Share via

Powershell to reset AAD user password

Eaven HUANG 2,166 Reputation points
2023-05-10T06:00:53.75+00:00

Dear Experts,

Recently, I’m trying to use PowerShell to reset new users' password online.

The expected scenario is that the user will be given a one-time password, then login to office.com set up his MFA, and then he’s asked to change a new password.

 

The step that goes wrong is when the user tries to update his password, it always said “Try again—that's not your current password.” But that’s the password when he set up his MFA in the first place.

This symptom occurs when I’m using PowerShell, if I reset the user’s password via the AAD portal, it seems fine.

 

Any idea? We are using hybrid method by synchronizing our AD objects to the cloud and enabled both Password writeback and SSPR.

I’m attaching my current .ps1 below for your information.

# Import user information from CSV file
$userList = Import-Csv 'D:\OneDrive - GTIIT\IT Dept\PowerShell\Scripts\Case_Study\New_Employee_Action\Academic Member\Academic_Creation\Academic_20230510.csv'

# Loop through each user and set license and password
foreach ($user in $userList) {
    $userPrincipalName = $user.Email
    $NewPassword = $user.NewPassword
    
    # Reset Password
    $NewPassword | ConvertTo-SecureString -AsPlainText -Force
    Set-MsolUserPassword -UserPrincipalName $userPrincipalName -NewPassword $NewPassword -ForceChangePassword $true
    # Set-MsolUserPassword -UserPrincipalName $userPrincipalName -NewPassword $NewPassword -ForceChangePassword $true
    #Set-AzureADUserPassword -ObjectId (Get-AzureADUser -SearchString $userPrincipalName).ObjectId -Password $NewPassword
}
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,620 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,546 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,062 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Prrudram-MSFT 24,916 Reputation points
    2023-05-10T06:17:22.73+00:00

    Hello @Eaven HUANG

    Thank you for reaching out to the Microsoft Q&A platform.

    It sounds like the issue may be related to the fact that you are using Password Writeback and SSPR in a hybrid environment. When you reset a user's password using PowerShell, the password is updated in Azure AD, but it may take some time for the password to be synchronized back to your on-premises Active Directory. This delay could cause the user to receive an error message when they try to change their password, as the password they are entering may not yet be recognized by your on-premises AD.

    To avoid this issue, you can try the following steps:

    1. Wait for a few minutes after resetting the user's password in Azure AD to allow time for the password to be synchronized back to your on-premises AD.
    2. Instruct the user to log out of all devices and wait for a few minutes before attempting to change their password.
    3. If the issue persists, you can try disabling Password Writeback and SSPR temporarily to see if that resolves the issue. If the user can change their password successfully after disabling these features, you may need to investigate further to determine the root cause of the issue.

    Here is an updated version of your PowerShell script that includes a delay after resetting the user's password to allow time for the password to be synchronized back to your on-premises AD:

    # Import user information from CSV file
$userList = Import-Csv 'D:\OneDrive - GTIIT\IT Dept\PowerShell\Scripts\Case_Study\New_Employee_Action\Academic Member\Academic_Creation\Academic_20230510.csv'

# Loop through each user and set license and password
foreach ($user in $userList) {
    $userPrincipalName = $user.Email
    $NewPassword = $user.NewPassword
    
    # Reset Password
    $NewPassword | ConvertTo-SecureString -AsPlainText -Force
    Set-MsolUserPassword -UserPrincipalName $userPrincipalName -NewPassword $NewPassword -ForceChangePassword $true
    
    # Wait for password synchronization
    Start-Sleep -Seconds 60
    
    # Set-MsolUserPassword -UserPrincipalName $userPrincipalName -NewPassword $NewPassword -ForceChangePassword $true
    #Set-AzureADUserPassword -ObjectId (Get-AzureADUser -SearchString $userPrincipal

    If this does answer your question, please accept it as the answer as a token of appreciation.

    0 comments
  2. Eaven HUANG 2,166 Reputation points
    2024-07-16T07:06:05.8466667+00:00

    After one year and seems there is still no solution to use PowerShell to reset users' password and write back to the on-prem AD, any idea to overcome this?

    We can use EntraID webpage to manually reset the password and it works like a charm, but we can't repeat this for thousands of new users, can we:(

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.