[midPoint] Changing user password in Azure AD with Microsoft Graph API connector

Jussi Jokela jussi.jokela at fiarone.com
Tue Jan 11 15:55:47 CET 2022


Hi everyone,

Okay, I think I was able to solve this issue by myself.

There seems to be a problem in the Evolveum MS Graph API connector. When updating a user, the connector sends attributes one by one, because Microsoft Graph does not support SharePoint and Azure AD attributes in one JSON object.
However, this causes problems when changing the password and provisioning the forceChangePasswordNextSignIn attribute, which I guess Azure AD wants in one JSON object.

So I was able to overcome this issue by modifying the connector and provisioning the attributes as a single JSON object when the password is changed.


Best regards,
Jussi Jokela

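The fix described above (keeping the new password and forceChangePasswordNextSignIn together in one passwordProfile object of a single Graph PATCH, instead of one PATCH per attribute) is shown here as an added example. It is not the connector's code or anything posted in the thread. It assumes midPoint hands the connector flat dotted attribute names such as "passwordProfile.forceChangePasswordNextSignIn", uses a placeholder user id and access token, and injects the HTTP transport so that the grouping logic runs offline; the real Graph endpoint (PATCH https://graph.microsoft.com/v1.0/users/{id}) is only called by graph_send when you supply a token.

```python
"""Group flat 'a.b' attribute deltas into Microsoft Graph PATCH bodies.

Assumptions (not from the thread): dotted attribute names as midPoint
shows them, a placeholder user id and bearer token, and an injectable
`send(method, url, body)` transport so the comparison runs offline.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample delta: the two attributes the thread is about.
PASSWORD_CHANGE = {
    "passwordProfile.password": "Pl4ceholder-Not-A-Real-Secret!",
    "passwordProfile.forceChangePasswordNextSignIn": False,
}


def nest(flat: Dict[str, Any]) -> Dict[str, Any]:
    """Build a nested JSON body from dotted names.

    {"passwordProfile.password": "x",
     "passwordProfile.forceChangePasswordNextSignIn": False}
    -> {"passwordProfile": {"password": "x",
                            "forceChangePasswordNextSignIn": False}}
    Sub-attributes that share a prefix land in the same object.
    """
    body: Dict[str, Any] = {}
    for dotted, value in flat.items():
        parts = dotted.split(".")
        node = body
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return body


def one_by_one(user_id: str, flat: Dict[str, Any], send: Callable) -> List[Dict[str, Any]]:
    """Behaviour the thread describes: one PATCH per attribute.

    The PATCH carrying the password has no forceChangePasswordNextSignIn
    in its passwordProfile object; the flag arrives in a separate PATCH.
    """
    return [send("PATCH", f"{GRAPH_USERS}/{user_id}", nest({k: v})) for k, v in flat.items()]


def single_object(user_id: str, flat: Dict[str, Any], send: Callable) -> List[Dict[str, Any]]:
    """The fix: every passwordProfile sub-attribute in one PATCH body."""
    return [send("PATCH", f"{GRAPH_USERS}/{user_id}", nest(flat))]


def recording_transport() -> Tuple[Callable, List[Dict[str, Any]]]:
    """Offline transport that records what would have been sent."""
    log: List[Dict[str, Any]] = []

    def send(method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        entry = {"method": method, "url": url, "body": body}
        log.append(entry)
        return entry

    return send, log


def password_patch_bodies(flat: Dict[str, Any], user_id: str = "00000000-0000-0000-0000-000000000000"):
    """Return (bodies sent one by one, bodies sent as a single object)."""
    send_a, log_a = recording_transport()
    one_by_one(user_id, flat, send_a)
    send_b, log_b = recording_transport()
    single_object(user_id, flat, send_b)
    return [e["body"] for e in log_a], [e["body"] for e in log_b]


def graph_send(token: str) -> Callable:
    """Real transport for Graph; only used when a bearer token is supplied.

    Graph answers 204 No Content on a successful user PATCH.
    """
    def send(method: str, url: str, body: Dict[str, Any]) -> int:
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:  # network call, not run in the test
            return resp.status
    return send


if __name__ == "__main__":
    split, merged = password_patch_bodies(PASSWORD_CHANGE)
    print("one by one:", json.dumps(split, indent=1))
    print("single object:", json.dumps(merged, indent=1))
```

Run with a real token by replacing the recording transport with graph_send(token) in one_by_one or single_object; the password in PASSWORD_CHANGE is a constructed placeholder and should come from midPoint's protected string at runtime, never from a literal.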
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Marc Fueller via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, January 3, 2022 14:01
To: Jussi Jokela via midPoint <midpoint at lists.evolveum.com>
Cc: Marc Fueller <marc.fueller at daasi.de>
Subject: Re: [midPoint] Changing user password in Azure AD with Microsoft Graph API connector


Hi Jussi,


This behavior could be caused by a policy on Azure AD that is setting the flag for "must change password at next logon" in UserAccountControl whenever the password is changed.


Best regards,

Marc



Am 03.01.22 um 12:37 schrieb Jussi Jokela via midPoint:
Hi everyone,

Anyone having some ideas for this? Currently a blocker for me.


Best regards,
Jussi Jokela
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Jussi Jokela via midPoint <midpoint at lists.evolveum.com>
Sent: Friday, December 31, 2021 11:32
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Jussi Jokela <jussi.jokela at fiarone.com>
Subject: [midPoint] Changing user password in Azure AD with Microsoft Graph API connector

Hi everyone,

I'm having some difficulties with Azure AD and MS Graph API connector (1.0.0.1-SNAPSHOT).

When I'm changing a user's password in midPoint, Azure still wants that user to change the password at the next login to Azure (password expired or first login error). I'm also mapping passwordProfile.forceChangePasswordNextSignIn = false, but it looks like this has no effect? Anyone else having the same problems?

The weird thing is, when I create a new user in midPoint and this user is also provisioned to Azure AD, this user can sign in without a forced password change.


Best regards,
Jussi Jokela



_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


--
Marc Füller
Consultant

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: marc.fueller at daasi.de
web:   www.daasi.de
Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz