
I've just found out how to update the password of a signed-in user via Graph api in my Web Api. Now I need to send a user that is not signed-in an email with a new password so they can sign in and change their password.

How can I send an email to an User without a signed-in user (so no token)? And if that's not possible, how can I give users the ability to change their forgotten passwords in my Web API (ROPC flow)? Thank you very much!

ManuBera

1 Answer


I tried to reproduce the same in my environment and got below results:

I registered one application and added API permission like below:

[screenshot of the API permissions omitted]

Now I generated one access token using ROPC flow via Postman like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id: <appID>
grant_type: password
scope: https://graph.microsoft.com/Directory.AccessAsUser.All
username: devi@sritenantb2c.onmicrosoft.com
password: xxxxxxxxxxx
client_secret: <secret>

Response:

[screenshot of the token response omitted]

Now, I used the above token in below graph call and changed password successfully like below:

POST https://graph.microsoft.com/beta/users/<userID>/changePassword
Content-type: application/json

{
    "currentPassword": "xxxxxxxxxx",
    "newPassword": "yyyyyyyyyy"
}

Response:

[screenshot of the changePassword response omitted]

Reference:

How to reset and change the password using Microsoft graph API of Azure AD B2C users by AmanpreetSingh-MSFT

Sridevi
  • Thank you for your answer! Let's imagine a real life scenario: 1) User tries to log in, but the password is not correct. 2) User can select "Reset Password" via the UI in client application 3) Now the user would need to receive an email with either a link that gets them to a website where they can change their password or they receive a new password they can use to log in and change their password as a logged in user. In any case, the Web Api would have to send an email and I don't know how to do that with the Graph Api without signed in User. – ManuBera Feb 07 '23 at 15:03
  • You can check [this thread](https://stackoverflow.com/questions/75296873/force-user-to-login-after-resetting-password-in-azure-adb2c/75305857#75305857) that I answered recently where user will get an email to verify, once they selected **Forgot password** link. – Sridevi Feb 07 '23 at 15:09
  • Thank you again for your quick reply! This solution only seems to work with SignUpSignIn user flow. I need my Web Api to handle it, since I don't have a browser to sign up / in. Imagine a game that has its own sign-in UI, with a "Reset Password" button. The button would send a request to the Web Api and the Web Api would send an email to the email address of the User (but I'm open for other suggestions that don't involve a browser sign up/in flow). – ManuBera Feb 07 '23 at 15:45
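The two Postman calls from the answer (ROPC token request, then the beta changePassword call) as one script. This is an added example, not code from the answer or from Microsoft; it assumes the same app registration and API permission the answer shows, and the tenant ID, app ID, client secret, user ID and passwords are placeholders read from environment variables. The request builders are separated from the network call so the exact wire format can be inspected without a live tenant, and a token-endpoint error body (the JSON `error` / `error_description` pair) is surfaced instead of being passed on as a bearer token.

```python
"""ROPC token acquisition + Graph changePassword (added example, not from the answer).

Placeholders (assumed, supply your own): TENANT_ID, CLIENT_ID, CLIENT_SECRET,
USER_ID, USERNAME, CURRENT_PASSWORD, NEW_PASSWORD via environment variables.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"
GRAPH_BASE = "https://graph.microsoft.com/beta"  # the answer uses the beta endpoint
DEFAULT_SCOPE = "https://graph.microsoft.com/Directory.AccessAsUser.All"  # scope from the answer


def build_token_request(tenant_id, client_id, client_secret, username, password, scope=DEFAULT_SCOPE):
    """Return (url, form-encoded body) for the ROPC token request shown in the answer."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "grant_type": "password",  # ROPC: the user's password travels through this app
        "scope": scope,
        "username": username,
        "password": password,
        "client_secret": client_secret,
    }
    return url, urllib.parse.urlencode(form).encode()


def parse_token_response(raw_json):
    """Extract access_token; raise with the AAD error code/description if the grant failed."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def build_change_password_request(access_token, user_id, current_password, new_password):
    """Return (url, headers, JSON body) for POST /beta/users/{id}/changePassword."""
    url = f"{GRAPH_BASE}/users/{user_id}/changePassword"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    body = json.dumps({"currentPassword": current_password, "newPassword": new_password}).encode()
    return url, headers, body


def post(url, body, headers=None):
    """POST and return (status, response text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def change_password(tenant_id, client_id, client_secret, user_id, username, current_password, new_password):
    """Full flow: token via ROPC, then changePassword. Returns the Graph HTTP status (204 = success)."""
    token_url, token_body = build_token_request(tenant_id, client_id, client_secret, username, current_password)
    _, token_raw = post(token_url, token_body)
    access_token = parse_token_response(token_raw)  # never log this value: it is a bearer credential
    url, headers, body = build_change_password_request(access_token, user_id, current_password, new_password)
    status, text = post(url, body, headers)
    if status != 204:
        print(f"changePassword returned {status}: {text}")
    return status


if __name__ == "__main__":
    env = os.environ
    status = change_password(
        env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"], env["USER_ID"],
        env["USERNAME"], env["CURRENT_PASSWORD"], env["NEW_PASSWORD"],
    )
    print("password changed" if status == 204 else "password change failed")
```

Run it with the placeholders exported in the environment; a 204 from Graph means the change was accepted, and any token-endpoint refusal (for example a user the ROPC grant cannot authenticate) stops the script before the Graph call with the error code the endpoint returned.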