If an Azure Active Directory user forgets his password, an Azure (Microsoft 365) tenant administrator can reset it in several ways: using the Azure Portal, through PowerShell, or by enabling the self-service password reset (SSPR) feature.
To reset a user’s password, your account must have one of the following built-in Azure: User Administrator or Password Administrator.
Reset User’s Password in Azure Portal
The easiest way to reset a user password in Azure is to use the Azure Portal web interface (or Microsoft 365 Admin Center):
- Sign in to https://portal.azure.com/ and go to Azure Active Directory -> Users;
- Select a user and click Reset Password;
- You will receive a notification that a temporary password will be assigned to the user:
The user '[email protected]' will be assigned a temporary password that must be changed on the next sign in. To display the temporary password, click 'Reset password'.
Click Reset Password.
- Azure will generate a new temporary password for the user and show it on the screen;
- Tell the new password to the user, and the next time they sign in to any Microsoft 365 app using Modern Authentication, they will be prompted to change the password;
Your need to update your password because this is the first rime you are signing in, or because your password has expired.
- You can make sure that the user has authenticated successfully using the Azure sign-in logs.
Here are some important things to keep in mind:
- A temporary password never expires.
- If your on-premises Active Directory is synchronized with Azure through the Azure AD Connector, the Password Writeback feature must be enabled in the Connector settings in order to reset the ADDS user’s password from the cloud.
You can enable self-service password reset (SSPR) on your Azure tenant. You can enable SSPR for a group of users or all AAD users in Azure Active Directory -> Password reset -> Properties.
To reset their passwords, users can use allowed authentication methods. In addition to standard MFA methods, they can use security questions and office phone calls. You can use one or two authentication methods.
Resetting Azure AD User Password with PowerShell
When you reset a user’s password via the Azure Portal, a new temporary password is automatically generated. However, you can set a new user password manually using PowerShell.
You can use the Azure AD module to reset a user’s password. Connect to your Azure tenant:
Connect-AzureAD
Set a new password and convert it to SecureString (see the article on how to use passwords in PowerShell scripts):
$newPass = ConvertTo-SecureString 'Str0ngNewPa$$1' -AsPlainText –Force
Add-Type -AssemblyName System.Web
$genpass=[System.Web.Security.Membership]::GeneratePassword(9,2)
$newPass = ConvertTo-SecureString $genpass -AsPlainText –Force
Get the Object ID of the user for which you want to change the password using its UserPrincipalName:
$userObjectId=(Get-AzureADUser -filter "userPrincipalName eq '[email protected]'").ObjectID
Apply the new password to the Azure user by ObjectID:
Set-AzureADUserPassword -ObjectId $userObjectId -Password $newPass
If you want a user to change the password at the next sign-in, add the -ForceChangePasswordNextLogin $true option.
You won’t be able to view the date and time when the user changed the password using the Azure AD PowerShell module. You can get this information using Microsoft Graph API or the legacy MSOnline module.
If you have the MSOnline PowerShell module installed, connect to your tenant:
Connect-MsolService
Display the LastPasswordChangeTimeStamp value:
Get-MsolUser -UserPrincipalName '[email protected]'| Select DisplayName,UserPrincipalName,LastPasswordChangeTimeStamp
If the password expiration option is enabled in the Azure AD password policy, you can get the date when a user password expires using PowerShell:
$user=Get-MsolUser -UserPrincipalName '[email protected]'
$User.LastPasswordChangeTimestamp.AddDays($PasswordPolicy.ValidityPeriod)
msDS-UserPasswordExpiryTimeComputed constructed attribute.Or you can access the Microsoft Graph API from PowerShell to get the date and time the user’s password was changed and the user creation data in Azure:
$ApplicationID = "your-app-ID"
$TenatDomainName = "your-tenant-ID"
$AccessSecret = "your-app-secret"
$Body = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
client_Id = $ApplicationID
Client_Secret = $AccessSecret
}
$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token" -Method POST -Body $Body
$token = $ConnectGraph.access_token
$GrapUserUrl = 'https://graph.microsoft.com/v1.0/users?$select= userprincipalname,accountenabled,signInActivity,createdDateTime,lastPasswordChangeDateTime'
$users=(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GrapUserUrl -Method Get).value
$users | where userprincipalname –eq '[email protected]' | select userprincipalname,accountenabled,createdDateTime,lastPasswordChangeDateTime
Using Microsoft Graph API and the POST method, you can even reset a user password. Use the POST request below:
POST https://graph.microsoft.com/v1.0/me/changePassword
Content-Type: application/json
{
"currentPassword": "OldPass123!",
"newPassword": "NewP@ss2!"
}
1 comment
hello,
and how do we get in msgraph the next date of the expiration.. i mean lastpasswordchangetime +30 days .eg