Resetting Azure AD User Passwords with Microsoft Graph PowerShell

Not many things in IT are easier than resetting a user’s password, right? Well, I found the Graph SDK PowerShell module’s Reset-MgUserAuthenticationMethodPassword cmdlet pretty unintuitive. But, as with many things, it’s not hard to use once you have an example. I couldn’t find one online, including in the usual places (the “example” tab on the resetPassword API article and the cmdlet article), so here ya go:

# Sign in with the permission the reset call needs; the beta profile was required for this cmdlet at the time of writing
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
Select-MgProfile -Name beta
# UPN (or object id) of the user; the value must be quoted or PowerShell will not parse it as a string
$user = "user1@example.com"
# Look up the user's password authentication method to get its id
$method = Get-MgUserAuthenticationPasswordMethod -UserId $user

Reset-MgUserAuthenticationMethodPassword -UserId $user -RequireChangeOnNextSignIn -AuthenticationMethodId $method.Id -NewPassword "zQ7!Ra3MM6ha"

But why use this cmdlet anyway?

Well, in addition to all the reasons tied to the deprecation of Azure AD Graph, and the potential demise of the msonline & azuread PowerShell modules, Microsoft’s Graph beta API currently stands on a short list of places to reset a password and have it also write back to the on-premises Active Directory.

Supported administrator operations

  • Any administrator self-service voluntary change password operation.
  • Any administrator self-service force change password operation, for example, password expiration.
  • Any administrator self-service password reset that originates from the password reset portal.
  • Any administrator-initiated end-user password reset from the Azure portal.
  • Any administrator-initiated end-user password reset from the Microsoft Graph API.

Using this API is especially handy if you have a multi-domain hybrid environment, where connecting to the requisite domain controllers is obnoxious, or in scenarios when you don’t have connectivity to the on-premises Active Directory in the first place.

What is an AuthenticationMethodId?

As you can see in the code above, we first use Get-MgUserAuthenticationPasswordMethod to learn the correct “AuthenticationMethodId”. Authentication methods are Microsoft’s way of defining the various types of authentication you can use with Azure AD, including FIDO2 keys, passwords, the Authenticator app, etc.

(Image source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods)

As of this writing, there are 9 methods to choose from. When resetting a password, you want passwordAuthenticationMethod, which always has the well-known GUID 28c10230-6103-485e-b985-444c60001490. Because that id is fixed, you may not need to call Get-MgUserAuthenticationPasswordMethod at all, which makes this approach faster:

Reset-MgUserAuthenticationMethodPassword -UserId $user -RequireChangeOnNextSignIn -AuthenticationMethodId "28c10230-6103-485e-b985-444c60001490" -NewPassword "zQ7!Ra3MM6ha"

Arguably, a cmdlet whose sole purpose is to reset passwords should have this baked in already, but I suppose the current implementation allows for future scalability.
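The whole procedure from the post, as an added example written for this page rather than code from the original post or from Microsoft: a function that checks the method id it gets back against the well-known GUID before using it, generates the new password from a cryptographic RNG instead of hard-coding it in the script, and makes the forced change at next sign-in optional. It assumes the same SDK version the post uses (Select-MgProfile exists in Graph PowerShell SDK 1.x) and a sign-in granted the UserAuthenticationMethod.ReadWrite.All permission; the function names New-RandomPassword and Reset-MgUserPasswordSafely are made up here.

```powershell
# Added example for this page; not code from the original post or from Microsoft.
# Assumes Graph PowerShell SDK 1.x (Select-MgProfile exists) and a sign-in that
# holds the UserAuthenticationMethod.ReadWrite.All permission.

# Well-known id of the passwordAuthenticationMethod, quoted from the post above.
$PasswordMethodId = '28c10230-6103-485e-b985-444c60001490'

function New-RandomPassword {
    # Hypothetical helper: draws characters from a cryptographic RNG rather than
    # Get-Random. The alphabet has exactly 64 entries, so (byte -band 63) picks
    # uniformly with no modulo bias. Ambiguous glyphs (I, O, l, 0, 1) are left out.
    param([int]$Length = 16)
    # 24 upper (no I, O) + 25 lower (no l) + 8 digits (no 0, 1) + 7 symbols = 64
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $chars = foreach ($b in $bytes) { $alphabet[$b -band 63] }
    return -join $chars
}

function Reset-MgUserPasswordSafely {
    # Hypothetical wrapper around the post's Reset-MgUserAuthenticationMethodPassword call.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [switch]$RequireChangeOnNextSignIn
    )

    # Confirm the user's password method really is the well-known id before
    # passing it on, so a FIDO2 or Authenticator method id is never used here.
    $method = Get-MgUserAuthenticationPasswordMethod -UserId $UserId
    if ($method.Id -ne $PasswordMethodId) {
        throw "Unexpected password method id '$($method.Id)' for $UserId"
    }

    $newPassword = New-RandomPassword
    $params = @{
        UserId                 = $UserId
        AuthenticationMethodId = $method.Id
        NewPassword            = $newPassword
        ErrorAction            = 'Stop'   # fail loudly instead of returning a password that was never set
    }
    # Leave the switch out when the user should keep this password (the question
    # asked in the comments); include it to force a change at next sign-in.
    if ($RequireChangeOnNextSignIn) { $params['RequireChangeOnNextSignIn'] = $true }

    Reset-MgUserAuthenticationMethodPassword @params | Out-Null

    # Hand the password back as a SecureString so it does not land in transcripts
    # or console history in clear text; deliver it to the user out of band.
    return (ConvertTo-SecureString -String $newPassword -AsPlainText -Force)
}

# Usage: the beta profile was required for this cmdlet when the post was written.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
Select-MgProfile -Name beta
$secret = Reset-MgUserPasswordSafely -UserId 'user1@example.com' -RequireChangeOnNextSignIn
```

The id check costs one extra Graph call per reset compared with hard-coding the GUID, but it turns a mistaken method id into an exception rather than a confusing API error. Drop -RequireChangeOnNextSignIn from the usage line if the user should keep the generated password as-is.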

5 thoughts on “Resetting Azure AD User Passwords with Microsoft Graph PowerShell”

  1. Hi Mark.
    Thank you for writing a great article.
    But I don’t want to require users to change the password when they log in with this password.
    So what should I do?

    • I don’t remember if this was exposed in Microsoft Graph, but you can do this from the old cmdlets.

      $Martin = Get-AzureADUser -ObjectId 7777777@example.com

      $Martin.PasswordProfile.ForceChangePasswordNextLogin = $false

      Set-AzureADUser -ObjectId $Martin.ObjectId -PasswordProfile $Martin.PasswordProfile

      • Hi Mark.
        Thank you for replying to me. I tried those cmdlets, but they don’t work for me.
        It says “Can’t find ForceChangePasswordNextLogin”.
        And what should I do to make cmdlets using Microsoft Graph?
        Honestly, I don’t know how to make cmdlets like you do.
        So if you have time to reply to me, I want you to let me know how to make a password change without the Update cmdlets using Microsoft Graph.
        Sorry for my bad English, because I’m Japanese.
        Thanks.

      • “It says ‘Can’t find ForceChangePasswordNextLogin’.”

        Are you using this as a parameter? If so, look again at what I posted. The parameter is -PasswordProfile, but in line 2, we’re first creating a password profile to use.

        Also, it’s Mike, not Mark. 🙂

  2. Hi Mike,

    I tried running this command, and it ran without issue. However, when I try to sign in with the new password, it doesn’t work. The old password is still the working password. I am a global administrator in Azure.
