I have a B2C environment set up and linked to an application which allows users to sign up.
One of the processes I want to run on a schedule is to update the PasswordProfile of users so that in certain situations I can force users to change their password on their next sign in attempt.
As documented (https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=csharp#permissions), I have added and consented to the Directory.AccessAsUser.All (Delegated) permission for the application accessing Microsoft Graph.
Request:
https://graph.microsoft.com/v1.0/users/{userId}
{
    "passwordProfile": {
        "forceChangePasswordNextSignIn": true
    }
}
When I run this either in C# code or through Postman, it returns the following error message:
"error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    ...
However I have been able to run the same request through https://developer.microsoft.com/en-us/graph/graph-explorer, where I have been able to update the PasswordProfile of a user.
The strange thing is, if I then return to the C# code or Postman and run the same operation against the SAME user that I updated in Graph Explorer, it now works.
Therefore it appears that I have the correct permissions set, but I can only update PasswordProfile if it is not already null. However, when the user is created when signing up through the B2C screens, the PasswordProfile is set to null at this point.
Has anyone come across this before? Or been able to reproduce this?