In some cases, you want to force a password change on a Microsoft 365 user without having to reset their password first. A typical scenario: the Microsoft 365 administrator has modified the default password policy in the tenant, but until each user actually changes their password, the existing passwords do not yet conform to the new policy.
Here are some examples of how to use PowerShell commands or the Microsoft Graph API to force a password change for a user.
Using the Microsoft Graph PowerShell SDK
1. Install the required Microsoft Graph PowerShell SDK module: open PowerShell as administrator and run the following command:
Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser
2. Modifying a user's password profile requires a certain level of permissions to be granted to the Microsoft Graph Command Line Tools application, so in this case we need to connect to Graph PowerShell with the following scopes:
Connect-MgGraph -Scopes User.ReadWrite.All,Directory.AccessAsUser.All
3. To force a single user to change their password, use the Update-MgUser cmdlet with the -PasswordProfile parameter. For example:
# Password profile that only sets the "must change at next sign-in" flag; the current password is left untouched
$PasswordProfile = @{
    ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId "[email protected]" -PasswordProfile $PasswordProfile
As you can see in the below screenshot, the user needs to update her account password in the
Sometimes, for compliance reasons or after a critical incident, all users may be required to change their passwords as soon as possible. To force all users to change their passwords via PowerShell, first store your users in an array, then loop through each user to apply the new password profile.
# Retrieve every user object in the tenant (paged automatically by -All)
$users = Get-MgUser -All
$PasswordProfile = @{
    ForceChangePasswordNextSignIn = $true
}
foreach ($user in $users) {
    # -UserId expects the object id or UPN, not the whole user object
    Update-MgUser -UserId $user.Id -PasswordProfile $PasswordProfile
}
In most cases, you should not run the above script against all users in your tenant. You would be better off applying the password profile to a group of users listed in a CSV file, excluding your administrative accounts.
The below script pulls the list of users from a CSV file, then loops through each user to apply the new password profile.
$passwordProfile = @{
    ForceChangePasswordNextSignIn = $true
}
# The CSV is expected to have a UserPrincipalName column
$users = Import-Csv "D:\scripts\users.csv"
$users | ForEach-Object {
    Write-Host "Updating $($_.UserPrincipalName)..." -ForegroundColor Yellow
    Update-MgUser -UserId $_.UserPrincipalName -PasswordProfile $passwordProfile
}
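The two bulk scripts above (all users, and users from a CSV) apply the flag but do not report what happened to each account, and nothing stops them from hitting administrative or break-glass accounts by mistake. The following function is an added example, not code from the original article: it reads the same kind of CSV (a UserPrincipalName column), skips an explicit exclusion list, supports -WhatIf for a dry run, and records a per-user result so failures (typically a 404 for an unknown user or a 403 for insufficient privileges) are visible afterwards. It assumes Connect-MgGraph has already been run with the scopes shown earlier; the file paths, the function name and the example UPNs are placeholders.

```powershell
# Added example: bulk-apply ForceChangePasswordNextSignIn from a CSV with an exclusion
# list, dry-run support and a result report. Assumes an existing Connect-MgGraph session.
function Set-ForceChangePasswordFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $CsvPath,
        [string[]] $ExcludeUpn = @(),                       # admin / break-glass accounts to never touch
        [string]   $ReportPath = ".\force-change-report.csv" # placeholder output path
    )

    $passwordProfile = @{ ForceChangePasswordNextSignIn = $true }
    $report = [System.Collections.Generic.List[object]]::new()

    foreach ($row in (Import-Csv -Path $CsvPath)) {
        $upn = $row.UserPrincipalName
        if ([string]::IsNullOrWhiteSpace($upn)) { continue }   # ignore blank rows

        # -contains is case-insensitive, so UPN casing in the CSV does not matter
        if ($ExcludeUpn -contains $upn) {
            $report.Add([pscustomobject]@{ UserPrincipalName = $upn; Result = 'Skipped (excluded)'; Error = '' })
            continue
        }

        # With -WhatIf, ShouldProcess prints the intended change and returns $false: no Graph call is made
        if (-not $PSCmdlet.ShouldProcess($upn, 'Force password change at next sign-in')) {
            $report.Add([pscustomobject]@{ UserPrincipalName = $upn; Result = 'WhatIf'; Error = '' })
            continue
        }

        try {
            Update-MgUser -UserId $upn -PasswordProfile $passwordProfile -ErrorAction Stop
            $report.Add([pscustomobject]@{ UserPrincipalName = $upn; Result = 'Updated'; Error = '' })
        }
        catch {
            # Keep going: one bad row must not abort the whole batch
            $report.Add([pscustomobject]@{ UserPrincipalName = $upn; Result = 'Failed'; Error = $_.Exception.Message })
        }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    return $report
}

# Usage: dry run first, then the real run (paths and UPN are placeholders)
# Set-ForceChangePasswordFromCsv -CsvPath 'D:\scripts\users.csv' -ExcludeUpn 'breakglass@contoso.example' -WhatIf
# Set-ForceChangePasswordFromCsv -CsvPath 'D:\scripts\users.csv' -ExcludeUpn 'breakglass@contoso.example'
```

Running with -WhatIf first gives you the exact list of accounts that would be touched, which is worth keeping alongside the report when the change is done as part of an incident response.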
Using the Microsoft Graph Explorer
If you don't want to install any Microsoft Graph PowerShell module, you can use Microsoft Graph Explorer to quickly force a user to change their account password on the next login.
1. Visit Microsoft Graph Explorer at https://aks.ms/ge.
2. Consent to the required permissions so that the Graph Explorer app can update user information.
3. Enter the request body as follows, change the method to PATCH, change the endpoint URL to point at your user, and then click the Run query button.
{"passwordProfile":{"forceChangePasswordNextSignIn":true}}
4. If there is no error, you will see an empty response with status code 204.
Using the Microsoft Graph API
If you want to force a user to change their password on the next login using the Microsoft Graph API, you can follow these general steps:
Get Access Token: Obtain an access token with the necessary permissions. Your app needs the User.ReadWrite.All or a similar permission to update user information.
Update User’s Password Profile: Use the access token to make a PATCH request to the Microsoft Graph API endpoint to update the user’s password profile. You will need to set the forceChangePasswordNextSignIn property to true.
Make sure to replace the variables with your actual values. Here’s an example using PowerShell with the Microsoft Graph API:
# Define variables
$clientId = "xxxxxxxxxxxxx-cd58-4e4d-95ac-17081063c20b"
$clientSecret = "vUm8Q~xxxxxxxxxxxxx.pRiyMuQIJ0RCfBaSa"
$tenantId = "c032627b-6715-4e39-9990-xxxxxxxxxx"
$username = "[email protected]"
# Get OAuth token
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $clientId
client_secret = $clientSecret
grant_type = "client_credentials"
scope = "https://graph.microsoft.com/.default"
}
$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
# Extract access token
$accessToken = $response.access_token
# Build the password profile that forces a change at the next sign-in (the current password is not reset)
$userEndpoint = "https://graph.microsoft.com/v1.0/users/$username"
$body = @{
passwordProfile = @{
forceChangePasswordNextSignIn = $true
}
} | ConvertTo-Json
# Update user's password profile
$params = @{
Method = "Patch"
Uri = $userEndpoint
Headers = @{Authorization = "Bearer $accessToken"}
Body = $body
ContentType = "application/json"
}
Invoke-RestMethod @params
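The script above works, but it keeps the client secret in the script file, and Invoke-RestMethod discards the HTTP status, so a 204 and a 403 look the same unless an exception is thrown. The following is an added example, not code from the original article, that performs the same token request and PATCH (also the exact request the Graph Explorer section issues), but reads the secret from an environment variable, checks for the 204 status explicitly, and surfaces Graph's JSON error body ({"error":{"code":...,"message":...}}) when the update is rejected. The function names, the environment variable names and the example UPN are placeholders.

```powershell
# Added example: client-credentials token + PATCH of passwordProfile with explicit status handling.
# Secrets come from environment variables (placeholders: GRAPH_TENANT_ID, GRAPH_CLIENT_ID, GRAPH_CLIENT_SECRET).
function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Set-ForceChangePassword {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # Escape the UPN so characters such as '#' (guest accounts) do not break the URL path
    $escaped = [uri]::EscapeDataString($UserPrincipalName)
    $params = @{
        Method          = 'Patch'
        Uri             = "https://graph.microsoft.com/v1.0/users/$escaped"
        Headers         = @{ Authorization = "Bearer $AccessToken" }
        ContentType     = 'application/json'
        Body            = '{"passwordProfile":{"forceChangePasswordNextSignIn":true}}'
        UseBasicParsing = $true   # harmless on PowerShell 7, needed on Windows PowerShell 5.1
    }
    try {
        $resp = Invoke-WebRequest @params -ErrorAction Stop
        # Graph answers 204 No Content with an empty body on success
        return [pscustomobject]@{
            User       = $UserPrincipalName
            StatusCode = [int]$resp.StatusCode
            Success    = ([int]$resp.StatusCode -eq 204)
            Error      = $null
        }
    }
    catch {
        $status = $null
        $detail = $_.Exception.Message
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        # When the response body is available (PowerShell 7 puts it in ErrorDetails), extract Graph's error code/message
        if ($_.ErrorDetails.Message) {
            try {
                $e = ($_.ErrorDetails.Message | ConvertFrom-Json).error
                $detail = "$($e.code): $($e.message)"
            } catch { }
        }
        return [pscustomobject]@{ User = $UserPrincipalName; StatusCode = $status; Success = $false; Error = $detail }
    }
}

# Usage (placeholders):
# $token = Get-GraphAppToken -TenantId $env:GRAPH_TENANT_ID -ClientId $env:GRAPH_CLIENT_ID -ClientSecret $env:GRAPH_CLIENT_SECRET
# Set-ForceChangePassword -AccessToken $token -UserPrincipalName 'alex@contoso.example'
```

The returned object makes it easy to log the outcome per user: a 403 with an Authorization_RequestDenied code means the app's permissions or directory role are insufficient, a 404 means the UPN does not exist in the tenant, and only a 204 means the flag was actually set.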
Conclusion
Forcing a password change without updating the existing password in Microsoft 365 can be done using the Graph PowerShell SDK, Graph Explorer, or the Graph API.