Self-Service Password Reset (SSPR) allows users to reset their passwords without IT intervention, improving productivity while maintaining security. As an administrator, it's essential to monitor SSPR activity to ensure it's being used effectively and securely.
In this article, we walk through a Graph PowerShell script that retrieves all self-service password reset events and provides a detailed report, including reset time, user account, and status (success or failure).
```powershell
# Connect to Microsoft Graph with appropriate permission
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Retrieve directory audit logs for self-service password resets
$SSPRLogs = Get-MgAuditLogDirectoryAudit -Filter "category eq 'UserManagement' and activityDisplayName eq 'Reset password (self-service)'" -All

# Display relevant headers in PowerShell console
$SSPRLogs | Select-Object `
    @{Name = "Reset Time"; Expression = { $_.ActivityDateTime }},
    @{Name = "Reset User Account"; Expression = { $_.TargetResources[0].UserPrincipalName }},
    @{Name = "Result Status"; Expression = {
        if ($_.Result -eq "success") { "Success" }
        else { "Failure" }
    }} |
    Format-Table -AutoSize
```
Here are some ways to make the script more powerful and tailored:
To only see events from the past 30 days:
```powershell
$Since = (Get-Date).AddDays(-30)
$RecentSSPRLogs = $SSPRLogs | Where-Object { $_.ActivityDateTime -ge $Since }
```
Useful for sharing reports or compliance records:
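```powershell
$SSPRLogs | Select-Object ActivityDateTime, @{Name = "Reset User Account"; Expression = { $_.TargetResources[0].UserPrincipalName }}, Result |
    Export-Csv -Path ".\SSPR_Report.csv" -NoTypeInformation
```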
To analyze success rates:
```powershell
$SSPRLogs | Group-Object Result | Select-Object Name, Count
```
| Error | Cause | Solution |
| --- | --- | --- |
| Connect-MgGraph is not recognized | Microsoft Graph module not installed | Run Install-Module Microsoft.Graph -Scope CurrentUser |
| Insufficient privileges to call this API | Missing or unconsented Graph permissions | Ensure AuditLog.Read.All is granted and admin consent is given |
| TargetResources[0] is null | Some events may not include UPN data | Add null checks or skip such entries with Where-Object filters |
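
Building on the success-rate grouping and the null `TargetResources` case in the table above, this added example (not part of the original script) counts failed resets per user and flags accounts at or above a threshold. The names `Get-SsprFailureSummary` and `New-SampleEvent`, the `-Threshold` default of 3, and the sample events are assumptions constructed for illustration.

```powershell
# Added example. Get-SsprFailureSummary and -Threshold are hypothetical names.
function Get-SsprFailureSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Logs,
        [int] $Threshold = 3   # assumed review cutoff; tune for your tenant
    )
    $Logs | ForEach-Object {
        # Some events carry no target or UPN: label them instead of failing
        $target = $_.TargetResources | Select-Object -First 1
        $upn = if ($target -and $target.UserPrincipalName) { $target.UserPrincipalName } else { '(no UPN in event)' }
        [pscustomobject]@{
            Time   = $_.ActivityDateTime
            User   = $upn
            Failed = ($_.Result -ne 'success')
        }
    } | Group-Object User | ForEach-Object {
        # Keep only the failed attempts for this user
        $failures = @($_.Group | Where-Object Failed)
        [pscustomobject]@{
            User        = $_.Name
            Attempts    = $_.Count
            Failures    = $failures.Count
            LastFailure = ($failures | Sort-Object Time | Select-Object -Last 1).Time
            NeedsReview = ($failures.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample events shaped like Get-MgAuditLogDirectoryAudit output
function New-SampleEvent([string] $Upn, [string] $Result, [int] $HoursAgo) {
    [pscustomobject]@{
        ActivityDateTime = (Get-Date).AddHours(-$HoursAgo)
        Result           = $Result
        # An empty -Upn yields an event with no target resource
        TargetResources  = @(if ($Upn) { [pscustomobject]@{ UserPrincipalName = $Upn } })
    }
}

$sample = @(
    New-SampleEvent 'alex@contoso.example' 'failure' 5
    New-SampleEvent 'alex@contoso.example' 'failure' 4
    New-SampleEvent 'alex@contoso.example' 'failure' 3
    New-SampleEvent 'alex@contoso.example' 'success' 2
    New-SampleEvent 'sam@contoso.example'  'success' 30
    New-SampleEvent ''                     'failure' 1
)

Get-SsprFailureSummary -Logs $sample | Format-Table -AutoSize
```

To run it against live data, pass `$SSPRLogs` from the main script as `-Logs` in place of `$sample`.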
This Graph PowerShell script is a straightforward yet effective way to monitor password reset (self-service) events in your Microsoft 365 tenant. It helps administrators stay informed about user-initiated password resets and adds another layer to your organization’s auditing and security posture. With minor tweaks, it can be adapted for scheduled reporting or dashboard integration.