Not many things in IT are easier than resetting a user's password, right? Well, I found the Graph SDK PowerShell module's Reset-MgUserAuthenticationMethodPassword cmdlet to be pretty unintuitive. But as with many things, it's not hard to use once you have an example. I couldn't find one online, including in the usual places (the "example" tab on the resetPassword API article and the cmdlet article), so here you go:
```powershell
# The resetPassword action needs the UserAuthenticationMethod.ReadWrite.All scope;
# being Global Admin alone is not enough (see the accessDenied error in the comments).
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
# resetPassword is only exposed on the beta endpoint
Select-MgProfile -Name beta
$user = "firstname.lastname@example.org"
# Look up the user's password authentication method to get its id
$method = Get-MgUserAuthenticationPasswordMethod -UserId $user
Reset-MgUserAuthenticationMethodPassword -UserId $user -RequireChangeOnNextSignIn -AuthenticationMethodId $method.Id -NewPassword "zQ7!Ra3MM6ha"
```
But why use this cmdlet anyway?
Well, in addition to all the reasons tied to the deprecation of Azure AD Graph, and the potential demise of the msonline & azuread PowerShell modules, Microsoft’s Graph beta API currently stands on a short list of places to reset a password and have it also write back to the on-premises Active Directory.
Microsoft lists the following as the supported administrator operations for password writeback:
- Any administrator self-service voluntary change password operation.
- Any administrator self-service force change password operation, for example, password expiration.
- Any administrator self-service password reset that originates from the password reset portal.
- Any administrator-initiated end-user password reset from the Azure portal.
- Any administrator-initiated end-user password reset from the Microsoft Graph API.
Using this API is especially handy if you have a multi-domain hybrid environment, where connecting to the requisite domain controllers is obnoxious, or in scenarios when you don’t have connectivity to the on-premises Active Directory in the first place.
What is an AuthenticationMethodId?
As you can see in the above code, we use Get-MgUserAuthenticationPasswordMethod to first learn the correct "AuthenticationMethodId". These are Microsoft's way to define the various types of authentication you can use with Azure AD, including FIDO2 keys, passwords, the Authenticator app, etc.
As of this writing, there are 9 methods to choose from. When resetting a password, you want passwordAuthenticationMethod, which returns a well-known GUID of 28c10230-6103-485e-b985-444c60001490. In fact, this means you may not need to use Get-MgUserAuthenticationPasswordMethod at all, making this approach faster:
```powershell
Reset-MgUserAuthenticationMethodPassword -UserId $user -RequireChangeOnNextSignIn -AuthenticationMethodId "28c10230-6103-485e-b985-444c60001490" -NewPassword "zQ7!Ra3MM6ha"
```
Arguably, a cmdlet whose sole purpose is to reset passwords should have this baked in already, but I suppose the current implementation allows for future scalability.
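Putting the pieces together, here is an added example (my own code, not from the original post or the Graph SDK): a wrapper that checks the delegated scope of the current session before calling the cmdlet, lets you choose between the well-known method id and a live lookup, generates the new password from a cryptographic RNG when you do not supply one, and turns the accessDenied failure that comes up in the comments into an actionable message. The function names Connect-GraphForPasswordReset, New-RandomPassword and Reset-HybridUserPassword are my own; the cmdlets, the scope name and the method GUID are the SDK's and the post's.

```powershell
# Added example, not the original post's code. Requires the Microsoft.Graph PowerShell SDK (v1-style,
# with Select-MgProfile). Function and parameter names are mine, not part of the SDK.

$RequiredScope    = 'UserAuthenticationMethod.ReadWrite.All'
# Well-known id of the password authentication method (from the post above)
$PasswordMethodId = '28c10230-6103-485e-b985-444c60001490'

function Connect-GraphForPasswordReset {
    # Reconnect only if there is no session yet, or the session was not granted the scope.
    $ctx = Get-MgContext
    if (-not $ctx -or ($ctx.Scopes -notcontains $RequiredScope)) {
        Connect-MgGraph -Scopes $RequiredScope | Out-Null
    }
    # resetPassword is a beta-only action
    Select-MgProfile -Name beta
}

function New-RandomPassword {
    param([int]$Length = 16)
    # Cryptographic RNG rather than Get-Random; look-alike characters (0/O, 1/l/I) are left out.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*?'
    $limit    = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = [System.Text.StringBuilder]::new()
    $buf = [byte[]]::new(1)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Reset-HybridUserPassword {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$NewPassword,                 # omit to have one generated
        [switch]$RequireChangeOnNextSignIn,   # omit for a password the user may keep
        [switch]$LookupMethodId               # confirm the id instead of trusting the well-known GUID
    )
    Connect-GraphForPasswordReset
    if (-not $NewPassword) { $NewPassword = New-RandomPassword }

    $methodId = $PasswordMethodId
    if ($LookupMethodId) {
        $method = Get-MgUserAuthenticationPasswordMethod -UserId $UserPrincipalName
        if (-not $method) { throw "No password authentication method found for $UserPrincipalName" }
        $methodId = $method.Id
    }

    $params = @{
        UserId                 = $UserPrincipalName
        AuthenticationMethodId = $methodId
        NewPassword            = $NewPassword
        ErrorAction            = 'Stop'       # make the Graph error catchable
    }
    if ($RequireChangeOnNextSignIn) { $params.RequireChangeOnNextSignIn = $true }

    try {
        Reset-MgUserAuthenticationMethodPassword @params
    }
    catch {
        # FullyQualifiedErrorId starts with "accessDenied," when the scope is missing
        if ($_.FullyQualifiedErrorId -like 'accessDenied*') {
            throw "Graph returned accessDenied for $UserPrincipalName. The session must hold $RequiredScope (Global Admin alone is not enough); reconnect with: Connect-MgGraph -Scopes $RequiredScope"
        }
        throw
    }

    # Hand the secret back as a SecureString so it does not land in transcripts or history.
    ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
}

# Usage (constructed example UPN):
# $secret = Reset-HybridUserPassword -UserPrincipalName 'firstname.lastname@example.org' -RequireChangeOnNextSignIn
# [System.Net.NetworkCredential]::new('', $secret).Password   # reveal once, to hand to the user
```

Leaving out -RequireChangeOnNextSignIn gives a reset the user can keep, which is the question asked in the comments. One caveat for anyone on version 2 of the Microsoft.Graph SDK: Select-MgProfile no longer exists there; the beta cmdlets live in the Microsoft.Graph.Beta modules under the MgBeta noun prefix (Reset-MgBetaUserAuthenticationMethodPassword, Get-MgBetaUserAuthenticationPasswordMethod), so drop the Select-MgProfile call and use those names instead.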
Thank you for writing a great article.
But I don't want to require users to change the password when they log in with this password.
So what should I do?
I don’t remember if this was exposed in Microsoft Graph, but you can do this from the old cmdlets.
```powershell
$Martin = Get-AzureADUser -ObjectId "email@example.com"
# flip the force-change flag on the user's password profile (assumes the profile is populated on the object)
$Martin.PasswordProfile.ForceChangePasswordNextLogin = $false
Set-AzureADUser -ObjectId $Martin.ObjectId -PasswordProfile $Martin.PasswordProfile
```
Thank you for replying to me. I tried those cmdlets, but they don't work for me.
It says "Can't find ForceChangePasswordNextLogin".
And what should I do to make cmdlets using Microsoft Graph?
Honestly, I don't know how to make cmdlets like you do.
So if you have time to reply to me, please let me know how to do a password change without the Update cmdlets, using Microsoft Graph.
Sorry for my bad English, since I'm Japanese.
‘ It says “Can’t find ForceChangePasswordNextLogin”.’
Are you using this as a parameter? If so, look again at what I posted. The parameter is -PasswordProfile, but in line 2, we’re first creating a password profile to use.
Also, it’s Mike, not Mark. 🙂
I tried running this command, and it ran without issue. However, when I try to sign in with the new password, it doesn't work. The only password that works is still the old one. I am a global administrator in Azure.
It doesn’t work for me. First, it didn’t like the -RequireChangeOnNextSignIn, so I removed it. Then it errored saying “The user is not authorized to access this resource”
FullyQualifiedErrorId : accessDenied,Microsoft.Graph.PowerShell.Cmdlets.ResetMgUserAuthenticationMethodPassword_ResetExpanded1
I am a global admin.
You need to make sure you have the “UserAuthenticationMethod.ReadWrite.All” permission, as discussed here: https://learn.microsoft.com/en-us/graph/api/authenticationmethod-resetpassword?view=graph-rest-beta&tabs=http#permissions
You can add this permission automatically when you connect, by using the -scopes parameter, at least once:
```powershell
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
```
That worked! Thanks a bunch!