
The Legacy Problem

When this question is asked, the most common answers online unfortunately still use the old PowerShell modules (Azure AD, Azure AD Preview, MSOL), which are being deprecated.

To help remedy this, I have collected some solutions using the Microsoft Graph PowerShell SDK.

! The permissions a cmdlet needs are best found using Find-MgGraphCommand -Command "<CmdLet>"


Change OWN password if you know the old one

This is probably the first thing you’ll find in the API documentation.

! Important: This endpoint can only be used by the user currently authenticated against the Graph API !

# You can use the User Principal Name (UPN) or the Object ID (OID)
# Important: It must be the currently authenticated user
$userId = (Get-MgContext).Account
$params = @{
    currentPassword = "<Current_Password>"
    newPassword     = "<New_Password>"
}
Update-MgUserPassword -UserId $userId -BodyParameter $params

# Alternative without the Microsoft.Graph.Users.Actions module:
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/me/changePassword" -Body $params

The use cases are limited because you have to authenticate against the Graph API in advance, only to then enter the password again. Or maybe I’m just not creative enough.

Much more interesting is probably:


As an Admin, Setting a User’s Password

This possibility is easily overlooked in the documentation and discussion: you can set a user’s password without them having to change it at the next sign-in.

Unless you are, for example, automatically rotating the password of a service account or have another very good reason, forceChangePasswordNextSignIn = $true should be used.

If the changes are to be executed through the Enterprise Application, it has to be assigned an Entra ID admin role.

Permission Prerequisites


# You can use either the UPN or the Object ID (OID)
$userId = "<UserId>"

$params = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password                      = "<New_Password>"
    }
}

Update-MgUser -UserId $userId -BodyParameter $params

# Without the additional module
Invoke-MgGraphRequest -Method PATCH -Uri "/v1.0/users/$userId" -Body $params


As an Admin, Changing a User’s Password

With an appropriate Entra ID Admin Role you can change the authentication methods for other Users.

! Important: This endpoint cannot be used to reset your own password !

Caution: resetting passwords through this endpoint is only possible with delegated permissions; it cannot be done with application permissions.

"UserAuthenticationMethod.ReadWrite.All" grants write access to Microsoft Authenticator, FIDO keys, etc., even on privileged users!
An attacker holding such an app registration could, for example, remove the Authenticator of a Global Admin.

# Optional: if this parameter is not specified, Entra ID returns an auto-generated password in the response
# The password set here must be changed by the user at their next sign-in
$params = @{ newPassword = "<New_Password>" }

# You can use the User Principal Name (UPN) or the Object ID (OID)
$userId = "<UserId>"

# The "password" authentication method has a static ID
$authMethodId = "28c10230-6103-485e-b985-444c60001490"

Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authMethodId -BodyParameter $params

# Without the Microsoft.Graph.Users.Actions module:
Invoke-MgGraphRequest -Method POST -Uri "/v1.0/users/$userId/authentication/methods/$authMethodId/resetPassword" -Body $params


If no initial password is set, you should capture the response for further processing:

# Either via the SDK cmdlet ...
$res = Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authMethodId
# ... or via the raw request
$res = Invoke-MgGraphRequest -Method POST -Uri "/v1.0/users/$userId/authentication/methods/$authMethodId/resetPassword"

$res.NewPassword
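As an added example (not code from the original post), the reset flow above wrapped in a function that enforces the two caveats the post names before calling the endpoint: it refuses app-only authentication, checks the signed-in context for a scope the cmdlet accepts (looked up with Find-MgGraphCommand), and hands the resulting password back as a SecureString rather than a plain string. The function name and its parameters are my own; the cmdlets and the static method ID are those from the post.

```powershell
# Added example; not part of the original post.
function Reset-EntraUserPasswordChecked {
    param(
        [Parameter(Mandatory)] [string] $UserId,   # UPN or object ID
        [string] $NewPassword                      # omit to let Entra ID generate one
    )

    $ctx = Get-MgContext
    if (-not $ctx) { throw "Not connected. Run Connect-MgGraph first." }

    # resetPassword is not available with application permissions
    if ($ctx.AuthType -ne 'Delegated') {
        throw "resetPassword requires delegated permissions (current AuthType: $($ctx.AuthType))."
    }

    # Ask the SDK which permissions the cmdlet accepts instead of hard-coding them
    $cmd      = Find-MgGraphCommand -Command 'Reset-MgUserAuthenticationMethodPassword' -ApiVersion 'v1.0'
    $accepted = $cmd.Permissions.Name
    if ($accepted -and -not ($ctx.Scopes | Where-Object { $_ -in $accepted })) {
        throw "Token lacks a suitable scope. Accepted: $($accepted -join ', ')"
    }

    # Static ID of the "password" authentication method (from the post)
    $authMethodId = '28c10230-6103-485e-b985-444c60001490'

    # Only send a body when a password was supplied; otherwise Entra ID returns a generated one
    $extra = @{}
    if ($NewPassword) { $extra.BodyParameter = @{ newPassword = $NewPassword } }

    $res = Reset-MgUserAuthenticationMethodPassword -UserId $UserId `
               -AuthenticationMethodId $authMethodId @extra

    # Whichever password ends up set, the user must change it at their next sign-in
    $plain = if ($NewPassword) { $NewPassword } else { $res.NewPassword }
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

# Usage (hypothetical UPN): let Entra ID generate the password and keep it as a SecureString
# $secret = Reset-EntraUserPasswordChecked -UserId 'user@contoso.example'
```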



Closing Words

Hopefully, I was able to clear up some confusion or help with the replacement of old modules – I dealt with this topic because I wanted to set an initial password for a PAM solution and was rather unhappy with the articles I found. If there is anything to improve, please let me know.


I will not moderate comments and I do not want your email address; please participate in the discussion through my associated LinkedIn Post.


If you are interested in the things I do follow me on LinkedIn.


Translation assisted by ChatGPT

Last modified: 4 November 2024
