We use OpenText Identity Manager to create and maintain users on AzureAD/Entra, using the AzureAD Driver. It all works fine except for passwords; we get the 403 Forbidden error when we change a password and the driver stops. We have set many MS Graph API permissions (52 of them) on the registered application including Directory.ReadWrite.All (delegated and application) and Directory.AccessAsUser.All (delegated) as per the documentation. The user we connect to AzureAD with has all the roles mentioned in the documentation (plus Global Admin, which is probably overkill and not a good idea).
Is there an alternative API permission that we need?
Strangely enough, when I log in to the MS Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) using the same account used by the driver to connect, I can change the password using the PATCH method, URL: graph.microsoft.com/.../<upn> and the following JSON in the body:
DirXML Log Event -------------------
Driver: \DMU-META\dmu\DirXML-DriverSet\AzureAD
Channel: Subscriber
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-07-08T14:05:29","request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7","client-request-id":"ae0a4038-494d-468b-ac7b-926e89faeef7"}}}
It's not caused by a password policy violation, because that produces a different error.