Azure Integration Services Blog

How to use Azure Logic Apps to update an AAD user’s password automatically

jiecao
Microsoft
Oct 19, 2023

Scenario

Azure Logic Apps is a cloud automation service. To update Azure Active Directory users’ passwords automatically and in batches, a Logic App (Consumption or Standard) can call the Microsoft Graph API, but this requires specific permissions.

References

passwordAuthenticationMethod: resetPassword - Microsoft Graph beta | Microsoft Learn

Sign in with resource owner password credentials grant - Microsoft Entra | Microsoft Learn

List passwordMethods - Microsoft Graph beta | Microsoft Learn

Update user - Microsoft Graph v1.0 | Microsoft Learn

Services Used

Azure Logic App (Consumption or Standard)

Azure Active Directory (AAD)

Solution 1

1. Create an AAD application registration

2. Add permission: UserAuthenticationMethod.ReadWrite.All

More details:

https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#permissions

3. Grant admin consent

4. Set up the logic app in the designer

Here we selected 'When a http request is received' as a trigger.

Action 1: HTTP – Get token

This action gets the token that is used in the following actions.

Method: POST

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

Body:

client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=password
&username={MyUsername}%40{myTenant}.com
&password={MyPassword}

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

 

Action 2: HTTP – Get Pwd ID

This action gets the password method ID. Because the token from Action 1 was obtained with the user’s own credentials (the resource owner password credentials grant), /me here refers to that user.

Method: GET

URL: https://graph.microsoft.com/beta/me/authentication/passwordMethods

Content-type: application/json

Reference:

https://learn.microsoft.com/en-us/graph/api/authentication-list-passwordmethods?view=graph-rest-beta&tabs=http

Action 3: HTTP – Update Pwd

This action updates the password of a user.

Method: POST

URL: https://graph.microsoft.com/beta/users/{userObjectId | userPrincipalName}/authentication/passwordMethods/{passwordMethodId}/resetPassword

Content-type: application/json

Body:

{
  "newPassword": "{myNewPassword}"
}

Reference:

https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#http-request

In the URI, we can use this expression to get the value of passwordMethodId from the output of Action 2:

body('HTTP_2_-_Get_Pwd_ID')['value'][0]['id']

Solution 2

1. Grant four permissions to the application registration and grant admin consent:

User.ManageIdentities.All

User.EnableDisableAccount.All

User.ReadWrite.All

Directory.ReadWrite.All

Reference:

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions

2. Assign the ‘User Administrator’ role to the application registration

In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role.

Reference: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

3. Set up the logic app in the designer

Here we also selected 'When a http request is received' as a trigger.

Action 1: HTTP – Get token

This action gets the token that is used in the following actions. Because the grant type here is client_credentials, the token represents the application itself rather than a signed-in user, which is why the application permission and the User Administrator role above are required.

Method: POST

URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Content-type: application/x-www-form-urlencoded

Body:

client_id={MyClientID}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={MyClientSecret}
&grant_type=client_credentials

Action 2: HTTP – Update Pwd

This action updates the password of a user.

Method: PATCH

URL: https://graph.microsoft.com/v1.0/users/{userObjectId}

Content-type: application/json

Body:

{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false,
    "password": "{myNewPassword}"
  }
}

Reference:

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#example-3-update-the-passwordprofile-of-a-user-to-reset-their-password
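As an added example (not the original post’s workflow), this is the code-view workflow definition for the Solution 2 flow; it also shows the two things the designer steps leave implicit: the Authorization header that carries the token from Action 1 into Action 2, and secure inputs/outputs, which keep the client secret, the token and the new password out of the run history. It assumes tenant ID, client ID and client secret are workflow parameters and that the target user’s object ID and new password arrive in the trigger body; the action names, parameter names and trigger schema are assumptions. For Solution 1 the token body would carry grant_type=password with the username and password instead, with the extra GET action from Action 2 inserted before the resetPassword call.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "parameters": {
    "tenantId": { "type": "String" },
    "clientId": { "type": "String" },
    "clientSecret": { "type": "SecureString" }
  },
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "description": "Added example, not the original post's workflow: the caller supplies userObjectId and newPassword (assumed field names).",
      "inputs": {
        "schema": {
          "type": "object",
          "properties": { "userObjectId": { "type": "string" }, "newPassword": { "type": "string" } },
          "required": [ "userObjectId", "newPassword" ]
        }
      }
    }
  },
  "actions": {
    "HTTP_-_Get_token": {
      "type": "Http",
      "runAfter": {},
      "runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } },
      "inputs": {
        "method": "POST",
        "uri": "https://login.microsoftonline.com/@{parameters('tenantId')}/oauth2/v2.0/token",
        "headers": { "Content-Type": "application/x-www-form-urlencoded" },
        "body": "client_id=@{parameters('clientId')}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=@{parameters('clientSecret')}&grant_type=client_credentials"
      }
    },
    "HTTP_-_Update_Pwd": {
      "type": "Http",
      "runAfter": { "HTTP_-_Get_token": [ "Succeeded" ] },
      "runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } },
      "inputs": {
        "method": "PATCH",
        "uri": "https://graph.microsoft.com/v1.0/users/@{triggerBody()?['userObjectId']}",
        "headers": { "Authorization": "Bearer @{body('HTTP_-_Get_token')?['access_token']}", "Content-Type": "application/json" },
        "body": {
          "passwordProfile": { "forceChangePasswordNextSignIn": false, "password": "@{triggerBody()?['newPassword']}" }
        }
      }
    }
  }
}
```

With secure inputs enabled on both actions, the run history shows the HTTP calls as succeeded but masks the request bodies and headers, so the only record of which user was changed is the AAD audit log described below.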

Result

We can check the password update records in the AAD audit logs in the Azure portal:

AAD page -> Users -> AAD audit logs

Updated Oct 18, 2023
Version 1.0
  • Any idea if this is also possible with a Managed Identity, as that is considered more secure and easier to maintain since it doesn't need a client secret?

  • MahfuzurRahman I think this is useful when a logic app connector does not support a service principal account, like the Dataverse connector. But I do not know how to update the other side. 😞

  • MahfuzurRahman
    Copper Contributor

    In which scenario can we use this? What are the business benefits? As I know, users reset their own password and it syncs automatically.