Closed jpsebasti closed 1 year ago
From my understanding, v2.0 of the Microsoft Graph PowerShell SDK supports Managed Identity. I am checking with the Developers to ensure that this is indeed the fact.
Thanks for following up on this.
According to the API reference, resetting a user's password is only supported when using Delegated (work or school account) permissions. Calling the resetPassword API using a service principal/managed identity (application permission type) is currently not supported. Please note that managed identities are a special type of service principal that can only be used with Azure resources.
If you would like to see this scenario supported by the API, please consider upvoting or opening a service feature request at https://developer.microsoft.com/en-us/graph/support.
Thanks for answering Peombwa. What you are telling me is that the Azure AD PowerShell module is being deprecated and the Microsoft Graph modules that I am being forced to use because of the deprecation are not 100% functionally equivalent. This is VERY poor software engineering. Using the Azure AD modules I can accomplish offboarding a user from my environment programmatically. One of the steps in that process is resetting the password for the account to a random string of characters (in addition to deactivating the account). Apparently with the Graph SDK this last step is not programmatically possible.
I understand the blocking nature of this for your scenario. The resetPassword API does not support application permissions, as stated at https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-1.0&tabs=http#permissions. This is something we, an SDK, cannot change.
Permissions required to access a resource are defined at the API level, not the SDK (this repository). As mentioned earlier, I recommend contacting the API owner directly at https://developer.microsoft.com/en-us/graph/support by opening a feature request/question to have support for this scenario reviewed. The API/area owner should be able to guide you on the next steps since you are migrating from AzureAD to Microsoft Graph.
This repository is only for Microsoft Graph PowerShell SDK issues and feedback. For API and migration queries, please use https://developer.microsoft.com/en-us/graph/support.
So who is the API owner? This means something inside of Microsoft but I have no idea who to contact.
From: Peter Ombwa @.> Sent: Monday, June 12, 2023 5:40 PM To: microsoftgraph/msgraph-sdk-powershell @.> Cc: @. @.>; Author @.***> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] Reset-MgUserAuthenticationMethodPassword called from Azure Automation using User Defined Managed Identity unauthorized error (Issue #2058)
You can specify Identity and Access Management as the category of your feature request.
The API owner will then triage and review the feature request. I'll also internally notify the PM in charge of Azure AD migration of this scenario. Unfortunately, not all teams work in GitHub hence the support link above.
Closing as not supported by the API. A feature request will need to be filed with the API owner to have application permission supported.
Thank you
From: Peter Ombwa @.> Sent: Tuesday, June 13, 2023 4:05 PM To: microsoftgraph/msgraph-sdk-powershell @.> Cc: @. @.>; Author @.***> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] Reset-MgUserAuthenticationMethodPassword called from Azure Automation using User Defined Managed Identity unauthorized error (Issue #2058)
I have a User Defined Managed Identity in Azure. I have granted this Managed Identity the following MS Graph permissions: "Domain.Read.All", "Directory.ReadWrite.All", "User.ReadWrite.All", "User.EnableDisableAccount.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "AccessReview.ReadWrite.Membership", "UserAuthenticationMethod.ReadWrite.All"
According to the PowerShell command:

```powershell
Find-MgGraphCommand -Command Reset-MgUserAuthenticationMethodPassword
```

The required permissions for using this cmdlet are: "UserAuthenticationMethod.ReadWrite.All". As shown earlier, this permission has been granted to my Managed Identity.
In my Azure Automation Powershell 7.2 environment, I have all of the required Powershell Microsoft Graph modules loaded.
My code generates a random password into the $p variable. Here is the rest of my code:

```powershell
$method = Get-MgUserAuthenticationPasswordMethod -UserId $user.Id
try {
    Write-Output ""
    Write-Output " Resetting password for account $($user.DisplayName) to $p"
    Reset-MgUserAuthenticationMethodPassword -UserId $user.Id -AuthenticationMethodId $method.Id -NewPassword "$p"
}
catch {
    $_.Exception
    Write-Output " ERROR - Encountered an error attempting to change the password for $($user.DisplayName)"
}
```
When I execute the code in Azure Automation, here is the error that is generated:
```text
Reset-MgUserAuthenticationMethodPassword_ResetExpanded1:
Line |
 182 |  Reset-MgUserAuthenticationMethodPassword -UserId $user.id -Authen …
     |  ~~~~~~~~~~~~~
     | The user is not authorized to access this resource.
```

I'm not sure what other privileges I need.
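The failure above is the expected outcome of calling a delegated-only API with an app-only token: granting UserAuthenticationMethod.ReadWrite.All to the managed identity does not help, because the resetPassword API accepts no application permissions at all. The following is an added example, not code from the SDK or from the issue author, showing a preflight check an offboarding runbook can run before attempting the reset. It uses Get-MgContext (whose AuthType is "Delegated" for work/school sign-ins and "AppOnly" for managed identities and client credentials) and Find-MgGraphCommand to compare the granted scopes against the cmdlet's documented permissions. The function names Test-ResetPasswordPrerequisites and Invoke-OffboardingPasswordReset, and the $UserId/$NewPassword values, are assumptions of this example.

```powershell
# Added example (not the SDK's own code). Assumes Connect-MgGraph has already been
# called, either interactively (delegated) or with -Identity (managed identity).
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

function Test-ResetPasswordPrerequisites {
    # Returns an object with Ok=$true only when the current Graph session can
    # legitimately call Reset-MgUserAuthenticationMethodPassword.
    $ctx = Get-MgContext
    if (-not $ctx) {
        return [pscustomobject]@{ Ok = $false; Reason = 'Not connected to Microsoft Graph; run Connect-MgGraph first.' }
    }

    # resetPassword supports delegated permissions only. An app-only token (managed
    # identity, client credentials) is rejected with
    # "The user is not authorized to access this resource." regardless of the
    # application permissions granted to the service principal.
    if ($ctx.AuthType -ne 'Delegated') {
        return [pscustomobject]@{
            Ok     = $false
            Reason = "Session AuthType is '$($ctx.AuthType)'; resetPassword requires a delegated (work or school account) token."
        }
    }

    # Confirm that at least one of the permissions documented for the cmdlet is
    # present in the token's scopes (Find-MgGraphCommand lists alternatives, any
    # one of which is sufficient).
    $cmdInfo  = Find-MgGraphCommand -Command Reset-MgUserAuthenticationMethodPassword -ApiVersion v1.0 | Select-Object -First 1
    $required = @($cmdInfo.Permissions | ForEach-Object { $_.Name })
    $granted  = @($required | Where-Object { $ctx.Scopes -contains $_ })
    if ($granted.Count -eq 0) {
        return [pscustomobject]@{
            Ok     = $false
            Reason = "Delegated session lacks a required scope; need one of: $($required -join ', ')"
        }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "Delegated session with scope(s): $($granted -join ', ')" }
}

function Invoke-OffboardingPasswordReset {
    param(
        [Parameter(Mandatory)][string]$UserId,      # object id or UPN of the account being offboarded
        [Parameter(Mandatory)][string]$NewPassword  # random value generated by the caller
    )

    # Fail fast with an actionable reason instead of letting the API reject the call.
    $check = Test-ResetPasswordPrerequisites
    if (-not $check.Ok) {
        Write-Warning "Skipping password reset for $UserId : $($check.Reason)"
        return $false
    }

    try {
        $method = Get-MgUserAuthenticationPasswordMethod -UserId $UserId | Select-Object -First 1
        if (-not $method) {
            Write-Warning "No password authentication method found for $UserId"
            return $false
        }
        Reset-MgUserAuthenticationMethodPassword -UserId $UserId -AuthenticationMethodId $method.Id -NewPassword $NewPassword
        Write-Output "Password reset submitted for $UserId"
        return $true
    }
    catch {
        # Surface the Graph error text; do not echo the new password into the job log.
        Write-Warning "Password reset failed for $UserId : $($_.Exception.Message)"
        return $false
    }
}
```

Run inside an Azure Automation runbook that connected with Connect-MgGraph -Identity, the check returns Ok=$false with the AuthType reason and the reset is skipped, which is the same condition the error in this issue reports, but caught before the call and without a stack trace in the job output. The other offboarding steps the issue mentions (disabling the account, which User.EnableDisableAccount.All does cover for application permissions) can proceed in the same runbook.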