AzureAD driver getting 403 Forbidden error when changing passwords

We use OpenText Identity Manager to create and maintain users on AzureAD/Entra, using the AzureAD Driver. It all works fine except for passwords; we get the 403 Forbidden error when we change a password and the driver stops. We have set many MS Graph API permissions (52 of them) on the registered application including Directory.ReadWrite.All (delegated and application) and Directory.AccessAsUser.All (delegated) as per the documentation. The user we connect to AzureAD with has all the roles mentioned in the documentation (plus Global Admin, which is probably overkill and not a good idea).

Is there an alternative API permission that we need? 

Strangely enough when I log in to the MS Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) using the same account used by the driver to connect, I can change the password using the PATCH method, URL: graph.microsoft.com/.../<upn> and the following JSON in the body:

{
    "passwordProfile": {
        "forceChangePasswordNextSignIn": false,
        "password": "Cold Revenge 1234"
    }
}
The error in the driver log is:

DirXML Log Event -------------------
Driver: \DMU-META\dmu\DirXML-DriverSet\AzureAD
Channel: Subscriber
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-07-08T14:05:29","request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7","client-request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7"}}}

It's not caused by a password policy violation because that produces a different error.

To the forum administrator/adjudicator: I had an email saying this post contains forbidden words. I can only assume this is the decision of some AI bot as the statement is baffling. Unless of course the word "forbidden" is forbidden. Or perhaps it is because of the word "kill" in "overkill". Where is the common sense nowadays?
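As an added example (not from the original post, and not the AzureAD driver's own code): a small Python helper that pulls the Graph error object out of a driver log line like the one quoted in the question, tells the 403 privilege case apart from other failures, and builds the same passwordProfile PATCH the question issues from Graph Explorer. The Graph v1.0 users URL, the sample UPN and the placeholder password are assumptions.

```python
import json
from urllib.parse import quote

# Assumed: the standard Graph v1.0 users endpoint (the question elides the full path).
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"

# Constructed sample: the "Detail from driver" text from the DirXML log quoted in the question.
SAMPLE_LOG = (
    'Message: Code(-9005) The driver returned a "fatal" status indicating that the driver '
    'should be shut down. Detail from driver: '
    'com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: '
    '{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges '
    'to complete the operation.","innerError":{"date":"2024-07-08T14:05:29",'
    '"request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7",'
    '"client-request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7"}}}'
)


def parse_graph_error(log_text):
    """Pull the Graph error JSON out of a driver log line and flatten the fields an
    admin needs when opening a support ticket: code, message, timestamp, request-id."""
    start = log_text.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(log_text[start:])
    except json.JSONDecodeError:
        return None
    err = obj.get("error", {})
    inner = err.get("innerError", {})
    return {
        "code": err.get("code"),
        "message": err.get("message"),
        "date": inner.get("date"),
        "request_id": inner.get("request-id"),
    }


def is_privilege_error(parsed):
    """True for the 403 case in the question: the token was accepted but the caller is
    not authorised for this operation, so it is not a password-policy rejection."""
    return bool(parsed) and parsed["code"] == "Authorization_RequestDenied"


def build_password_patch(upn, new_password, force_change=False):
    """Build the PATCH the question issues from Graph Explorer, with the UPN URL-encoded;
    the password goes only in the body, never into the URL or a log line."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                "password": new_password}}
    return "PATCH", GRAPH_USERS + quote(upn, safe=""), json.dumps(body)
```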