Microsoft 365: How to force users to change their password

Here we'll look at how to force users to change their Microsoft 365 passwords with PowerShell.

First, I'll describe how to do it step by step from a PowerShell command line for a single account. Finally, I'll show a small script to do it for several accounts that are stored in a text file.

Prerequisites

We'll need the Microsoft.Graph module to connect to Microsoft 365 using PowerShell.

  • Open a PowerShell prompt with administrator rights:
Context menu showing the option to run PowerShell as administrator on Windows.
  • Set TLS to version 1.2 for the current session:
PS C:\> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  • Install the Microsoft.Graph module:
PS C:\> Install-Module -name Microsoft.Graph

Connect to Microsoft 365

  • Use Connect-MgGraph to open the Microsoft 365 sign-in window:
PS C:\> Connect-MgGraph
  • Sign in with an administrator account:
Microsoft sign-in screen showing an email field pre-filled with an administrator account.
  • Enter password:
Microsoft sign-in screen prompting the user to enter the password for the administrator account.

Reset user password

Force a new password

  • Use this command to set a password for a user:
    • ForceChangePasswordNextSignIn: indicates whether the user must change the password the next time they sign in
PS C:\> Update-MgUser -UserId user@shebangthedolphins.net -PasswordProfile @{ Password = "NewPassw0rd"; ForceChangePasswordNextSignIn=$false; ForceChangePasswordNextSignInWithMfa=$false }

Force the user to change his password the next time he logs in

  • After this command, the password update procedure will run the next time the user logs in (it will be slower to apply with Outlook clients because it uses a caching mechanism):
    • ForceChangePasswordNextSignIn=$true: the user must change their password on the next sign-in
    • ForceChangePasswordNextSignInWithMfa=$false: the user doesn't need to perform multifactor authentication (MFA) before being forced to change their password.
PS C:\> Update-MgUser -UserId user@shebangthedolphins.net -PasswordProfile @{ ForceChangePasswordNextSignIn=$true; ForceChangePasswordNextSignInWithMfa=$false }

Misc

  • If you want to search for a user:
PS C:\> Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"DisplayName:cartman"'
PowerShell command Get-MgUser displaying search results for a specific user

PowerShell Script to force users to change their password

If we want to force a large number of users to change their passwords, we can use a PowerShell script.

  • Create a C:\users.txt file containing the e-mail addresses of the users for whom we wish to force a password change, one per line:
Notepad showing a list of user email addresses from the domain shebangthedolphins.net
  • Run this PowerShell script to force users to change their password:
###########################
# author : shebangthedolphins.net
# version : 1.1
# date : 2024.11
# role : force a list of users stored in a text file to change their Microsoft 365 password
# other : create a C:\users.txt file in which to place users
# updates :
# - 1.0 (2021/03) : First Version
# - 1.1 (2024/11) : Replace obsolete MsolService with Microsoft.Graph

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Connect-MgGraph

$file = "C:\users.txt"

ForEach ($line in (Get-Content -Path $file)) {
    # Strip stray spaces from the address read from the file
    $user = $line.Replace(' ','')
    # Skip empty lines so Update-MgUser is never called without a user
    if (-not $user) { continue }
    Write-Host "Working on $user"
    #Set-MsolUserPassword -UserPrincipalName $user -ForceChangePasswordOnly $true -ForceChangePassword $true
    Update-MgUser -UserId $user -PasswordProfile @{ ForceChangePasswordNextSignIn=$true; ForceChangePasswordNextSignInWithMfa=$false }
}
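
A more defensive variant of the bulk run, as an added example that is not the author's script: it validates each line of C:\users.txt, keeps going when one account fails, reads the flag back, and writes a per-user report for the change record. It assumes Connect-MgGraph has already been run with an account allowed to read and update users; the `$report` path and the address check are assumptions made for this example.

```powershell
# Added example, not the author's script. Assumes Connect-MgGraph has already
# been run and that C:\users.txt holds one address per line, as on the page.
$file   = 'C:\users.txt'
$report = 'C:\password-change-report.csv'   # hypothetical output path

$results = @(foreach ($line in (Get-Content -Path $file)) {
    $upn = $line.Trim()
    if (-not $upn) { continue }              # skip blank lines

    # Reject anything that does not look like a user principal name
    if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        [pscustomobject]@{ User = $upn; Status = 'Skipped'; Detail = 'not a valid address' }
        continue
    }

    try {
        # Confirm the account exists before changing anything
        $user = Get-MgUser -UserId $upn -ErrorAction Stop

        Update-MgUser -UserId $user.Id -ErrorAction Stop -PasswordProfile @{
            ForceChangePasswordNextSignIn        = $true
            ForceChangePasswordNextSignInWithMfa = $false   # same value as on the page
        }

        # Read the flag back so the report shows what the directory returns
        $check = Get-MgUser -UserId $user.Id -Property PasswordProfile -ErrorAction Stop
        [pscustomobject]@{
            User   = $upn
            Status = 'Updated'
            Detail = "ForceChangePasswordNextSignIn=$($check.PasswordProfile.ForceChangePasswordNextSignIn)"
        }
    }
    catch {
        # One bad account must not stop the rest of the list
        [pscustomobject]@{ User = $upn; Status = 'Failed'; Detail = $_.Exception.Message }
    }
})

# Keep the per-user outcome as a record and print a summary by status
$results | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
$results | Group-Object Status | Select-Object Name, Count
```

Review the `Failed` and `Skipped` rows before treating the run as complete: those accounts still have their old password state.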
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
