Reset a user's password without Directory.AccessAsUser.All permission in ADB2C using MS Graph API

Question

Previously, I was able to reset a user's password by using the following steps:

1. Get an access token with an administrator's credentials and setting the scope to Directory.AccessAsUser.All from https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token
2. Pass the new password in a passwordProfile object and hit the https://graph.microsoft.com/v1.0/users/{{oid}} using the access token retrieved from the first step.

But now, I cannot find Directory.AccessAsUser.All under Delegated API Permissions.

How can I change a user's password without it?

Answer 1

If your application or script needs to update users' passwords, you need to assign the User administrator role to your application. The User administrator role has a fixed set of permissions you grant to your application.

See Documentation

To add the User administrator role, follow these steps:

1. Sign in to the Azure portal and use the Directory + Subscription filter to switch to your Azure AD B2C tenant.

2. Search for and select Azure AD B2C.

3. Under Manage, select Roles and administrators.

4. Select the User administrator role.

5. Select Add assignments.

6. In the Select text box, enter the name or the ID of the application you registered earlier, for example, managementapp1. When it appears in the search results, select your application.

7. Select Add. It might take a few minutes to for the permissions to fully propagate.

Answer 2

When you create the application registration, choose the first option - accounts in this organisational directory. You won’t use this app for B2C user flows, only for your admin AAD account, hence you choose the first option.