
Update users-passwordprofile-permissions.md #9577

Merged
FaithOmbongi merged 4 commits into microsoftgraph:main from tomatsue:tomatsue-patch-1 on Jun 5, 2025

Conversation

@tomatsue
Contributor

In app-only scenarios, it works without Entra roles such as the User Administrator or the Password Administrator.


Add other supporting information, such as a description of the PR changes:

ADD INFORMATION HERE


Important

The following guidance is for Microsoft employees only. Community contributors can ignore this message; our content team will manage the status.

After you've created your PR, expand this section for tips and additional instructions.
  • do not merge is the default PR status and is automatically added to all open PRs that don't have the ready to merge label.
  • Add the ready for content review label to start a review. Only PRs that have met the minimum requirements for content review and have this label are reviewed.
  • If your content reviewer requests changes, review the feedback and address accordingly as soon as possible to keep your pull request moving forward. After you address the feedback, remove the changes requested label, add the review feedback addressed label, and select the Re-request review icon next to the content reviewer's alias. If you can't add labels, add a comment with #feedback-addressed to the pull request.
  • After the content review is complete, your reviewer will add the content review complete label. When the updates in this PR are ready for external customers to use, replace the do not merge label with ready to merge and the PR will be merged within 24 working hours.
  • Pull requests that are inactive for more than 6 weeks will be automatically closed. Before that, you receive reminders at 2 weeks, 4 weeks, and 6 weeks. If you still need the PR, you can reopen or recreate the request.

For more information, see the Content review process summary.

@tomatsue
Contributor Author

@microsoft-github-policy-service agree company="Microsoft"

@learn-build-service-prod
Contributor

Learn Build status updates of commit 6548523:

✅ Validation status: passed

File | Status | Preview URL | Details
api-reference/beta/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |
api-reference/v1.0/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |

For more details, please refer to the build report.

For any questions, please:

@FaithOmbongi FaithOmbongi self-assigned this Jun 4, 2025
@FaithOmbongi FaithOmbongi requested a review from yyuank June 4, 2025 07:54
@FaithOmbongi FaithOmbongi added the labels "area: Entra" (APIs and issues relating to Microsoft Entra (previously Azure AD) features) and "area: users" on Jun 4, 2025
@FaithOmbongi
Contributor

I've pinged @yyuank for SME review and approval.

Contributor

@FaithOmbongi FaithOmbongi left a comment


Hi @tomatsue - Thank you for proposing this correction.

I've checked with the PG and they've confirmed that PasswordProfile.ReadWrite.All app permission is sufficient in app-only scenarios. You don't need UserReadWrite.All. Please confirm you've not seen a different behavior and I can merge this PR with the changes applied.

- *Privileged Authentication Administrator* is the least privileged role that's allowed to update this property for *all* administrators in the tenant.
- In general, the signed-in user must have a higher privileged administrator role as indicated in [Who can reset passwords](/graph/api/resources/users#who-can-reset-passwords).
- In app-only scenarios, the calling app must be assigned a supported permission *and* at least the *User Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json). No newline at end of file
- In app-only scenarios, the calling app must be assigned *User-PasswordProfile.ReadWrite.All* and at least *User.ReadWrite.All*.
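Review bot: the new line pairs User-PasswordProfile.ReadWrite.All with "at least User.ReadWrite.All" without saying what the second permission is for; User.ReadWrite.All grants write access to all users' full profiles, so if the password-profile permission alone is sufficient (as the reviewer's PG check in this thread says) the pairing over-grants, and if it is not sufficient the line should name the operation that needs the broader permission. Suggest either "the calling app must be assigned *User-PasswordProfile.ReadWrite.All*" on its own or an explicit reason for the second permission.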
Contributor


Suggested change
- In app-only scenarios, the calling app must be assigned *User-PasswordProfile.ReadWrite.All* and at least *User.ReadWrite.All*.
- In app-only scenarios using Microsoft Graph application permissions, *User-PasswordProfile.ReadWrite.All* is the least privileged permission.
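Review bot: the suggested line states the least-privileged permission but is silent on directory roles, and the line this PR removes was the only place that told app-only callers they needed the *User Administrator* Microsoft Entra role; a reader comparing old and new text cannot tell whether that requirement was dropped on purpose. Suggest stating it explicitly, for example "... is the least privileged permission, and no Microsoft Entra role is required", if that is what the engineering team confirmed.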


@FaithOmbongi FaithOmbongi added the labels "changes requested" and "needs author feedback" (Waiting for author (creator) of issue to provide more info) and removed the "awaiting internal response" label on Jun 4, 2025
@FaithOmbongi FaithOmbongi self-requested a review June 4, 2025 18:06
@tomatsue
Contributor Author

tomatsue commented Jun 5, 2025

Hi @FaithOmbongi, thank you for checking. I've confirmed that an app with User-PasswordProfile.ReadWrite.All permissions can successfully update the passwordProfile via the API. However, for about five minutes after the password reset, the user's sign-in attempts failed with the AADSTS50057 error. In contrast, when the password was reset using both User-PasswordProfile.ReadWrite.All and User.ManageIdentities.All, the user was able to sign in with the new password immediately. Is this an expected result?

@tomatsue
Contributor Author

tomatsue commented Jun 5, 2025

#feedback-addressed

@FaithOmbongi
Contributor

Hi @tomatsue - AADSTS50057 is definitely not expected. That adding User.ManageIdentities.All worked shows there could have been a different issue for the user account apart from the password.

I recommend the following:

  • I'll proceed to merge this PR as the eng team has confirmed User-PasswordProfile.ReadWrite.All is all you need.
  • I recommend you try to repro the same issue with another account and log the request ID. If you encounter the error and have to use User.ManageIdentities.All for the password reset to be complete, please file a bug via the Entra admin center or Q&A and provide the request ID so the issue can be investigated and the root cause identified. If the support team conclude we need to update the documentation, they'll advise us accordingly.
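
The operation discussed in this thread, an app-only PATCH of a user's passwordProfile, written here as an added example (it is not code from this PR or from the Microsoft Graph documentation). It writes nothing but the passwordProfile and records the Graph correlation identifiers (the client-request-id we send and the request-id Graph returns) so that a failed reset can be reported with a request ID, as recommended above. It assumes an access token obtained with the client-credentials flow for an app granted User-PasswordProfile.ReadWrite.All and the documented Graph v1.0 users PATCH endpoint; the two fake transports at the end are constructed stand-ins so the flow can be run offline.

```python
"""Added example: app-only passwordProfile reset through Microsoft Graph that
keeps the request identifiers needed for a support case. Not code from the
PR or from Microsoft; endpoint and token handling are assumptions."""
import json
import uuid
import urllib.error
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"


def build_reset_request(user_id, new_password, access_token, force_change=True):
    """Return (Request, client_request_id) for a PATCH that touches only passwordProfile."""
    client_request_id = str(uuid.uuid4())
    body = {
        "passwordProfile": {
            "password": new_password,
            "forceChangePasswordNextSignIn": force_change,
        }
    }
    req = urllib.request.Request(
        f"{GRAPH_V1}/users/{user_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            # Our own correlation id: usable in a support case even if no response arrives.
            "client-request-id": client_request_id,
        },
    )
    return req, client_request_id


def reset_password(user_id, new_password, access_token, opener=urllib.request.urlopen):
    """Send the reset and return a record with the status and request identifiers.

    `opener` defaults to urllib's real HTTPS call; it is injectable so the
    flow can be exercised offline with the constructed fakes below.
    """
    req, client_request_id = build_reset_request(user_id, new_password, access_token)
    try:
        with opener(req) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        # Graph also returns request-id on errors; keep it for the ticket.
        status, headers = err.code, err.headers
    return {
        "ok": status == 204,  # Graph answers 204 No Content on a successful PATCH
        "status": status,
        "client_request_id": client_request_id,
        "request_id": headers.get("request-id"),
        "date": headers.get("Date"),
    }


# Constructed offline stand-ins for Graph; the ids and dates below are made up.
class _FakeResponse:
    def __init__(self, status, headers):
        self.status, self.headers = status, headers

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_graph_ok(req):
    """Accepts the PATCH as Graph does for an app holding User-PasswordProfile.ReadWrite.All."""
    assert req.get_method() == "PATCH"
    assert list(json.loads(req.data)) == ["passwordProfile"]  # nothing else is written
    return _FakeResponse(204, {"request-id": "11111111-2222-3333-4444-555555555555",
                               "Date": "Thu, 05 Jun 2025 09:00:00 GMT"})


def fake_graph_denied(req):
    """Models the 403 Graph returns when the app lacks a sufficient permission."""
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden",
                                 {"request-id": "66666666-7777-8888-9999-000000000000"}, None)


if __name__ == "__main__":
    # Placeholder user id and token; run against the constructed fake, not the real tenant.
    print(reset_password("user-id-placeholder", "example-new-password",
                         "token-placeholder", opener=fake_graph_ok))
```

Keeping the returned record (status, both identifiers, the Date header) is what turns "the user got AADSTS50057 a few minutes later" into something support can trace; the body is deliberately limited to passwordProfile so the call never needs a broader write permission than the one the thread settles on.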

Comment thread api-reference/beta/includes/users-passwordprofile-permissions.md Outdated
@FaithOmbongi FaithOmbongi added the label "content review complete" (Apply when the content review is complete on a PR.) and removed the labels "changes requested", "content review in progress" and "needs author feedback" (Waiting for author (creator) of issue to provide more info) on Jun 5, 2025
@microsoft-github-policy-service
Contributor

Thank you for your work in this PR, @tomatsue.

When the updates in this PR are ready for external customers to use, please replace the do not merge label with ready to merge.

Check the content review workflow here.

@learn-build-service-prod
Contributor

Learn Build status updates of commit 80925b0:

✅ Validation status: passed

File | Status | Preview URL | Details
api-reference/beta/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |
api-reference/v1.0/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |

For more details, please refer to the build report.

@learn-build-service-prod
Contributor

Learn Build status updates of commit dbfa3d9:

✅ Validation status: passed

File | Status | Preview URL | Details
api-reference/beta/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |
api-reference/v1.0/includes/users-passwordprofile-permissions.md | ✅ Succeeded | |

For more details, please refer to the build report.

@FaithOmbongi FaithOmbongi merged commit 04cf937 into microsoftgraph:main Jun 5, 2025
7 checks passed