
How to Reset a User Password in Microsoft Entra

Resetting user passwords is one of the most common administrative tasks in Microsoft Entra ID (formerly Azure Active Directory). Whether a user forgets their password, gets locked out of their account, or experiences suspicious sign-in activity, administrators must quickly and securely reset credentials to restore access.

Microsoft Entra provides multiple ways to reset passwords, including the Entra admin center and Microsoft Graph PowerShell. While the Entra portal is suitable for occasional password resets, Graph PowerShell enables bulk password management, automation, and integration with enterprise workflows.

In this guide, you’ll learn how to:

  • Reset user passwords in Microsoft Entra admin center
  • Reset passwords using Graph PowerShell
  • Force users to change passwords at next sign-in
  • Bulk reset passwords for multiple users
  • Reset passwords for hybrid synced users
  • Troubleshoot common password reset errors
  • Audit password reset activity

Required Roles to Reset User Passwords in Microsoft Entra

Before resetting passwords, administrators must have appropriate Microsoft Entra roles assigned.

| Role | Can Reset Passwords For |
| --- | --- |
| Helpdesk Administrator | Non-admin users |
| Password Administrator | Most users and limited admins |
| User Administrator | Users, groups, and some admin accounts |
| Global Administrator | All users and administrators |
| Privileged Authentication Administrator | All users including privileged admins |

Important: Lower privileged admins cannot reset passwords for Global Administrators or other high-privilege roles.

Reset User Password Using Microsoft Entra Admin Center

Follow these steps to reset a user password.

  1. Go to the Microsoft Entra Admin Center: https://entra.microsoft.com
  2. Navigate to: Microsoft Entra ID → Users
  3. Select the user whose password needs to be reset
  4. Click Reset password (the user gets assigned a temporary password that must be changed on the next sign in). You can provide the temporary password to the user in a secure manner so that they can sign in.

Reset Password Using Microsoft Graph PowerShell

Microsoft Graph PowerShell provides a faster and more scalable way to manage password resets.

Connect to Microsoft Graph

Connect-MgGraph -Scopes User.ReadWrite.All

Reset a Single User Password

$params = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $true
        password = "Temp@12345"
    }
}

Update-MgUser -UserId "user@contoso.com" -BodyParameter $params

This command resets the user’s password and forces a change at next sign-in.

What This Script Does

  • Resets the user password
  • Forces password change at next sign-in
  • Updates the user account using Microsoft Graph

Bulk Reset Multiple User Passwords Using Graph PowerShell

For large environments, administrators often need to reset passwords in bulk.

CSV Format

UserPrincipalName
user1@contoso.com
user2@contoso.com
user3@contoso.com

Bulk Password Reset Script


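# Load the accounts to reset; the CSV needs a UserPrincipalName column
$Users = Import-Csv "C:\Temp\Users.csv"

foreach ($User in $Users) {

    # Note: this sets the same temporary password on every account in the CSV
    $params = @{
        passwordProfile = @{
            forceChangePasswordNextSignIn = $true
            password = "Temp@12345"
        }
    }

    # Apply the new password profile to the current user
    Update-MgUser -UserId $User.UserPrincipalName -BodyParameter $params

    Write-Host "Password reset for $($User.UserPrincipalName)"
}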
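
An added example, not part of the original article: the bulk script above assigns the same temporary password to every account, so one leaked value exposes all of them until each user signs in. This variant generates a separate random temporary password per user; New-TempPassword and the result column names are hypothetical, and it assumes Connect-MgGraph has already been run.

```powershell
# Added example. New-TempPassword is a hypothetical helper, not a Graph cmdlet.
function New-TempPassword {
    param([ValidateRange(12, 64)][int]$Length = 16)
    # Character classes with look-alike characters (I, O, l, 0, 1) left out.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%*-_+='
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$Alphabet)
        # Rejection sampling: drop bytes that would bias the modulo.
        $limit = 256 - (256 % $Alphabet.Length)
        $b = New-Object byte[] 1
        do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
        $Alphabet[$b[0] % $Alphabet.Length]
    }
    try {
        # One character from each class so complexity rules are met, then fill.
        $out  = @(foreach ($s in $sets) { & $pick $s })
        $out += 1..($Length - $sets.Count) | ForEach-Object { & $pick $all }
        # Shuffle with random sort keys so the guaranteed characters move around.
        $key = New-Object byte[] 4
        -join ($out | Sort-Object { $rng.GetBytes($key); [BitConverter]::ToUInt32($key, 0) })
    } finally { $rng.Dispose() }
}

$results = foreach ($User in Import-Csv 'C:\Temp\Users.csv') {
    $temp   = New-TempPassword
    $params = @{
        passwordProfile = @{
            forceChangePasswordNextSignIn = $true
            password = $temp
        }
    }
    try {
        Update-MgUser -UserId $User.UserPrincipalName -BodyParameter $params -ErrorAction Stop
        [pscustomobject]@{ User = $User.UserPrincipalName; TempPassword = $temp; Status = 'Reset' }
    } catch {
        # Keep going on failure and record why, without storing an unused password.
        [pscustomobject]@{ User = $User.UserPrincipalName; TempPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Print status only; deliver each TempPassword to its user over a secure channel.
$results | Select-Object User, Status
```

The passwords stay in $results rather than on the console or in a transcript, which keeps them out of logs until they are handed over.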

Reset Passwords for Hybrid Synced Users

Organizations using hybrid identity environments should understand how password reset works for synced accounts.

If your users are synchronized from on-premises Active Directory using Microsoft Entra Connect:

  • Password resets may fail unless Password Writeback is enabled
  • Changes made in Entra ID must sync back to on-prem AD
  • Hybrid password management requires Entra Connect configuration

Enable Password Writeback

  1. Open Microsoft Entra Connect
  2. Select Customize synchronization options
  3. Enable: Password writeback
  4. Complete the configuration wizard

Without password writeback, cloud password resets for synced users may not work correctly.

Force Users to Change Password at Next Sign-In

Administrators often need users to create a new password after a reset.

This is controlled through:

forceChangePasswordNextSignIn = $true

Benefits include:

  • Improved security
  • Temporary password expiration
  • Reduced unauthorized access risk

Common Errors While Resetting User Passwords

| Error | Cause | Solution |
| --- | --- | --- |
| Insufficient privileges to complete the operation | Missing admin role | Assign Password Administrator or higher role |
| Password does not meet complexity requirements | Weak password | Use strong password with uppercase, lowercase, numbers, and symbols |
| Resource not found | Incorrect UPN | Verify UserPrincipalName |
| Unable to reset synced user password | Password writeback disabled | Enable Entra Connect password writeback |
| Access denied | Missing Graph permissions | Reconnect using User.ReadWrite.All scope |

Security Best Practices for Password Resets

To improve security during password resets:

  • Always require password change at next sign-in
  • Enforce MFA for all administrator accounts
  • Use Conditional Access policies
  • Avoid sharing passwords through insecure channels
  • Monitor suspicious password reset activity
  • Use temporary passwords only
  • Enable Self-Service Password Reset (SSPR)

How to Audit Password Reset Activity

Password reset operations can be tracked using Microsoft Entra audit logs.

Administrators can monitor:

  • Who reset the password
  • When the reset occurred
  • Whether the reset was self-service or admin-initiated
  • IP address and sign-in activity

You can also automate audit log retrieval using Microsoft Graph PowerShell: Track Microsoft 365 User Password Self Service Actions
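
An added example, not from the original article, of turning audit records into the fields listed above and flagging an administrator who resets several accounts in a short window. The sample records are constructed, the function names and the 3-resets-in-10-minutes threshold are assumptions, and the activity names should be confirmed against your own tenant's log.

```powershell
# Added example. With a tenant connection the records would come from:
#   Connect-MgGraph -Scopes AuditLog.Read.All
#   $records = Get-MgAuditLogDirectoryAudit -All | Where-Object ActivityDisplayName -match 'password'
# The records below are constructed samples shaped like that cmdlet's output.
function New-SampleRecord($When, $Activity, $By, $Ip, $Target) {
    [pscustomobject]@{
        ActivityDateTime    = [datetime]$When
        ActivityDisplayName = $Activity
        InitiatedBy         = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = $By; IPAddress = $Ip } }
        TargetResources     = @([pscustomobject]@{ UserPrincipalName = $Target })
    }
}
$records = @(
    New-SampleRecord '2025-01-10T09:00:00' 'Reset user password' 'helpdesk1@contoso.com' '203.0.113.10' 'user1@contoso.com'
    New-SampleRecord '2025-01-10T09:02:00' 'Reset user password' 'helpdesk1@contoso.com' '203.0.113.10' 'user2@contoso.com'
    New-SampleRecord '2025-01-10T09:05:00' 'Reset user password' 'helpdesk1@contoso.com' '203.0.113.10' 'user3@contoso.com'
    New-SampleRecord '2025-01-10T11:00:00' 'Reset user password' 'helpdesk2@contoso.com' '198.51.100.7' 'user4@contoso.com'
    New-SampleRecord '2025-01-10T12:30:00' 'Reset password (self-service)' 'user5@contoso.com' '192.0.2.44' 'user5@contoso.com'
)
function ConvertTo-ResetRow {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        [pscustomobject]@{
            When      = $Record.ActivityDateTime
            Kind      = if ($Record.ActivityDisplayName -like '*self-service*') { 'SelfService' } else { 'Admin' }
            Initiator = $Record.InitiatedBy.User.UserPrincipalName
            IP        = $Record.InitiatedBy.User.IPAddress
            Target    = $Record.TargetResources[0].UserPrincipalName
        }
    }
}
function Find-ResetBurst {
    param($Rows, [int]$Threshold = 3, [int]$WindowMinutes = 10)
    foreach ($g in $Rows | Where-Object Kind -eq 'Admin' | Group-Object Initiator) {
        $t = @($g.Group | Sort-Object When)
        for ($i = 0; $i -le $t.Count - $Threshold; $i++) {
            # Flag when $Threshold consecutive resets fit inside the window.
            if (($t[$i + $Threshold - 1].When - $t[$i].When).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Initiator = $g.Name; Resets = $t.Count; FirstSeen = $t[$i].When
                    IPs       = ($g.Group.IP | Sort-Object -Unique) -join ', '
                    Targets   = ($g.Group.Target | Sort-Object -Unique) -join ', '
                }
                break
            }
        }
    }
}
$rows = $records | ConvertTo-ResetRow
$rows | Format-Table When, Kind, Initiator, IP, Target
Find-ResetBurst -Rows $rows   # flags helpdesk1@contoso.com in the sample data
```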

Entra Admin Center vs Graph PowerShell Password Reset

| Feature | Entra Admin Center | Graph PowerShell |
| --- | --- | --- |
| Single user reset | Yes | Yes |
| Bulk password reset | Yes (but not usually preferred) | Yes (suits automation) |
| Automation support | Limited | Excellent |
| Scheduled operations | No | Yes |
| CSV integration | Yes | Yes |
| Large-scale management | Moderate | Excellent |

Real-World Admin Scenario

A helpdesk administrator receives multiple password reset requests after users fail MFA sign-ins while working remotely. Instead of manually resetting each account through the Entra portal, the administrator uses Graph PowerShell to bulk reset passwords, enforce password changes at next sign-in, and verify the activity through Entra audit logs.

This approach significantly reduces administrative effort while improving response time and security.

Frequently Asked Questions (FAQs)

  1. Can users reset their own passwords in Microsoft Entra?
    Yes. Organizations can enable Self-Service Password Reset (SSPR) so users can securely reset their passwords without administrator involvement.
  2. Can I reset passwords for multiple users at once?
    Yes. Microsoft Graph PowerShell supports bulk password resets using CSV input and automation scripts.
  3. What happens after resetting a password?
    The user receives a temporary password and can sign in again. If configured, they must create a new password during the next login.
  4. Can I reset passwords for synced users?
    Yes, but Password Writeback must be enabled in Microsoft Entra Connect for hybrid synchronized accounts.
  5. Which Graph PowerShell permission is required?
    The following permission is commonly required: User.ReadWrite.All

Conclusion

Password management remains a critical part of Microsoft Entra administration. While the Entra admin center provides a simple way to reset individual passwords, Microsoft Graph PowerShell offers greater flexibility, automation, and scalability for enterprise environments.

By combining secure password reset practices, bulk automation capabilities, audit logging, and hybrid identity support, administrators can improve operational efficiency while maintaining strong security controls across Microsoft 365 environments.