I have created Users in Azure AD and with the help of Microsoft graph api trying to change the password of users but getting error message as admin rights required.
Help is appreciated
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "newPassword"
}
}
Try doing a patch and changed the attribute. This also worked for me in the past.
I'm not sure which api you are using , Azure AD Graph API or Microsoft Graph api . But no mater which api , the change password operation is used for the signed-in user to change their own password :
microsoft graph api :
POST https://graph.microsoft.com/v1.0/me/changePassword
Content-Type: application/json
{
"currentPassword": "Test1234!",
"newPassword": "Test5678!"
}
Azure AD Graph api :
POST https://graph.windows.net/me/changePassword?api-version=1.6
Content-Type: application/json
{
"currentPassword": "138122cC#",
"newPassword": "138122c#"
}
Please refer to document : https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/functions-and-actions#changePassword
Note: This action can only be called on the signed-in user. In addition to addressing the operation by using the me alias as shown below, you can use /users//changePassword or /users/userPrincipalName/changePassword, but if you use these addressing modes, the target user must be the signed-in user.
If target user isn't the signed-in user , it will throw error :Access to change password operation is denied.
the user who create the application, or user in the application, must assign as "user administrator" in role setting.
In order to change password you need to give your application the role of "Help Desk Administrator" which has to be done through windows powershell .
These are the sequence of commands to be typed in Windows Power shell to give your app the role of Help Desk administrator.
Install-Module MSOnline
Install-Module AzureAD
Connect-MsolService (after this you will be prompted to login , the user logged in should be a global administrator)
Connect-AzureAD (after this you will be prompted to login , the user logged in should be a global administrator)
$tenantID= "yourtenantid"
$appID = "your app id"
$myAp = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantID
$objectId = $myAp.ObjectId
Add-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberType ServicePrincipal
- RoleMemberObjectId $objectId
After doing all these steps then if you do
POST https://graph.microsoft.com/v1.0/me/changePassword
Content-Type: application/json
{
"currentPassword": "Test1234!",
"newPassword": "Test5678!"
}
then the password will be successfully updated !
Related
For a professional project, a chunk of the pipeline must be able to create an application (the first App registration, so I only have a global Admin) automatically within Azure AD. So far I used AzureAD which works well with Powershell 5.6 on Windows.
I now must be able to run the code with Ubuntu 20.04 and its Powershell 7.2. Unfortunately for me, AzureAD module is only supported on non-core Windows PowerShell, therefore it does not work on core PS6 or PS7. A very simplified piece of code is the following:
# Connection infos
$tenantId = "abcdef12345-1234-1234-124-abcdef12346789"
$account = "my_admin#domain.com" # Is cloud Admin by default
$password = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($account, $password)
Connect-AzureAD -Credential $psCred -Tenant $tenantId
# Create app
$appName = "MyApp"
New-App -appName $appName -tenant_id $tenantId
I am stuck and my question is the following: how could I run such an operation with Powershell 7.2 considering AzureAD is not usable? I did check Connect-MgGraph for the connection part only (https://github.com/microsoftgraph/msgraph-sdk-powershell) but the clientId is an infos that I don't have -and want to create-.
Thanks in advance
You can use DeviceLogin as explained in this article to obtain an oAuth access token for you Global Administrator account in PowerShell (independent of the version) but this first step needs a human interaction.
After obtaining the token, you can use it to make Graph API calls with your Global Administrator permissions to create an application.
Once you create your first application, you must attribute required permissions and use it to automate the process (obtain token programmatically using API calls) for application creation in PowerShell.
You could use Resource Owner Password Credentials (ROPC) to authenticate, however Microsoft actively discourages it in their documentation due to the security implications of sending a password over the wire.
If the security issues present with this method of authentication are still tolerated within your acceptance criteria, you would still need a ClientID. Luckily, AzureAD has a well-known ClientID that you can use to authenticate. This ID is 1950a258-227b-4e31-a9cf-717495945fc2
The below Powershell code should get you started. I've basically translated the HTTP request within Microsoft's documentation into a splatted Invoke-RestMethod command.
$LoginWithROPCParameters = #{
URI = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token"
Method = "POST"
Body = #{
client_id = "1950a258-227b-4e31-a9cf-717495945fc2"
scope = "user.read openid profile offline_access"
username = "username#contoso.onmicrosoft.com"
password = "hunter2"
grant_type = "password"
}
}
Invoke-RestMethod #LoginWithROPCParameters
I'm trying to set a custom signing key for an Azure AD Application Registration. However, I get a confusing error message and cannot complete the request.
I tried to set the credential using multiple strategies:
PowerShell New-AzureADApplicationKeyCredential command
Microsoft Graph API
Manipulating the Application Registrations Manifest directly in Azure Portal
Microsoft Graph returns a simple "Bad Request", whereas PowerShell and Azure Portal are more specific in their responses:
"The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify."
The interesting thing about this error is that I am specifying the usage as "Sign".
PowerShell code snippet:
$appObjectID = $appRegistration.ObjectId
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("<path-to-certificate>")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)
New-AzureADApplicationKeyCredential `
-ObjectId $appObjectID `
-CustomKeyIdentifier $base64Thumbprint `
-Type AsymmetricX509Cert `
-Usage Sign `
-Value $base64Value `
-StartDate $cer.GetEffectiveDateString() `
-EndDate $cer.NotAfter.ToString()
Error message:
Code: Request_BadRequest
Message: The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify.
