How to Force a Password Change in Microsoft 365 Without Password Reset

Post last modified: January 12, 2024

A question was recently asked on the Microsoft Q&A forum: is it possible to force cloud-only Microsoft 365 users to change their password at next sign-in without first resetting their password?

In the scenario, the Microsoft 365 Administrator has modified the default password policy in Microsoft 365; however, without a password change, users do not yet have passwords which conform to the new policy.

Previously, with on-premises Active Directory, you could check a box to force a password change for a user on the next login. With Microsoft Entra ID (or Microsoft 365), such an option does not exist through the web portal. 

Thankfully, we can still ensure that on the next login, a password change is required by modifying the user’s password profile settings using Microsoft Graph PowerShell.

Permissions needed for Microsoft Graph

Modifying the user's password profile requires a specific permission to be granted to the Microsoft Graph application. It might be assumed that the User.ReadWrite.All permission would suffice to modify user settings; however, modifying a user's password settings is a protected action that cannot be performed with that permission alone.

Instead, the Directory.AccessAsUser.All permission is required. This delegated permission grants the signed-in user the same level of access to the application as the Entra role assigned to them.

So in this case, the application must have the Directory.AccessAsUser.All permission granted to it in advance, and you can then connect to it with an account that has the User Administrator role assigned.

To learn more about the Directory.AccessAsUser.All permission, check out my blog post: How to Simplify using Microsoft Graph PowerShell with PIM

Update a user's Password Profile with Microsoft Graph

Start by connecting to Microsoft Graph with the necessary permission scopes. To initially grant the permissions to the Microsoft Graph application you must use a Global Administrator account.

Connect-MgGraph -Scopes Directory.AccessAsUser.All

Then, define the password profile hashtable and run the Update-MgUser command:

# Replace the placeholder with the target user's UPN or object id
$UserId = '<user UPN or object id>'

$PasswordProfile = @{
  ForceChangePasswordNextSignIn = $true
}

Update-MgUser -UserId $UserId -PasswordProfile $PasswordProfile

Force a password change for all users

A critical incident, or a compliance requirement, may call for all users to change their passwords as soon as possible. To force all users to change their passwords via PowerShell, first store your users in an array, then loop through each user to apply the new password profile.

$AllUsers = Get-MgUser -All

$PasswordProfile = @{
  ForceChangePasswordNextSignIn = $true
}

# Apply the profile to each user, identifying the user by object id
foreach ($User in $AllUsers) {
    Update-MgUser -UserId $User.Id -PasswordProfile $PasswordProfile
}

In most cases, you should not blindly run this script against all users in your tenant. You would be better off applying a filter to your Get-MgUser query so that Global Admins and break glass accounts are excluded.

See How to Use -Filter with Microsoft Graph PowerShell, which contains many examples.
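As an added example that is not part of the original post, the following script combines the steps above into a single function: it checks that the current Graph session was connected with the Directory.AccessAsUser.All scope, selects only enabled member accounts with a server-side filter, skips an explicit list of break glass accounts and any directory-synced users (the post covers cloud-only accounts), applies the password profile, and returns a per-user result that can be written to a CSV for the incident record. The break glass UPNs and the CSV path are placeholders; replace them with your own values.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph has
# already been run with the Directory.AccessAsUser.All scope, as described above.
# The UPNs below are placeholders; replace them with your own break glass accounts.

function Set-ForcedPasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts that must never be forced to change their password (placeholders)
        [string[]]$ExcludeUpn = @('breakglass1@yourdomain.example', 'breakglass2@yourdomain.example'),

        # Server-side filter: only enabled, non-guest accounts
        [string]$Filter = "accountEnabled eq true and userType eq 'Member'"
    )

    # Fail early if the session does not carry the scope the update requires
    $Context = Get-MgContext
    if (-not $Context -or $Context.Scopes -notcontains 'Directory.AccessAsUser.All') {
        throw 'Connect first with: Connect-MgGraph -Scopes Directory.AccessAsUser.All'
    }

    $PasswordProfile = @{ ForceChangePasswordNextSignIn = $true }

    # Case-insensitive lookup of the excluded UPNs
    $Exclude = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExcludeUpn, [System.StringComparer]::OrdinalIgnoreCase)

    # Filter on the server where possible, then drop synced and excluded accounts locally
    $Targets = Get-MgUser -All -Filter $Filter -Property Id, UserPrincipalName, OnPremisesSyncEnabled |
        Where-Object { -not $_.OnPremisesSyncEnabled -and -not $Exclude.Contains($_.UserPrincipalName) }

    foreach ($User in $Targets) {
        # -WhatIf lists the accounts that would be changed without touching them
        if ($PSCmdlet.ShouldProcess($User.UserPrincipalName, 'Force password change at next sign-in')) {
            try {
                Update-MgUser -UserId $User.Id -PasswordProfile $PasswordProfile -ErrorAction Stop
                [pscustomobject]@{ UserPrincipalName = $User.UserPrincipalName; Status = 'Updated'; Error = $null }
            }
            catch {
                [pscustomobject]@{ UserPrincipalName = $User.UserPrincipalName; Status = 'Failed'; Error = $_.Exception.Message }
            }
        }
    }
}

# Dry run first: shows which accounts would be changed
Set-ForcedPasswordChange -WhatIf

# Apply, and keep a record of the outcome per user (placeholder path)
Set-ForcedPasswordChange | Export-Csv -Path '.\forced-password-change.csv' -NoTypeInformation
```

Run the function with -WhatIf before the real run and compare the listed accounts against your break glass and admin accounts; the exclusion list only protects the UPNs you name, so it is worth checking the dry-run output rather than trusting the filter alone.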

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Dinesh

    Hey Daniel,

    To force password change at the next login, set it to $true, not $false. Was it a typo?
    ForceChangePasswordNextSignIn = $true
