Azure B2C 用户无权通过 Graph API 更改未签名用户的密码答案

【问题标题】：Azure B2C user has no access permissions to change password of unsigned user via Graph APIAzure B2C 用户无权通过 Graph API 更改未签名用户的密码
【发布时间】：2021-06-25 14:08:09
【问题描述】：

我创建图形 api：

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create(Configuration.GetSection("AzureAdB2C").GetValue<string>("ApplicationId"))
                .WithTenantId(Configuration.GetSection("AzureAdB2C").GetValue<string>("TenantId"))
                .WithClientSecret(Configuration.GetSection("AzureAdB2C").GetValue<string>("ClientSecret"))
                .Build();
            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
            GraphServiceClient graphClient = new GraphServiceClient(authProvider);
            _graphClient = graphClient;

并尝试调用更新用户密码：

User user = new User()
            {
                PasswordProfile = new PasswordProfile
                {
                    Password = "123456aaA@",
                    ForceChangePasswordNextSignIn = false,
                    ForceChangePasswordNextSignInWithMfa = false
                },
            };
            await _graphClient.Users[entity.Id.ToString()].Request().UpdateAsync(user);

但是在执行的时候会报错我们没有足够的权限：

Microsoft.Graph.ServiceException
  HResult=0x80131500
  Message=Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
    AdditionalData:
    date: 2021-06-25T12:18:57
    request-id: 424cffe2-8775-440c-ad0d-c894194cd9c7
    client-request-id: 424cffe2-8775-440c-ad0d-c894194cd9c7
ClientRequestId: 424cffe2-8775-440c-ad0d-c894194cd9c7

Permissions in Azure for Graph:

我需要添加什么权限？

【问题讨论】：

标签： c# azure microsoft-graph-api azure-ad-b2c

【解决方案1】：

更新passwordProfile 属性时，需要以下权限：Directory.AccessAsUser.All

（来自https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http）

【讨论】：

在 AD B2C 中我们不允许 Directory.AccessAsUser.All