Cannot reset password in Azure B2C — Quick Solution

A recent problem I faced on a client project dealt with Azure B2C password management from a C# .NET application. The scenario was as follows: our application has a password reset workflow in which, when a user wants to reset his or her password, we send them an activation link; clicking it confirms that it is indeed the user who asked for the reset. We then set the password to a strong random string that passes the Azure password policy and send that temporary password to the customer. The customer is forced to change it at the next login.
We recently moved the resources to a new tenant and a new subscription in Azure, and after that the password reset no longer worked. We were getting a 403 error with the message "Insufficient Privileges". What was the issue?

After hours of investigation, we found the following problem:

We are using the Graph API to reset the password. The call we use is a PATCH against the endpoint "users/{objectId}" with a passwordProfile object in the body. So far so good. To use this API, according to the Microsoft documentation, the B2C app needs the Directory.AccessAsUser.All permission. This is repeated in every StackOverflow question and even in some Microsoft forum threads. What both of those places miss is a clear instruction on how to set it up. (That was not our problem, however; I will explain that a little later.)
So to set the correct permission, do the following:
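The reset call described above, as an added example that is not the post's own C# code: it generates a temporary password that satisfies the Azure AD/B2C policy (8 to 256 characters, at least three of the four character classes), builds the PATCH users/{objectId} request with a passwordProfile that forces a change at next sign-in, and maps the 403 the post hit to the two things worth checking. It assumes Microsoft Graph v1.0 at graph.microsoft.com; the object ID, token and the 403 body are constructed placeholders, and the only real network call is in send_reset, which you would run with a real token.

```python
import json
import secrets
import string
import urllib.error
import urllib.request

# Added example, not the post's code. Assumes Microsoft Graph v1.0; the call is
# the same PATCH users/{objectId} with a passwordProfile body the post describes.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Symbols accepted by the Azure AD / B2C password policy (a subset is enough).
SYMBOLS = "@#$%^&*-_!+=[]{}|:,.?/~()<>"


def meets_azure_policy(password: str) -> bool:
    """Azure AD policy: 8-256 characters and at least three of the four classes
    (lowercase, uppercase, digit, symbol)."""
    if not 8 <= len(password) <= 256:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    )
    return sum(classes) >= 3


def generate_temp_password(length: int = 16) -> str:
    """Draw from the CSPRNG (secrets, never random) until the policy is met."""
    if length < 8:
        raise ValueError("Azure AD requires at least 8 characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_azure_policy(candidate):
            return candidate


def build_reset_request(object_id: str, access_token: str, temp_password: str) -> dict:
    """PATCH users/{objectId}; forceChangePasswordNextSignIn makes the
    temporary password usable for one sign-in only."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{object_id}",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": {
            "passwordProfile": {
                "forceChangePasswordNextSignIn": True,
                "password": temp_password,
            }
        },
    }


def send_reset(request: dict) -> tuple:
    """Send the built request. Returns (status, parsed error body or {})."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode(),
        headers=request["headers"],
        method=request["method"],
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, {}  # Graph answers 204 No Content on success
    except urllib.error.HTTPError as err:
        raw = err.read().decode(errors="replace")
        return err.code, json.loads(raw) if raw else {}


def explain_failure(status: int, body: dict) -> str:
    """Map the 403 from the post to the permission and the role to check."""
    code = body.get("error", {}).get("code", "")
    if status == 403 and code == "Authorization_RequestDenied":
        return ("insufficient privileges: check Directory.AccessAsUser.All "
                "(User.ReadWrite.All for app-only calls) and the User "
                "Administrator role assignment on the app's service principal")
    if status == 204:
        return "password reset; user must change it at next sign-in"
    return f"unexpected response {status}: {code or body}"


# Constructed sample of the 403 body Microsoft Graph returns for this failure.
SAMPLE_403 = {"error": {"code": "Authorization_RequestDenied",
                        "message": "Insufficient privileges to complete the operation."}}

if __name__ == "__main__":
    temp = generate_temp_password()
    req = build_reset_request("<user-object-id>", "<access-token>", temp)
    print(json.dumps(req["body"]))
    print(explain_failure(403, SAMPLE_403))
```

Only the generated password and the passwordProfile body go to Graph; the temporary password is still a credential, so treat the channel you send it over (e-mail in the post's workflow) as the weakest link of the scheme.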

  1. Go to the Azure Portal. Open your B2C tenant.
  2. Go to App registrations. Click on your app.
  3. Go to API permissions. Under Configured permissions you have the option Add a permission. Click on it.
  4. Select Microsoft Graph -> Delegated permissions, then under Directory select Directory.AccessAsUser.All.
  5. This permission requires admin consent, so click Grant admin consent for {your app name}.

That's it; the needed permission is granted. Note that Directory.AccessAsUser.All is a delegated permission, so it only applies to calls made on behalf of a signed-in user; an app that calls Graph with its own credentials (client credentials flow) needs the application permission User.ReadWrite.All instead. However, the permission was not our problem. We had already granted it, and the password reset workflow was still failing with insufficient privileges.

After further probing, we found a small caveat in the documentation that is documented nowhere else: we were missing the User Administrator role assignment on our Graph API application. What is this role assignment? The permission alone is not enough; the Graph API application also needs the correct directory role before it may change another user's password. This is set in B2C under Roles and administrators.

  1. Go to the B2C tenant.
  2. Click Roles and administrators in the left pane.
  3. Click User Administrator; the role opens in a new view. Alternatively you can select Helpdesk Administrator or Password Administrator.
  4. From the top menu click Add assignment and select your Graph app.

And this was exactly our problem. When we changed tenant and subscription (that was another hell; if you have a CSP subscription, good luck moving your resources), we lost this role assignment, because the Graph app had to be deleted and recreated, and the role is assigned to that specific app object (its service principal), not to the app name.

The issue is that for a specific app or identity there is no view in the portal where you can see its role assignments, and this creates major confusion. Microsoft needs to update their UX in this regard. (Are you listening, Microsoft?)
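Since the portal gives no per-app view, the check can be done against Graph instead. The following is an added example, not the post's code: it lists the directory roles a service principal is a direct member of via GET /servicePrincipals/{id}/memberOf and reports whether one of the three roles the post names is among them. It assumes Microsoft Graph v1.0 and that you pass the object ID of the app's service principal (the Enterprise application, which is the object the role is assigned to), not the app registration's ID; the two responses are constructed samples, one as it looked after the tenant move and one after the role was re-added.

```python
import json
import urllib.request

# Added example, not the post's code. Assumes Microsoft Graph v1.0 and the
# object ID of the service principal (Enterprise application), the object that
# actually carries the role assignment.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# The three roles the post names as sufficient for resetting user passwords.
PASSWORD_RESET_ROLES = {"User Administrator",
                        "Helpdesk Administrator",
                        "Password Administrator"}


def build_member_of_request(sp_object_id: str, access_token: str) -> dict:
    """GET /servicePrincipals/{id}/memberOf returns the groups and directory
    roles the service principal is a direct member of."""
    return {
        "method": "GET",
        "url": f"{GRAPH_BASE}/servicePrincipals/{sp_object_id}/memberOf",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def directory_roles(member_of_response: dict) -> set:
    """Keep only directoryRole entries; groups come back in the same list."""
    return {
        entry["displayName"]
        for entry in member_of_response.get("value", [])
        if entry.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def can_reset_passwords(member_of_response: dict) -> bool:
    """True when at least one of the password-reset roles is assigned."""
    return bool(directory_roles(member_of_response) & PASSWORD_RESET_ROLES)


def fetch_member_of(sp_object_id: str, access_token: str) -> dict:
    """Live call that follows @odata.nextLink so a long membership list is
    not truncated; returns one merged response in the same shape."""
    req = build_member_of_request(sp_object_id, access_token)
    url, merged = req["url"], {"value": []}
    while url:
        r = urllib.request.Request(url, headers=req["headers"], method="GET")
        with urllib.request.urlopen(r) as resp:
            page = json.load(resp)
        merged["value"].extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return merged


# Constructed samples: the recreated app right after the tenant move (group
# membership only) and the same app once User Administrator was re-added.
SAMPLE_AFTER_MOVE = {"value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "<group-object-id>", "displayName": "B2C Operators"},
]}
SAMPLE_ASSIGNED = {"value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "<group-object-id>", "displayName": "B2C Operators"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "<role-object-id>", "displayName": "User Administrator"},
]}

if __name__ == "__main__":
    for label, sample in (("after move", SAMPLE_AFTER_MOVE),
                          ("role re-added", SAMPLE_ASSIGNED)):
        print(label, sorted(directory_roles(sample)), can_reset_passwords(sample))
```

Run fetch_member_of with the service principal's object ID and a token that can read directory objects, then feed the result to can_reset_passwords; doing this right after recreating the app would have shown the missing role before the first 403.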

Anyway, that is the solution to this confusing problem. I hope this post helps someone who is in the same hell I was in a couple of days ago.

In the next post, I will talk about another strange problem associated with identity creation in B2C.

Until then :)
