AccessToken;
AdalServiceException: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx' named 'nativeclient'. Send an interactive authorization request for this user and resource
I have a scenario where I cannot use the client credential flow. Is there anything I am missing? When I use the PowerShell client ID 1950a258-227b-4e31-a9cf-717495945fc2 it works. How can I consent to this application in the context of the user, as I am not the tenant admin?
It depends on whether the permissions you have added require admin-consent.
You can see it on Azure portal:
If the permissions require admin-consent, you have to use an admin account to do the consent by clicking "Grant admin consent for {your tenant}" here:
If the permissions don't require admin-consent, you just need to use a non-admin account to do the consent by accessing https://login.microsoftonline.com/{your tenant}/oauth2/authorize?client_id={Client ID}&response_type=code&redirect_uri={Reply URL}&resource={Resource you want to access, for example: https://graph.microsoft.com/}&prompt=consent.
Besides, could you please provide more details about the "scenario where I cannot use client credential flow"?

How to reset password using Microsoft Graph Client SDK(C#)?

How can a user reset his password using the Microsoft Graph client?
I am not able to find the right way to do it.
Thanks.
Tom is correct about this: the delegated scope Directory.AccessAsUser.All allows the signed-in user to change their password. The standard User.ReadWrite can update most properties, but it cannot update the user's password.
It is, however, a supported operation. The SDK includes the PasswordProfile class you need to pass into Graph. The syntax would look something like this:
await graphClient.Me.Request().UpdateAsync(new User() {
    PasswordProfile = new PasswordProfile() {
        Password = "newPassword",
        ForceChangePasswordNextSignIn = true
    }
});
How can a user reset his password using Microsoft Graph client
Unfortunately, it seems that we can't reset the password with the Microsoft Graph client currently. According to the Microsoft Graph update user API, we are required to use the delegated permission type Directory.AccessAsUser.All.
When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.
Delegated permissions are used by apps that have a signed-in user present. For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph.
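The first answer above suggests decoding the access token to see which permission was actually granted, and this answer says Directory.AccessAsUser.All is the one the passwordProfile update needs. The following added example (my own code, not from any of the posters or from Microsoft) decodes the JWT payload without verifying the signature, purely to diagnose an "Insufficient privileges" error, and checks the scp/roles claims for that permission. The two tokens at the bottom are constructed, unsigned samples.

```python
import base64
import json

REQUIRED_SCOPE = "Directory.AccessAsUser.All"  # per the Graph update-user docs quoted above

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Fine for troubleshooting a permission problem; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def token_permissions(token):
    """Delegated permissions arrive in 'scp' (space separated); application
    permissions arrive in 'roles'. Return both as one set."""
    claims = decode_claims(token)
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms

def can_update_password_profile(token):
    return REQUIRED_SCOPE in token_permissions(token)

def diagnose(token):
    """Human-readable verdict for the 'Insufficient privileges' case."""
    perms = token_permissions(token)
    if REQUIRED_SCOPE in perms:
        return "ok"
    return "token lacks %s; granted: %s" % (REQUIRED_SCOPE, " ".join(sorted(perms)) or "<none>")

def make_sample_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])

# Constructed samples: a token that only carries User.ReadWrite, and one with the required scope.
USER_READWRITE_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.ReadWrite User.Read"})
ACCESS_AS_USER_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "Directory.AccessAsUser.All User.Read"})

if __name__ == "__main__":
    for name, tok in (("User.ReadWrite", USER_READWRITE_TOKEN), ("AccessAsUser", ACCESS_AS_USER_TOKEN)):
        print(name, "->", diagnose(tok))
```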

Is it possible to prevent automatic sign-on through Azure Active Directory

We're working on a SaaS application that has recently been configured to use Azure ADAL for authentication. If it matters, we're going the OAuth2 route, with response_type: code.
However, when we're testing the application, if the browser has been signed into an Azure account that does not belong to the tenant acting as identity provider, the prompt for password is bypassed, and the login fails on the Azure screen, saying AADSTS50020 - user not found in tenant.
On the one hand, congratulations to Azure for finding an already signed in user! On the other hand, there is no recourse to elect to not use this signed in user; it does not give the user the chance to interject with credentials that work.
How can we prevent this?
The core issue is we don't want users, visiting our site and ready to sign in, to have to have already signed out of Azure before trying to log in with our site.
Thanks in advance.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
You can find that when requesting an authorization code during the code flow, there is a parameter prompt that indicates the type of user interaction that is required.
Valid values are:
login: The user should be prompted to reauthenticate.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
consent: User consent has been granted, but needs to be updated. The user should be prompted to consent.
admin_consent: An administrator should be prompted to consent on behalf of all users in their organization
You could use prompt=login, which forces the user to enter their credentials on that request, negating single sign-on.
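As an added example (my own code, not from the poster or from Microsoft), here is the authorization-code request from the answer above built with an explicit prompt value, plus the handling of the redirect back, which is where the AADSTS50020 error from the question would surface. It validates prompt against the four values listed above and uses a state value to tie the callback to the request. Tenant, client ID and redirect URI in the sample are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# The prompt values the Azure AD authorize endpoint documents (listed above).
PROMPT_VALUES = {"login", "select_account", "consent", "admin_consent"}
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/%s/oauth2/authorize?%s"

def build_authorize_url(tenant, client_id, redirect_uri, resource, prompt="select_account", state=None):
    """Build the code-flow authorization request. prompt defaults to select_account so a
    browser session signed in to an unrelated tenant is not silently reused; pass
    prompt="login" to always force credentials. Returns (url, state)."""
    if prompt not in PROMPT_VALUES:
        raise ValueError("unsupported prompt value: %r" % prompt)
    state = state or secrets.token_urlsafe(16)  # random per request; store it server-side
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "prompt": prompt,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT % (tenant, urlencode(params)), state

def handle_callback(callback_url, expected_state):
    """Parse the redirect from Azure AD. Returns ("code", <code>) on success or
    ("error", <description>) when Azure AD reports an error such as AADSTS50020.
    Raises if the state does not match the request we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to our request")
    if "error" in qs:
        return "error", qs.get("error_description", qs["error"])[0]
    return "code", qs["code"][0]

# Constructed sample callbacks: one successful, one with the tenant-mismatch error from the question.
SAMPLE_OK_CALLBACK = "https://app.example/callback?code=AUTHCODE123&state=abc123"
SAMPLE_ERROR_CALLBACK = ("https://app.example/callback?error=invalid_grant"
                         "&error_description=AADSTS50020%3A+user+not+found+in+tenant&state=abc123")

if __name__ == "__main__":
    url, state = build_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                     "https://app.example/callback", "https://graph.microsoft.com/", prompt="login")
    print(url)
    print(handle_callback(SAMPLE_ERROR_CALLBACK, "abc123"))
```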

active directory ldap login auth when password needs changing

Let me explain my issue.
I have a PHP application using an LDAP connection to an Active Directory server to authenticate. If I make it so that a user needs to change their password at the next login, it won't allow me to authenticate them before I allow the password change. I can detect that the password change is required, but if I allowed the user to change it then I have no way to work out whether the user is valid or not, which means that the system could be hacked by just knowing the username of a user whose password has expired.
This to me seems daft... is there something I'm missing?
Currently I am:
binding to the server
checking if the password has expired or not
checking the authenticating user's details
This is what I get returned if the user's account is set to change password on next login: auth has failed but there is a password change request.
Is there a specific order the requests need to be sent in so I can auth the user before the password change is sent?
Thanks in advance
By marking the account as "Must change password at next login" there is effectively no password to authenticate, so this doesn't translate to the web.
A better option is to compare the user's pwdLastSet attribute against the domain policy and enforce the change in the application, not in AD.
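The comparison the answer recommends, as an added example (my own code, not the poster's PHP): pwdLastSet is a Windows FILETIME (100-ns intervals since 1601-01-01 UTC), maxPwdAge on the domain object is a negative interval in the same unit, and pwdLastSet is 0 exactly when "must change password at next logon" is set, which is the state the question describes. The state_from_entry helper takes attributes in the list-of-strings shape an LDAP search returns; the entry values at the bottom are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME origin
HUNDRED_NS_PER_SEC = 10_000_000
NEVER_EXPIRES_MAXPWDAGE = -0x8000000000000000  # domain policy "passwords never expire"
UF_DONT_EXPIRE_PASSWD = 0x10000                # userAccountControl per-user flag

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SEC + delta.microseconds * 10

def iso_to_filetime(iso_utc):
    """'YYYY-MM-DDTHH:MM:SS' (UTC) -> FILETIME integer."""
    return datetime_to_filetime(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc))

def password_state(pwd_last_set, max_pwd_age, user_account_control=0, now_ft=None):
    """Classify a user's password from the attributes the app already reads over LDAP.
    Returns 'must_change', 'expired', 'valid' or 'never_expires'."""
    if now_ft is None:
        now_ft = datetime_to_filetime(datetime.now(timezone.utc))
    if pwd_last_set == 0:
        # AD zeroes pwdLastSet for "must change at next logon": there is no password to
        # authenticate against, so the app must treat this as a forced change, not a login.
        return "must_change"
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES_MAXPWDAGE):
        return "never_expires"
    expires_at = pwd_last_set - max_pwd_age  # max_pwd_age is negative, so this adds the age
    return "expired" if now_ft >= expires_at else "valid"

def state_from_entry(entry, max_pwd_age, now_ft=None):
    """entry: attribute dict as an LDAP search returns it (values are lists of strings)."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return password_state(int(entry["pwdLastSet"][0]), max_pwd_age, uac, now_ft)

# Constructed sample data: a 42-day domain policy and three users, evaluated at a fixed "now".
MAX_PWD_AGE_42_DAYS = -42 * 86400 * HUNDRED_NS_PER_SEC  # -36288000000000
NOW_FT = iso_to_filetime("2024-01-01T00:00:00")
SAMPLE_ENTRIES = {
    "alice": {"pwdLastSet": [str(iso_to_filetime("2023-12-01T00:00:00"))], "userAccountControl": ["512"]},
    "bob":   {"pwdLastSet": [str(iso_to_filetime("2023-11-01T00:00:00"))], "userAccountControl": ["512"]},
    "carol": {"pwdLastSet": ["0"], "userAccountControl": ["512"]},  # flagged "must change at next logon"
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, state_from_entry(entry, MAX_PWD_AGE_42_DAYS, NOW_FT))
```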
