使用Microsoft Graph重置用户密码

时间:2018-04-16 06:50:29

标签: c# azure-active-directory microsoft-graph

我正在尝试编写一个用户可以用来重置自己的Azure AD密码的Web门户。由于我的客户端的要求, Azure AD SSPR不是一个选项

要实现这一点,请使用Microsoft Graph。根据{{​​3}},如果您拥有User.ReadWrite.AllDirectory.AccessAsUser.All权限,则可以使用Microsoft Graph重置用户密码。

然后是the documentation,它说明即使您拥有Directory.ReadWrite.All权限,也无法重置用户密码。

我已经做了一项测试,看看这是否有效,但我收到HTTP 403 Forbidden回复。

我使用的代码是:

string ResourceUrl = "https://graph.windows.net/";
string AuthorityUrl = "https://login.microsoftonline.com/companyxxx.onmicrosoft.com/oauth2/authorize/";

//Create a user password cradentials.
var credential = new Microsoft.IdentityModel
    .Clients
    .ActiveDirectory
    .UserPasswordCredential("username@xxxx.com", "passwordxxx");

// Authenticate using created credentials
var authenticationContext = new AuthenticationContext(AuthorityUrl);

var authenticationResult = authenticationContext
    .AcquireTokenAsync(ResourceUrl, "xxxxxxxx-3017-4833-9923-30d05726b32f", credential)
    .Result;

string jwtToken = authenticationResult.AccessToken;
var cred = new Microsoft.Rest
    .TokenCredentials(authenticationResult.AccessToken, "Bearer");

HttpClient client = new HttpClient();
var queryString = HttpUtility.ParseQueryString(string.Empty);
queryString["api-version"] = "1.6";
client.DefaultRequestHeaders
    .Accept
    .Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);

var uri = "https://graph.windows.net/xxxxxxxx-18fe-xxxx-bb90-d62195600495/users/xxxxxxxx-aa58-4329-xxxx-b39af07325ee?" + queryString;

//var content = new StringContent("{\"passwordProfile\": {\"password\": \"Test123456\", \"forceChangePasswordNextLogin\": true }}");
var response = client.PatchAsync(new Uri(uri), content, jwtToken);

PatchAsync方法是一种扩展方法,如下所示:

public static class HttpClientExtensions
{
    public static async Task<HttpResponseMessage> PatchAsync(this HttpClient client,
        Uri requestUri, HttpContent iContent, string jwtToken)
    {
        var method = new HttpMethod("PATCH");
        var request = new HttpRequestMessage(method, requestUri)
        {
            Content = iContent,
        };
        request.Content.Headers.ContentType =
            new MediaTypeHeaderValue("application/json");

        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", jwtToken);

        HttpResponseMessage response = new HttpResponseMessage();
        try
        {
            response = await client.SendAsync(request);
        }
        catch (TaskCanceledException e)
        {
            Console.WriteLine("ERROR: " + e.ToString());
        }

        return response;
    }
}

有人可以使用凭据授权流程以及用于身份验证的用户名和密码来澄清这是否可行。如果是这样我怎么做到这一点?

1 个答案:

答案 0 :(得分:2)

您正在混合使用Microsoft Graph和Azure AD Graph API。这是两个不同的API,对一个API的调用与另一个不可互换。

您是正确的,因为您需要使用Directory.AccessAsUser.All范围进行此活动。此范围允许API对登录用户可以自己执行的AAD执行任何操作(即更改自己的密码)。

拥有access_token权限的用户拥有有效Directory.AccessAsUser.All后,您可以更新用户passwordProfile

PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json

{
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "password-value"
  }
}
相关问题
最新问题