Microsoft Entra ID password cmdlet: Set-MsolUserPassword

This cmdlet allows admins to set or reset the password of a user in Microsoft Entra ID. It is used in several situations—when a user forgets their password and needs help regaining access, when there's a suspicion that an account has been compromised and needs immediate securing, or when an organization enforces periodic password changes (such as every 90 days) as part of its security policy, among others.

Unlike in traditional AD environments where passwords are stored and protected with NT hashes, cloud-only environments like Microsoft Entra ID manage authentication through more modern methods. However, password hygiene remains essential, as user credentials are still a key target for attackers.

When an admin resets a user's password using the Set-MsolUserPassword cmdlet, they can also force the user to change it at their next login, helping to maintain security continuity after a manual reset.

Note: The Set-MsolUserPassword cmdlet is part of the MSOnline module, which is deprecated by Microsoft. Microsoft now recommends using Microsoft Graph PowerShell for managing user accounts and passwords in Microsoft Entra ID.

Prerequisites

Before resetting a password with Microsoft Graph, ensure:

  • Microsoft Graph PowerShell SDK is installed.
    Install-Module Microsoft.Graph -Scope CurrentUser
  • You have the Password Administrator role.
  • You are connected to Microsoft Graph.
    Connect-MgGraph -Scopes "User.ReadWrite.All"

This command requires the User.ReadWrite.All permission (admin consent required).

Resetting a user's password with Microsoft Graph

Resetting a user's password

Update-MgUser -UserId "user@domain.com" -PasswordProfile @{Password = "NewStrongPassword!23"}

Syntax breakdown

| Cmdlet component | Description |
| --- | --- |
| Update-MgUser | Microsoft Graph cmdlet for updating user account properties. |
| -UserId "user@domain.com" | Specifies the user to update. This can be the User Principal Name (UPN) or object ID. In this case, user@domain.com is the user whose password is being updated. |
| -PasswordProfile | A parameter group for setting password-related values. |
| Password = "NewStrongPassword!23" | Sets the new password for the user. Must meet your organization's password complexity policy. In this case, NewStrongPassword!23 is the new password. |

Note: Unlike with the MSOnline module, Microsoft Graph does not help you generate random passwords.

Reset a user's password and force a password change at the next sign-in

Update-MgUser -UserId "user@domain.com" -PasswordProfile @{Password = "NewStrongPassword!23"; ForceChangePasswordNextSignIn = $true}

Syntax breakdown

| Cmdlet component | Description |
| --- | --- |
| Update-MgUser | Microsoft Graph cmdlet for updating user account properties. |
| -UserId "user@domain.com" | Specifies the user to update. This can be the UPN or object ID. In this case, user@domain.com is the user whose password is being updated. |
| -PasswordProfile | A parameter group for setting password-related values. |
| Password = "NewStrongPassword!23" | Sets the new password for the user. Must meet your organization's password complexity policy. In this case, NewStrongPassword!23 is the new password. |
| ForceChangePasswordNextSignIn = $true | Ensures the user is prompted to change their password on the next login. Recommended for security. |

Bulk password reset for multiple users

$users = @("user1@domain.com", "user2@domain.com", "user3@domain.com")
foreach ($user in $users) {
    Update-MgUser -UserId $user -PasswordProfile @{
        Password = "SecureTemp!789"
    }
}

Syntax breakdown

| Cmdlet component | Description |
| --- | --- |
| $users = @(...) | Array of UPNs or object IDs for which the password will be reset. |
| foreach ($user in $users) | Loops through each user. |
| Update-MgUser | Microsoft Graph cmdlet for updating user account properties. |
| -UserId $user | Specifies the current user in the loop. This can be the UPN or object ID. |
| -PasswordProfile @{...} | A parameter group for setting password-related values. |
| Password = "SecureTemp!789" | Sets the new password for the user. Must meet your organization's password complexity policy. In this case, SecureTemp!789 is the new password. |

Bulk password reset for multiple users with a forced password change at the next sign-in

$users = @("user1@domain.com", "user2@domain.com", "user3@domain.com")
foreach ($user in $users) {
    Update-MgUser -UserId $user -PasswordProfile @{
        Password = "SecureTemp!789"
        ForceChangePasswordNextSignIn = $true
    }
}

Syntax breakdown

| Cmdlet component | Description |
| --- | --- |
| $users = @(...) | Array of UPNs or object IDs for which the password will be reset. |
| foreach ($user in $users) | Loops through each user. |
| Update-MgUser | Microsoft Graph cmdlet for updating user account properties. |
| -UserId $user | Specifies the current user in the loop. This can be the UPN or object ID. |
| -PasswordProfile @{...} | A parameter group for setting password-related values. |
| Password = "SecureTemp!789" | Sets the new password for the user. Must meet your organization's password complexity policy. In this case, SecureTemp!789 is the new password. |
| ForceChangePasswordNextSignIn = $true | Ensures the users are prompted to change their password on the next login. Recommended for security. |
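
Because Microsoft Graph does not generate a password for you and the bulk loops above assign the same literal to every account, the following added example (not from the original page or from Microsoft) gives each user a distinct random temporary password, forces a change at the next sign-in, and reports success or failure per user. Get-RandomIndex and New-TempPassword are hypothetical helper names, and the character sets and length are assumptions to adjust to your password policy.

```powershell
# Added example. Get-RandomIndex and New-TempPassword are hypothetical helpers,
# not cmdlets from the Microsoft Graph PowerShell SDK.
function Get-RandomIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $b = [byte[]]::new(1)
    $limit = 256 - (256 % $Max)          # rejection sampling: avoids modulo bias
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-TempPassword {
    param([int]$Length = 16)             # assumed length; match your policy
    # Assumed character classes; look-alike characters (I, O, l, 0, 1) are left out.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%*+-=?'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character from every class, the rest from the full alphabet.
        $chars = @(foreach ($s in $sets) { $s[(Get-RandomIndex $rng $s.Length)] })
        $chars += @(for ($i = $sets.Count; $i -lt $Length; $i++) { $all[(Get-RandomIndex $rng $all.Length)] })
        # Fisher-Yates shuffle so the guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex $rng ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return (-join $chars)
    } finally { $rng.Dispose() }
}

$users = @("user1@domain.com", "user2@domain.com", "user3@domain.com")
$results = foreach ($user in $users) {
    $temp = New-TempPassword             # distinct password per account
    try {
        Update-MgUser -UserId $user -ErrorAction Stop -PasswordProfile @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true
        }
        [pscustomobject]@{ User = $user; Status = 'Reset'; TempPassword = $temp }
    } catch {
        [pscustomobject]@{ User = $user; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
    }
}
# Show status only; pass TempPassword to each user out of band, not via logs.
$results | Format-Table User, Status
```

The -ErrorAction Stop switch turns a failed update into a catchable error, so a wrong UPN or a policy rejection appears in the Status column instead of passing silently.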

Troubleshooting common errors

  • No response after running the command: The command doesn't show a success message by default. Run Get-MgUser to check if the update worked. You can also add a Write-Host message if you're using a script.
  • Invalid authentication token: Your session may have expired or you're not signed in. Run Connect-MgGraph again to log in.
  • User not found: The user ID you gave might be wrong or doesn’t exist. Verify the email or object ID.
  • Password does not comply with policy: The password you entered is too weak or doesn’t follow your organization’s rules. Use a strong password with uppercase letters, lowercase letters, numbers, and symbols.
  • Access denied error: You might not have the right permissions. Make sure you're a Password Administrator.

Go beyond the native controls with ADSelfService Plus

Although Microsoft Graph PowerShell is powerful, it's still limited in some areas:

ADSelfService Plus brings enterprise-grade password security to Microsoft Entra ID

  • Password self-service

    Unburden users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
  • Multi-factor authentication

    Enable context-based multi-factor authentication (MFA) with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
  • One identity with single sign-on

    Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications including Microsoft 365 using their Windows AD credentials.
  • Password synchronization

    Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365.
  • Custom password policy enforcer

    Prevent users from setting weak and breached passwords for their accounts through an advanced password policy that bans dictionary words, keyboard sequences, and compromised passwords through its integration with Have I Been Pwned?
  • Password and account expiry notifications

    Notify users of their impending password and account expiry via email and SMS notification.

Fortify your Microsoft Entra ID password security with ADSelfService Plus today

 