rss logo

Microsoft 365: How to force users to change their password

Microsoft 365 Logo

Here we'll look at how to force users to change their Microsoft 365 passwords with PowerShell.

First, I'll describe how to do it step by step from a PowerShell command line for a single account. Finally, I'll show a small script to do it for several accounts that are stored in a text file.

Prerequisites

We'll need the Microsoft.Graph module to connect to Microsoft 365 using PowerShell.

  • Open a PowerShell prompt with administrator rights:
Context menu showing the option to run PowerShell as administrator on Windows.
  • Set Tls to version 1.2 for the current session context:
PS C:\> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  • Install the Microsoft.Graph module:
PS C:\> Install-Module -name Microsoft.Graph

Connect to Microsoft 365

  • Use Connect-MgGraph to open the Microsoft Microsoft 365 sign in window:
PS C:\> Connect-MgGraph
  • Sign in with an adminstrator account:
Microsoft sign-in screen showing an email field pre-filled with an administrator account.
  • Enter password:
Microsoft sign-in screen prompting the user to enter the password for the administrator account.

Reset user password

Force a new password

  • Use this command to set a password for a user:
    • ForceChangePasswordNextSignIn: indicates whether the user must change the password the next time he signs in
PS C:\> Update-MgUser -UserId user@shebangthedolphins.net -PasswordProfile @{ Password = "NewPassw0rd"; ForceChangePasswordNextSignIn=$false; ForceChangePasswordNextSignInWithMfa=$false }

Force the user to change his password the next time he logs in

  • After this command, the password update procedure will run the next time the user logs in (it will be slower to apply with Outlook clients because it uses a caching mechanism):
    • ForceChangePasswordNextSignIn=$true: the user must change their password on the next sign-in
    • forceChangePasswordNextSignInWithMfa=$false: the user doesn't need to perform a multifactor authentication (MFA) before being forced to change their password.
PS C:\> Update-MgUser -UserId user@shebangthedolphins.net -PasswordProfile @{ ForceChangePasswordNextSignIn=$true; ForceChangePasswordNextSignInWithMfa=$false }

Misc

  • If you want to search for a user:
PS C:\> Get-MgUser -ConsistencyLevel eventual -Count userCount -Search '"DisplayName:cartman"' PowerShell command Get-MgUser displaying search results for a specific user

PowerShell Script to force users to change their password

If we want to force a large number of users to change their passwords, we can use a PowerShell script.

  • Create a C:\users.txt containing a list of the e-mail addresses of the users for whom we wish to force a password change:
Notepad showing a list of user email addresses from the domain shebangthedolphins.net
  • Run this PowerShell script to force users to change their password:
########################### # author : shebangthedolphins.net # version : 1.1 # date : 2024.11 # role : force a list of users stored in a text file to change their Microsoft 365 password # other : create a C:\users.txt file in which to place users # updates : # - 1.0 (2021/03) : First Version # - 1.1 (2024/11) : Replace obsolete MsolService with Microsoft.Graph [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Connect-MgGraph $file = "C:\users.txt" ForEach ($line in (Get-Content -Path $file)) { Write-Host "Working on $line.Replace(' ','')" #Set-MsolUserPassword -UserPrincipalName $line.Replace(' ','') -ForceChangePasswordOnly $true -ForceChangePassword $true Update-MgUser -UserId $line.Replace(' ','') -PasswordProfile @{ ForceChangePasswordNextSignIn=$true; ForceChangePasswordNextSignInWithMfa=$false } }