How to Force M365 Users to Change Their Password without Updating Existing Password in Microsoft 365
This article explores scenarios for forcing password changes without updating the existing password in Microsoft 365 considering a single user as well as for multiple users. The Graph PowerShell SDK, and the Graph API are used in the examples for explaining the methodologies.
In some cases, you may need a Microsoft 365 user to change their password without resetting it first. This situation can occur when a Microsoft 365 administrator updates the default password policy, where the user’s passwords haven't been updated to meet the new requirements.
In the below example you can see how to use the Microsoft Graph API to force any M365 users to change their password.
Step-1:
1. First we need to install the Microsoft Graph PowerShell SDK module, for which we need to open PowerShell with administrative privileges and paste the following command:
Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser
Step-2:
2. To modify the user's password profile, specific permissions must be granted to the Microsoft Graph Command Line Tools application. In this case, it's necessary to connect the Graph PowerShell with the following scopes.
Connect-MgGraph -Scopes User.ReadWrite.All,Directory.AccessAsUser.All
Step-3:
a.Situation 1: (For a single user)
3. For a single M365 user to force change their password, you can use the below cmdlet with the -PasswordProfile parameter. For example:
$PasswordProfile = @{
ForceChangePasswordNextSignIn = $true
}
Update-MgUser -userid samm@serviceitindia.onmicrosoft.com -PasswordProfile $PasswordProfile
As you can see in the below screenshot, user needs to update the M365 account password
b. Situation 2: (For multiple users)
In this situation, such as for compliance or in response to a critical incident, it may be necessary for all users to update their passwords immediately. To enforce a password change for all users using PowerShell, first you should gather the users into an array and then loop through each user to implement the new password settings.
$users = Get-MgUser -All
$PasswordProfile = @{
ForceChangePasswordNextSignIn = $true
}
Foreach ($user in $users) {
Update-MgUser -UserId $user -PasswordProfile $PasswordProfile
}
Generally, it's advisable not to run the above script on all users in your tenant. Instead, it would be more effective to apply the password profile to a selected group of users from a CSV file, ensuring that your administrative accounts are excluded
The below PowerShell script pulls the list of users from a CSV file, then loops through each user to apply the new password profile.
$passwordProfile = @{
ForceChangePasswordNextSignIn = $true
}
$users = Import-Csv "D:\passwordchange.csv"
$users | ForEach-Object {
Write-Host "Updating $($_.UserPrincipalName)..." -ForegroundColor Yellow
Update-MgUser -UserId $_.UserPrincipalName -PasswordProfile $passwordProfile
}
