The Legacy Problem
When this question is asked, the most common answers online unfortunately still use the old PowerShell modules (Azure AD, Azure AD Preview, MSOL), which are being deprecated.
To help remedy this, I have collected some solutions that use the Microsoft Graph PowerShell SDK instead.
! Note: the permissions a cmdlet needs are best looked up with
Find-MgGraphCommand -Command "<CmdLet>"
Change OWN password if you know the old one
This is probably the first thing you will find in the API documentation.
! Important: This endpoint can only be used by the user currently authenticated against the Graph API !
# You can use the User Principal Name (UPN) or the Object ID (OID)
# Important: it must be the currently authenticated user
$userId = (Get-MgContext).Account
$params = @{
    currentPassword = "<Current_Password>"
    newPassword     = "<New_Password>"
}
Update-MgUserPassword -UserId $userId -BodyParameter $params
# Alternative without the Microsoft.Graph.Users.Actions module:
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/me/changePassword" -Body $params
The use cases are limited because you have to authenticate against the Graph API in advance, only to then enter the password again. Or maybe I’m just not creative enough.
Much more interesting is probably:
As an Admin, Setting a User’s Password
This possibility is easily overlooked in the documentation and discourse: you can set a user's password without them having to change it at the next login.
Unless you are, for example, automatically rotating the password of a service account or have another very good reason, you should set
forceChangePasswordNextSignIn = $true
If the changes are to be executed through an Enterprise Application (application permissions), it has to be assigned an Entra ID admin role.
# You can use either the UPN or the Object ID (OID)
$userId = "<UserId>"
$params = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password                      = "<New_Password>"
    }
}
Update-MgUser -UserId $userId -BodyParameter $params
# Without the additional module:
Invoke-MgGraphRequest -Method PATCH -Uri "/v1.0/users/$userId" -Body $params
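The following is an added example, not code from the original post: it wraps Update-MgUser so that the initial password is generated from a cryptographically secure source (rejection sampling over a byte RNG, so it also runs on Windows PowerShell 5.1), defaults to forceChangePasswordNextSignIn = $true, and hands the secret back only as a SecureString so it does not end up in transcripts in clear text. The function name, the character set, the password length and the scopes in the usage comment are assumptions; verify the required permissions with Find-MgGraphCommand as the post recommends.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Authentication
# and Microsoft.Graph.Users are installed and Connect-MgGraph has been run.

function New-RandomPassword {
    param([int]$Length = 24)   # assumed default length
    # Character set without easily confused glyphs (assumed); adjust to your password policy.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $sb    = [System.Text.StringBuilder]::new()
    # Reject bytes above the largest multiple of the alphabet size to avoid modulo bias.
    $limit = 256 - (256 % $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Set-InitialUserPassword {
    param(
        [Parameter(Mandatory)][string]$UserId,   # UPN or object ID
        [switch]$NoForceChange                   # only for e.g. service-account rotation
    )
    # Permissions for Update-MgUser can be listed with:
    #   (Find-MgGraphCommand -Command Update-MgUser).Permissions
    $plain  = New-RandomPassword
    $params = @{
        passwordProfile = @{
            forceChangePasswordNextSignIn = -not $NoForceChange   # $true unless explicitly disabled
            password                      = $plain
        }
    }
    Update-MgUser -UserId $UserId -BodyParameter $params
    # Return the secret only as a SecureString; the plain string is not written anywhere.
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

# Usage (delegated sign-in; scopes are an assumption, check them with Find-MgGraphCommand):
# Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'
# $secret = Set-InitialUserPassword -UserId 'alice@contoso.example'
```

The -NoForceChange switch exists so the exception the post describes (rotating a service account) is an explicit choice rather than the default; every other call forces a change at the next sign-in.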
As an Admin, Changing a User’s Password
With an appropriate Entra ID admin role you can change the authentication methods of other users.
! Important: this endpoint cannot be used to reset your own password !
Caution: resetting passwords through this endpoint is only possible with delegated permissions; it cannot be done with application permissions.
"UserAuthenticationMethod.ReadWrite.All" grants write access to Microsoft Authenticator, FIDO keys, etc., even on privileged users!
An attacker with such an App Registration could, for example, remove the Authenticator of a Global Admin.
# Optional: if this parameter is not specified, Entra ID returns an auto-generated password in the response
# The password set here must be changed by the user immediately
$params = @{ newPassword = "<New_Password>" }
# You can use the User Principal Name (UPN) or the Object ID (OID)
$userId = "<UserId>"
# The authentication method "Password" has a static ID
$authMethodId = "28c10230-6103-485e-b985-444c60001490"
Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authMethodId -BodyParameter $params
# Without the Microsoft.Graph.Users.Actions module:
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/users/$userId/authentication/methods/$authMethodId/resetPassword" -Body $params
If no initial password is set, you should capture the response for further processing:
$res = Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authMethodId
# Or, without the module:
$res = Invoke-MgGraphRequest -Method POST -Uri "/v1.0/users/$userId/authentication/methods/$authMethodId/resetPassword"
$res.NewPassword
Result:
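The following is an added example, not code from the original post: it wraps the reset call with the guardrails the warnings above imply before anything is sent. It refuses to run under an app-only context (the endpoint only supports delegated permissions), checks that UserAuthenticationMethod.ReadWrite.All is present in the session, and resolves the target so that neither a UPN nor an object ID referring to the signed-in user slips through (the endpoint cannot reset your own password). The function name is an assumption; the static password-method ID is the one from the post; resolving the target with Get-MgUser additionally needs a read scope such as User.Read.All (assumption).

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Authentication,
# Microsoft.Graph.Users and Microsoft.Graph.Users.Actions are installed.

function Reset-UserPasswordWithChecks {
    param([Parameter(Mandatory)][string]$UserId)   # UPN or object ID of the target user

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }

    # The resetPassword action is delegated-only; fail early under an app-only token.
    if ($ctx.AuthType -ne 'Delegated') {
        throw "resetPassword requires delegated permissions; current AuthType is '$($ctx.AuthType)'."
    }
    if ($ctx.Scopes -notcontains 'UserAuthenticationMethod.ReadWrite.All') {
        throw 'Scope UserAuthenticationMethod.ReadWrite.All is not present in this session.'
    }

    # Resolve the target so a UPN and an object ID compare the same way against the signed-in account.
    $target = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName
    if ($target.UserPrincipalName -eq $ctx.Account) {
        throw 'This endpoint cannot reset the signed-in user''s own password; use Update-MgUserPassword instead.'
    }

    # Static ID of the "Password" authentication method (from the post)
    $authMethodId = '28c10230-6103-485e-b985-444c60001490'

    # No newPassword in the body: Entra ID generates one and returns it,
    # and the user must change it at the next sign-in.
    $res = Reset-MgUserAuthenticationMethodPassword -UserId $target.Id -AuthenticationMethodId $authMethodId

    # Pass the generated secret on only as a SecureString.
    [pscustomobject]@{
        UserPrincipalName = $target.UserPrincipalName
        NewPassword       = ConvertTo-SecureString -String $res.NewPassword -AsPlainText -Force
    }
}

# Usage (delegated sign-in; scopes are an assumption):
# Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.Read.All'
# $result = Reset-UserPasswordWithChecks -UserId 'bob@contoso.example'
# $result.UserPrincipalName
```

Because the scope check reads the current session's scopes rather than the app's registered permissions, a missing consent or a wrong sign-in shows up as a clear error instead of a 403 from Graph after the request has already been built.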
Closing Words
Hopefully, I was able to clear up some confusion or help with the replacement of old modules – I dealt with this topic because I wanted to set an initial password for a PAM solution and was rather unhappy with the articles I found. If there is anything to improve, please let me know.
I will not moderate comments and I do not want your email address; please participate in the discussion through my associated LinkedIn Post.
If you are interested in the things I do follow me on LinkedIn.
Translation assisted by ChatGPT