
What is the Forced Password Changed Users report in M365 Manager Plus?

The Forced Password Changed Users report, one of M365 Manager Plus' Entra ID reports, helps identify users whose passwords were forcibly reset by admins. It verifies admin password resets and traces any anomalous patterns that may indicate signs of an attack. Unlike self-service password resets initiated by the user themselves, this report focuses exclusively on forced password changes and resets initiated by admins. The report includes identifiers such as the affected user's display name and User Principal Name (UPN), the identity of the admin who performed the reset, the date of the password change, the number of days elapsed since then, and more.

Why you need a Microsoft 365 Forced Password Changed Users report

Admin-initiated password resets are a normal part of IT operations, but they are also one of the clearest signals of a compromised admin account. According to the Verizon 2024 Data Breach Investigations Report, over 70% of breaches on web applications involve compromised credentials, and privilege escalation through admin account takeover is among the fastest-moving attack paths. A Forced Password Changed Users report gives your security team the visibility to detect this pattern early and contain the attack radius before it compounds into a broader breach.

  • Detect insider privilege abuse: Identify admins who are performing password resets outside of business hours, on accounts outside their typical administrative scope, or at volumes inconsistent with normal helpdesk activity—all of which are signs of an insider attack.
  • Scope the impact of a compromised admin account: When a suspicious forced reset is confirmed, use the report to identify every user whose credentials the actor modified. This defines the boundary of the incident and tells you which accounts need immediate review and recovery.
  • Plan your attack recovery: Use the actor's identity and timestamps to pull the other Entra ID admin activity that actor conducted (role assignments, group changes, mailbox rules, app permissions) and systematically revert each unauthorized action.
  • Support compliance reviews and regulatory audits: Produce a dated, exportable record of all admin-initiated password change activity to demonstrate adherence to compliance standards.

What does the Forced Password Changed Users report show?

Using M365 Manager Plus, you can generate the Forced Password Changed Users report with the following fields:

  • Microsoft 365 Tenant: Select the specific tenant where you want to track admin-initiated password change activity.
  • Virtual Tenants: If you have created Virtual Tenants to manage specific subsets of your organization, you can filter the report to show only users in that virtual tenant.
  • Filter By: Choose to view users from specific domains or belonging to particular groups.
  • Business Hours: Toggle between All Hours, Business Hours, or Non-Business Hours to isolate forced password resets that occurred outside standard shifts—a critical filter when investigating after-hours attacker activity.
  • Period: Set a custom date range (e.g., the last seven days or a specific date and time), showing only users whose passwords were forcibly changed within the selected window.

The Forced Password Changed Users report displays the following details for every user.

| Attribute | Description |
|---|---|
| Display Name | The full name of the user whose password was forcibly changed by an admin. |
| User Principal Name | The unique login identifier for the affected user (e.g., user@domain.com). |
| Password Reset By | The UPN or identity of the admin or service principal that initiated the forced password change. |
| Last Password Change Date | The exact date and timestamp when the password was last forcibly changed or reset in the Microsoft 365 tenant. |
| Days Since Last Password Change | The total number of days elapsed since the admin-initiated password change, useful for identifying recently locked-out accounts. |
| Password Never Expires | A true or false indicator showing whether the user account is exempt from password expiration policies. |

Here are some more Entra ID user attributes that the Forced Password Changed Users report lists.

| Alternate Email Address | First Name | Company | Street Address | Object ID | License Name |
| Last Name | Mobile Phone | Department | City | GUID | License Details |
| Initials | Business Phone | Title | State | Immutable Id | Services |
| Employee ID | Home Phone | Office | Postal Code | Blocked Credential | DirSync Provisioning Error |
| Employee Hire Date | Other Home Phone | Manager | Country / Region | Strong Password Required | Last Directory Sync Time |
| Employee Type | Other Telephone | Direct Reports | Usage Location | User Account Property | Recipient Type |
| | Fax | | | | Recipient Type Details |

Native Microsoft 365 admin portals vs. PowerShell vs. M365 Manager Plus

Tracking admin-initiated password resets in Microsoft 365 is possible through native tools such as the Microsoft 365 admin center, the Entra admin center, Microsoft Purview, and Graph PowerShell. However, isolating forced resets from self-service changes and identifying who performed each reset requires significant manual effort and time that could otherwise be spent on handling the threat itself.

In Entra ID, admins can configure the Activity filter within Audit Logs to search for "Admin started password reset" or use the Audit Log Search feature in Microsoft Purview. For admins who need this data generated on a periodic schedule, neither portal offers this out of the box. Scripting through Microsoft Graph PowerShell with the Search-UnifiedAuditLog cmdlet remains the only native way to enable report scheduling, but this requires expertise, manual scheduling, and additional work to correlate actor and target attributes into a usable format.

With M365 Manager Plus, your Forced Password Changed Users report delivers a dedicated, pre-filtered view that shows both the affected user and the admin who performed the reset in every row, giving your security team the correlation they need without writing a single line of script.

| Capability | Microsoft 365 limitations | PowerShell limitations | The M365 Manager Plus advantage |
|---|---|---|---|
| Report accessibility | No. Audit logs contain a multitude of events that you filter every time. | No. Manual filtering is required before you even generate the report. | Yes. Individual user-friendly reports segregated and categorized for one-click access. |
| Custom reports | No | No | Yes. Created by saving granular attribute-based conditional filters once per custom report. |
| Report exports | CSV or JSON formats. Bulk exports require multiple stages of confirmation. | CSV or JSON formats. Requires additional modules to export as PDF or XLSX. | CSV, HTML, PDF, and XLSX, in a single click. |
| Email reports to admins | No | No | Yes. Email reports right from the dashboard or report page in any supported formats without jumping between applications. |
| Automated report generation | No. Requires complex add-ons like Power Automate. | No. Requires complex Task Scheduler configurations. | Yes. Schedule multiple reports that generate between periods and are filtered, mailed, and exported automatically. |

For a more detailed comparison, check out this page on how to audit Microsoft 365 admin activity with M365 Manager Plus.

Features that enhance the Forced Password Changed Users report

M365 Manager Plus provides several built-in tools to help you investigate, automate, and act on the data found in the Forced Password Changed Users report:

  • Export reports: Download the report in multiple formats, including CSV, PDF, HTML, or XLSX, for sharing data with your security team, incident response stakeholders, or compliance reviewers.
  • Automated report generation: Set the Forced Password Changed Users report to run at defined intervals—daily, weekly, or monthly—so that admin-initiated credential changes are always under continuous review without manual effort.
  • Revoke Microsoft 365 access: If a Microsoft 365 admin is found to be changing passwords anomalously, you can revoke their refresh token, reset their password, and disable their account so the attack is contained.
  • Microsoft 365 alerts for anomalous password resets: Configure real-time alerts to notify your security team when the volume of admin-initiated password resets exceeds a defined threshold within a short window—for example, more than five forced resets in 10 minutes—which is a strong indicator of an account takeover in progress.
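
The threshold alert above (more than five forced resets in 10 minutes) and the Non-Business Hours filter can also be checked offline against a CSV export of the report. This is an added example, not M365 Manager Plus code: the column names come from the report's attribute table, while the ISO 8601 timestamp format, the 09:00-18:00 weekday business hours, and the sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the report's attribute table;
# the ISO 8601 timestamp format is an assumption about the CSV export.
SAMPLE_CSV = """User Principal Name,Password Reset By,Last Password Change Date
alice@example.com,helpdesk@example.com,2025-03-03T10:15:00
u1@example.com,admin2@example.com,2025-03-04T02:01:00
u2@example.com,admin2@example.com,2025-03-04T02:02:00
u3@example.com,admin2@example.com,2025-03-04T02:04:00
u4@example.com,admin2@example.com,2025-03-04T02:05:00
u5@example.com,admin2@example.com,2025-03-04T02:07:00
u6@example.com,admin2@example.com,2025-03-04T02:09:00
carol@example.com,helpdesk@example.com,2025-03-04T11:00:00
"""

WINDOW = timedelta(minutes=10)  # window from the page's example
THRESHOLD = 5                   # alert on MORE than five resets per window
BUSINESS_HOURS = range(9, 18)   # assumed: 09:00-17:59, Monday to Friday


def load_resets(text):
    """Parse the export into (timestamp, admin, target) tuples, oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["Last Password Change Date"]),
                   r["Password Reset By"].lower(),
                   r["User Principal Name"].lower()) for r in rows)


def burst_admins(events, window=WINDOW, threshold=THRESHOLD):
    """Map each admin exceeding the threshold to the users reset in the burst."""
    recent = defaultdict(deque)   # admin -> resets still inside the sliding window
    flagged = defaultdict(set)
    for ts, admin, target in events:
        queue = recent[admin]
        queue.append((ts, target))
        while ts - queue[0][0] > window:   # expire resets older than the window
            queue.popleft()
        if len(queue) > threshold:
            flagged[admin].update(t for _, t in queue)
    return dict(flagged)


def off_hours(events):
    """Return resets made on weekends or outside the assumed business hours."""
    return [e for e in events
            if e[0].weekday() >= 5 or e[0].hour not in BUSINESS_HOURS]
```

The set returned for each flagged admin is the list of affected users to review and recover, which is the incident boundary described earlier on this page.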

Reports that complement the Forced Password Changed Users report

To strengthen your investigation and recovery workflow after detecting suspicious forced resets, use the following reports along with the Forced Password Changed Users report:

  • Password Changed Users report: Provides a complete view of all Microsoft 365 password changes, both self-service and admin-initiated.
  • Microsoft 365 admin activity reports: Once you have identified the actor behind the forced password changes, use M365 Manager Plus' admin activity reports to pull the full scope of that account's actions—role changes, group membership modifications, mailbox rule additions, and app consent grants—giving you everything you need to systematically revert unauthorized changes.
  • MFA registration details report: After a forced password reset, this report checks whether the affected users' MFA methods were also modified. An attacker who forces a password change may also register a new MFA device to block the user from initiating self-service resets, giving the attacker a backdoor to get in again.
  • Microsoft 365 user login reports: Audit sign-in attempts on affected accounts following a forced reset to verify whether the attacker used the changed credentials to authenticate and to confirm whether restored access has been successfully claimed by the legitimate user.

Other features of M365 Manager Plus

Microsoft Entra ID management: Create, modify, and delete users, groups, and licenses in bulk without Graph PowerShell and simplify your Microsoft 365 identity management.

Microsoft 365 reporting: 700+ prebuilt and custom reports across major Microsoft 365 services such as Exchange Online, SharePoint Online, Teams, OneDrive for Business, and more, all from one dashboard.

Microsoft 365 management: Manage users, groups, mailboxes, Teams, SharePoint permissions, and license assignments across workloads without switching portals.

Microsoft 365 automation: Automate onboarding, offboarding, license provisioning, and group updates with no-code workflows—not add-on subscriptions.

Microsoft 365 auditing: Maintain a complete, searchable audit trail of every change across your Microsoft 365 environment.

Microsoft 365 alerting: Get real-time alerts on suspicious sign-ins, admin role changes, license breaches, and policy violations.

Microsoft 365 admin delegation: Give help desk staff scoped access to specific tasks such as password resets, group changes, and mailbox management, without full admin rights or visibility over the users they don't manage.

 