Blog posts tagged with: ActiveDirectory
Microsoft Graph: to change user passwords, an app can't use API permissions instead just needs User Administrator role
User Administrator (or similar) role is needed for a registered app to change a user's passwords within Microsoft Graph.
It is very hard to find out what roles an app has been granted. When you add a role, document this within the notes section of the app's blade in the Azure portal. Microsoft ought to fix this.