microsoft-graph-api - Microsoft.Graph.GraphServiceClient 允许我创建用户但不允许我更改密码

问题描述

我有一个由 Azure 中托管的 Angular SPA 和一些用于 API 的 Azure Functions 组成的系统。在一个管理应用程序中，我创建了一个应用程序，它允许管理员用户创建新的用户帐户，包括指定密码。这些新帐户也能够登录我创建的业务线应用程序。我们需要允许创建帐户的同一个人重置密码。出于某种原因，我编写的设置密码的代码不起作用。用户可以创建帐户（包括设置密码）似乎很奇怪，但由于某种原因，同一用户不能独立于创建用户帐户来设置密码。仅供参考，没有电子邮件，这些是用户帐户，因此无法请求重置密码。

这是错误：

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Access to change password operation is denied.",
    "innerError": {
      "date": "2021-01-19T21:58:35",
      "request-id": "a1bc5b50-83e9-47ae-97c7-bda4f524fa0e",
      "client-request-id": "a1bc5b50-83e9-47ae-97c7-bda4f524fa0e"
    }
  }
}

这是我的代码：

//this is the method that works
public async Task<Microsoft.Graph.User> CreateUserAsync(string givenName,
    string surname, string displayName, string userPrincipalName, string issuer, 
    string signInType, string initialPassword, GraphServiceClient graphClient) 
{
    var user = new Microsoft.Graph.User {
        AccountEnabled = true,
        GivenName = givenName,
        Surname = surname,
        DisplayName = displayName,
        Identities = new List<ObjectIdentity>() {
            new ObjectIdentity {
                Issuer = issuer, 
                IssuerAssignedId = userPrincipalName,
                SignInType = signInType
            }
        },
        PasswordProfile = new PasswordProfile {
            ForceChangePasswordNextSignIn = false,
            Password = initialPassword
        }
    };

    return await graphClient.Users
        .Request()
        .AddAsync(user);
}

//This one does not work, returns: Access to change password operation is denied.
public async Task<Microsoft.Graph.User> SetPasswordAsync(
string userName, string currentPassword, string newPassword, GraphServiceClient graphClient) 
{
    await graphClient.Users[userName].ChangePassword(currentPassword, newPassword).Request().PostAsync();

    return something here;
}

标签： microsoft-graph-apiazure-ad-b2c