Microsoft Graph: to change user passwords, an app can't use API permissions; instead it needs the User Administrator role

by Patrick Lee on 25 Aug 2022 in categories tech with tags ActiveDirectory ADB2C Azure MicrosoftGraph

The documentation for Microsoft Graph is not as good as it should be in my opinion.

Suppose you want one of your registered apps to be able to change users' passwords. Granting the app API permissions within Microsoft Graph lets it add, edit and delete user profiles, but it still cannot change users' passwords (at least not with application permissions, i.e. running as the application rather than on behalf of a signed-in user).

Instead, without any Graph API permissions at all, your app can add, edit and delete users and also change their passwords (via the Update [PATCH] method on the user, either through the Graph SDK or by calling the REST API directly) if you give the app an identity (a managed identity) and assign that identity the User Administrator role. This works both in Azure Active Directory and in an Azure AD B2C directory.
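Here is what that flow looks like end to end when calling the REST API rather than the SDK. This is an added example, not code from the original post: the app obtains a token for Graph from its managed identity (the Azure Instance Metadata Service on a VM, or the IDENTITY_ENDPOINT/IDENTITY_HEADER pair exposed to App Service and Functions) and then PATCHes only the user's passwordProfile. The user principal name, the new password and the App Service endpoint values are constructed placeholders; the request builders are kept separate from the network call so the request shapes can be checked offline.

```python
"""Reset an Azure AD / Azure AD B2C user's password through Microsoft Graph from an
app that authenticates as a managed identity holding the User Administrator role
(no Graph application permissions involved).

Added example; all user, password and endpoint values below are constructed.
Request builders are pure functions, only send_json() touches the network.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
# Azure Instance Metadata Service token endpoint used by VMs and VM scale sets.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def managed_identity_token_request(client_id=None, env=os.environ):
    """Return (url, headers) for a managed-identity token request scoped to Graph.

    App Service / Functions expose IDENTITY_ENDPOINT and IDENTITY_HEADER; anywhere
    else we fall back to IMDS, which wants a 'Metadata: true' header instead.
    client_id is only needed for a user-assigned identity.
    """
    params = {"resource": GRAPH_RESOURCE}
    if client_id:
        params["client_id"] = client_id
    endpoint = env.get("IDENTITY_ENDPOINT")
    if endpoint:
        params["api-version"] = "2019-08-01"
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        endpoint = IMDS_TOKEN_URL
        params["api-version"] = "2018-02-01"
        headers = {"Metadata": "true"}
    return endpoint + "?" + urllib.parse.urlencode(params), headers


def build_password_reset(user_id, new_password, force_change_next_sign_in=True):
    """Return (url, body) for PATCH /users/{id}.

    user_id may be an object id or a UPN. Guest UPNs contain '#EXT#', so the path
    segment is percent-encoded. Only passwordProfile is sent, so no other
    attribute on the user object is touched by the PATCH.
    """
    url = GRAPH_USERS_URL + "/" + urllib.parse.quote(user_id, safe="@")
    body = {
        "passwordProfile": {
            "password": new_password,
            "forceChangePasswordNextSignIn": force_change_next_sign_in,
        }
    }
    return url, body


def send_json(method, url, headers, body=None, timeout=10):
    """Perform the HTTP call; return (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as e:
        raw, status = e.read(), e.code
    try:
        return status, (json.loads(raw) if raw else None)
    except ValueError:
        return status, None


def get_managed_identity_token(client_id=None, env=os.environ):
    url, headers = managed_identity_token_request(client_id, env)
    status, payload = send_json("GET", url, headers)
    if status != 200 or not payload or "access_token" not in payload:
        raise RuntimeError(f"managed identity token request failed: HTTP {status}")
    return payload["access_token"]


def reset_password(token, user_id, new_password):
    """PATCH the user's passwordProfile. Graph answers 204 on success; a 403
    (typically error code Authorization_RequestDenied) means the identity does
    not hold a role that may reset this user's password."""
    url, body = build_password_reset(user_id, new_password)
    status, payload = send_json("PATCH", url, {"Authorization": "Bearer " + token}, body)
    return status == 204, status, payload


if __name__ == "__main__":
    # Run inside Azure with the managed identity enabled and the role assigned.
    token = get_managed_identity_token()
    ok, status, payload = reset_password(
        token, "example.user@contoso.onmicrosoft.com", "PLACEHOLDER-new-password"
    )
    print("password reset succeeded:", ok, "HTTP", status, payload)
```

Two things worth knowing before relying on this in production: the User Administrator role can only reset passwords for non-administrators and a few limited admin roles, so the same 403 comes back for users holding more privileged directory roles; and because the identity's power comes from the directory role rather than from a consented Graph permission, it will not show up in the app's API permissions blade, which is exactly why the next paragraph's point about discovering existing role assignments matters.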

(Adding a role to a new app is easy. Finding out which roles an existing app already has is not easy; see this post.)