Azure B2C ROPC flow (Web Api): Let Users reset their password

Question

I've just found out how to update the password of a signed-in user via Graph api in my Web Api. Now I need to send a user that is not signed-in an email with a new password so they can sign in and change their password.

How can I send an email to an User without a signed-in user (so no token)? And if that's not possible, how can I give users the ability to change their forgotten passwords in my Web API (ROPC flow)? Thank you very much!

Answer 1

I tried to reproduce the same in my environment and got below results:

I registered one application and added API permission like below:

Now I generated one access token using ROPC flow via Postman like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id: <appID>
grant_type:password
scope: https://graph.microsoft.com/Directory.AccessAsUser.All
username:[email protected]↵
password: xxxxxxxxxxx
client_secret:<secret>

Response:

Now, I used the above token in below graph call and changed password successfully like below:

POST https://graph.microsoft.com/beta/users/<userID>/changePassword
Content-type: application/json

{
    "currentPassword": "xxxxxxxxxx",
    "newPassword": "yyyyyyyyyy"
}

Response:

Reference:

How to reset and change the password using Microsoft graph API of Azure AD B2C users by AmanpreetSingh-MSFT