
"Authorization_RequestDenied" error message when you try to change a password if you use Graph API

PROBLEM
If you try to change the password of a Microsoft Azure Active Directory (Azure AD) user, and if the Organizational Role setting for that user is set to any "Administrator" option, the process fails and generates the following error message:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

When you give the Read and write directory data permission to your application or Application Service Principal, you enable the application to change the password of a typical Azure AD user by using Graph API. This setting is shown in the following screen shot.
[Screen shot: permissions screen]
You can delegate an Azure AD user as an administrator by changing the user's Organizational Role setting, as shown in the following screen shot.
[Screen shot: role screen]
CAUSE
This problem occurs because the users who have any of the "Administrator" organizational roles are not members of "Company Administrator" or "User Account Administrator" in the Office 365 administrative roles.
SOLUTION
To resolve this problem, add your application to "Company Administrator" in the Office 365 administrative roles. To do this, run all the following Azure AD Module for Windows PowerShell (MSOL) cmdlets:

   #-----------------------------------------------------------
   # This will prompt you for your tenant's credential
   # You should be able to use your Azure AD administrative user name
   # (in the admin@tenant.onmicrosoft.com format)
   #-----------------------------------------------------------
   Connect-MsolService

   #-----------------------------------------------------------
   # Replace the Application Name with the name of your
   # Application Service Principal
   #-----------------------------------------------------------
   $displayName = "Application Name"
   $objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

   #-----------------------------------------------------------
   # This will add your Application Service Principal to
   # the Company Administrator role
   #-----------------------------------------------------------
   $roleName = "Company Administrator"
   Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

Also, you must add your application to "User Account Administrator" in the Office 365 administrative roles if the Azure AD user has any of the following "Administrator" organizational roles:
  • Global Administrator
  • Billing Administrator
  • Service Administrator

To do this, run all the following MSOL cmdlets:

   #-----------------------------------------------------------
   # This will prompt you for your tenant's credential
   # You should be able to use your Azure AD administrative user name
   # (in the admin@tenant.onmicrosoft.com format)
   #-----------------------------------------------------------
   Connect-MsolService

   #-----------------------------------------------------------
   # Replace the Application Name with the name of your
   # Application Service Principal
   #-----------------------------------------------------------
   $displayName = "Application Name"
   $objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

   #-----------------------------------------------------------
   # This will add your Application Service Principal to
   # the User Account Administrator role
   #-----------------------------------------------------------
   $roleName = "User Account Administrator"
   Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

After you run both sets of cmdlets, your application will be enabled to change the password of users in all "Administrator" organizational roles.

Note It can take up to 30 minutes for the permissions to be applied to the Application Service Principal after you add the permissions to the Office 365 administrative roles.
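
The following check is an added example, not part of the original article and not Microsoft's code. It assumes that the MSOnline module is installed and that Connect-MsolService has already been run; it requires an exact display-name match (because -SearchString can return more than one service principal) and then lists every service principal that holds either role, so that the grant can be confirmed and reviewed.

```powershell
# Added example. Assumes Connect-MsolService has already been run.
$displayName = "Application Name"   # placeholder, as in the article
$roleNames   = "Company Administrator", "User Account Administrator"

# -SearchString matches display names that START WITH the string, so it can
# return several service principals. Require exactly one exact match before
# trusting its ObjectId.
$candidates = @(Get-MsolServicePrincipal -SearchString $displayName |
    Where-Object { $_.DisplayName -eq $displayName })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one service principal named '$displayName', found $($candidates.Count)."
}
$sp = $candidates[0]

$report = foreach ($roleName in $roleNames) {
    $role = Get-MsolRole -RoleName $roleName
    if (-not $role) {
        Write-Warning "Role '$roleName' was not found in this tenant."
        continue
    }

    # All service principals that currently hold this administrative role.
    $spMembers = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' })

    # The role change can take up to 30 minutes to apply, so a missing
    # membership right after Add-MsolRoleMember is reported, not fatal.
    if ($spMembers.ObjectId -notcontains $sp.ObjectId) {
        Write-Warning "'$displayName' is not (yet) a member of '$roleName'."
    }

    foreach ($member in $spMembers) {
        [pscustomobject]@{
            Role        = $roleName
            DisplayName = $member.DisplayName
            ObjectId    = $member.ObjectId
            IsThisApp   = ($member.ObjectId -eq $sp.ObjectId)
        }
    }
}

# One row per (role, service principal); rows where IsThisApp is False are
# other applications that hold the same administrative role.
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
```

If the application no longer needs to reset administrator passwords, Remove-MsolRoleMember with the same -RoleName, -RoleMemberType and -RoleMemberObjectId values reverses the grant.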
MORE INFORMATION
For more information about how to reset user passwords by using Graph API, see the following Microsoft Azure website:

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 3004133 - Last Review: 11/11/2015 18:18:00 - Revision: 3.0

Microsoft Office 365, Microsoft Azure Active Directory