RequestId: <id>
DateTimeStamp: <timestamp>
Details: PropertyName - keyCredentials.keyId, PropertyErrorCode - InvalidKeyUsage
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed`
This is based on the documentation: MS Docs: New-AzureADApplicationKeyCredential. However, I think there is a mistake in this documentation, since they use a randomly generated GUID as input for the parameter ObjectID, which should be the ObjectID of the Application Registration I want to add the new key credential to. So I replaced this keyId with the ObjectId of my Application Registration. (If I directly use the code from MS Docs, I get a "Request_ResourceNotFound" error because the command can't find the Application Registration with this random GUID in Azure AD.)
Things I have tried:
Change -Usage Sign to -Usage "Sign"
Adding a "Verify" credential to the App (works as expected) with this command
When I try to directly modify the Manifest in Azure Portal, I basically get the same error message:
Failed to update <app-name> application. Error detail: The value for the property "usage" in one of your credentials is invalid. Acceptable values are Sign, Verify.
Screenshot from error in Azure Portal
Is there maybe a issue that some parameters cannot be used this way when setting a "Sign" credential?
Thanks in advance for any help and regards!
Thanks to Ash (see his comment to my initial question) I found the solution in this article. I followed the tutorial and could set the "Sign" Key Credential using Graph API after also including a "Verify" Key Credential and a corresponding Password Credential into the request body.
Running the following Powershell command
$tokenresponse = Get-MsalToken -ClientId $clientID -TenantId $tenantID -Interactive -RedirectUri "http://localhost"
gives me the error:
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
All solutions I found are pointing to the direction, that in the Azure Protal I should enable "Allow public client flows" but this setting is enabled. Any idea how I can get the token (I would need to get a token for delegated permissions)
I know this is an old question, but my answer below might help someone in the future. I ran into this same problem today and the way to fix it was by correcting the configuration on the App Registration. The solution was quite simple. I just had to set up Authentication to the right platform: "Mobile and desktop applications". Instead of Web or SPA.
To test it, get your tenant id and application (client) id, and pass it to the Get-MsalToken commandlet like below. The login page should pop-up, including any MFA dialogs (if MFA is configured).
$tenant_id = "00000000-0000-0000-0000-0000000000000"
$client_id = "00000000-0000-0000-0000-0000000000000"
$authParams = #{
ClientId = $client_id
TenantId = $tenant_id
Interactive = $true
}
$auth = Get-MsalToken #authParams
$auth
This script creates a guest user invitation, but errors when trying to add that newly created user to a SharePoint Online site with the following error:
Add-SPOUser : The specified user janedoe#email.com could not be found.
$tenant = "companyname"
Connect-SPOService -url "https://$tenant-admin.sharepoint.com"
Connect-AzureAD -TenantDomain "$tenant.onmicrosoft.com"
New-AzureADMSInvitation -InvitedUserDisplayName "Jane Doe" -InvitedUserEmailAddress "janedoe#email.com" -InviteRedirectURL "https://$tenant.sharepoint.com/sites/client1" -SendInvitationMessage $true
Start-Sleep -s 60
Add-SPOUser -Group "Client Site 1 Visitors" –LoginName "janedoe#email.com" -Site "https://$tenant.sharepoint.com/sites/client1"
Disconnect-SPOService
Disconnect-AzureAD
How long does it take for Azure AD to populate that user into Office 365?
When trying to add the external user email (outside tenancy) to a SP group via the GUI, tabbing away shows the following error:
"Your organization's policies don't allow you to share with these users. Go to External Sharing in the Office 365 admin center to enable it."
To fix this and the PS script error, after the creation of your extranet SP site run the following PS command after connecting to SPO (only need to run ONCE before adding an external user to a site):
Set-SPOSite -identity https://companyname.sharepoint.com/sites/client1 -sharingcapability ExternalUserAndGuestSharing
Now the PS script will work without error. Start-Sleep is not necessary.
I followed the Microsoft doc to get the billing profile of a customer.
With the auth tutorial with the Powershell Code
$credential = Get-Credential
Connect-PartnerCenter -Credential $credential -ServicePrincipal -TenantId '<TenantId>'
Copied the access token and produced a Postman Get request but still got an 401 unauthorized request
It could be from the security update of Microsoft , but the Auth documentation is from january so i think These are the steps to get access to the parner central
https://www.microsoftpartnercommunity.com/t5/UK-Partner-Zone-Discussions/FY19-CSP-program-new-mandatory-security-requirements/td-p/6981
Or I don't have the right permissions as a user to get the billing profile.
I know it's one step that I oversee or that it's one thing that I did wrong but I can't see it
I am aware that there are some questions on stackoverflow about this issue. But Can't seem to find a solution there
Tried to get the access token with this Powershell code:
$appId = 'xxxxxxxxxxxxxxxxxxxxx'
$appSecret = 'xxxxxxxxxxxxxxxx' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $appId, $appSecret
$token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -ServicePrincipal
New-PartnerAccessToken -RefreshToken $token.RefreshToken -Resource https://api.partnercenter.microsoft.com -Credential $credential -ServicePrincipal
Source and probably more explanation to this you can find here: docs
If the link becomes invalid search for Partner Consent process for the Partner Center
Hope this one helps you out, this was what worked for me. Struggled a lot to find this out also.
Also make sure in your Azure AD app you select access token in the Authentication Setting beneath Implicit grant. And to select , urn:ietf:wg:oauth:2.0:oob beneath the suggested redirect URL's
which token you tried to access the Partner center api. First you have to generate the token by registering app with Partner center.
You have to use client/application id, tenant id/domain name, client secret.
Use that token to access the partner center api.