Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest)

Question

Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest)

JohnSebastian-3934 506

I am attempting to use the powershell cmdlet Set-EntraUserPassword to change the password for an account as part of an offboarding sequence.

The script takes a parameter of the e-mail for the account and can successfully get it from EntraID using

$user = Get-EntraUser | where { $_.UserPrincipalName -eq $em }

My code then performs things like disabling the account, querying all the groups the account belongs to and removing the group membership of this account and finally I want to change the password of the account to a random value.

I believe the password I am generating is valid based on this: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

My code to generate the password and attempt to set it is:

$length=12

$p = -join ((char[] + (char[]) + 0..9 ) | Get-Random -Count $length | % {[char]$_})

$pwd = ConvertTo-SecureString -String $p.ToString() -AsPlainText -Force

Set-EntraUserPassword -ObjectID $em -Password $pwd

When I ran this code it generated a random password of: #3iczO]d\A}y

The code however throws this error and I need to understand why the password is invalid:

Resetting password for account user to #3iczO]d\A}y

Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest)

ErrorCode: Request_BadRequest Date: 2024-10-15T17:57:40 Headers: Cache-Control : no-cache Vary :

Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : aa24798e-43d2-43be-894a-a6b8bdff939d

client-request-id : 51910791-c35d-4c5f-8b87-28518716e804 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West

US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF000483E7"}} x-ms-resource-unit : 1 Date :

Tue, 15 Oct 2024 17:57:40 GM

JohnSebastian-3934 506 Reputation points

2024-10-15T19:41:16.55+00:00
Actually, the random password generation code did not paste in correctly. It is

$p = -join (([char[]]([char]97..[char]126)) + ([char[]]([char]33..[char]95) + 0..9 ) | Get-Random -Count $length | % {[char]$_})

$pwd = ConvertTo-SecureString -String $p.ToString() -AsPlainText -Force

One other vital piece of information, when my script connects to the Entra ID using the Connect-Entra commandlet, I am using a managed identity. I don't see a way to actually specify the -scopes parameter when using a managed identity. It does not work for me.

This is how I am connecting to EntraID:

Connect-Entra -Identity -ClientId $managed_identity -NoWelcome

From the documentation on Connect-Entra cmdlet found here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.entra/connect-entra?view=entra-powershell, it does not look like -Scopes is an option when using -Identity and -ClientId.

I saw a post on Stack Overflow that says you need to have the scope of Directory.AccessAsUser.All in order to change a user account's password. If that is true, how can I adjust the Scope for this Managed Identity so that it has the correct Graph Scope?
Anonymous

2024-10-15T20:39:16.6466667+00:00

Hi @JohnSebastian-3934 , when you set the password, is it a new password each time? Or have you been testing with the same one #3iczO]d\A}y ?
Anonymous

2024-10-15T21:12:48.5833333+00:00
Hi @JohnSebastian-3934 , this issue has come up a few times with other SSPR users. Could you please try the following to see if it narrows down the issue?

Try with a new hard-coded password such as xWwvJ]6NMw+bWH-d or 0eM85N54wFxWwvJ]

Set MinPasswordAge to 0

Disable "password never expires" and "user cannot change password" fields in SSPR

I wouldn't worry about permissions yet, because the error is related to the complexity requirements.

References: https://www.reddit.com/r/AZURE/comments/xs0i9i/enabled_sspr_but_o365_login_not_accepting_any/

https://www.reddit.com/r/AZURE/comments/r10ojk/sspr_complexity_issues/

https://community.spiceworks.com/t/user-passwords-dont-meet-complexity-after-ad-password-policy-change/949028
JohnSebastian-3934 506 Reputation points

2024-10-16T18:10:35.7266667+00:00

This is Azure AD (Entra ID) only . Not a Hybrid environment. If I go to the Entra ID Administration Web Page and then under Protection and Authentication Methods followed followed by Password protection, I see no option for setting the MinPasswordAge nor the Password Expiration.

And under the Password Reset option, I also do not see any ability to do anything except turn it on or turn it off
Anonymous

2024-10-16T23:53:46.77+00:00

Hi @JohnSebastian-3934 , thanks for clarifying. Let me reach out to a couple of contacts. I'll get back to you ASAP
Anonymous

2024-10-17T22:03:19.88+00:00

Hi @JohnSebastian-3934 , there might be a PowerShell syntax issue around the password value.

Try adding -Debug to the end of your Set-EntraUsePassword cmd to inspect the raw graph request being made and ensure the passwordProfile contains the expected password. Please let me know your results.

Best,

James
JohnSebastian-3934 506 Reputation points

2024-10-21T22:21:47.4133333+00:00
Hi JAmes, I added the -Debug switch. This is the output

Set-EntraUserPassword -ObjectID $em -Password $pwd -Debug

DEBUG: ============================ TRANSFORMATIONS ============================

DEBUG: Debug : True

DEBUG: =========================================================================

DEBUG: [CmdletBeginProcessing]: - Update-MgUser begin processing with parameterSet 'UpdateExpanded'.

DEBUG: [Authentication]: - AuthType: 'ManagedIdentity', TokenCredentialType: 'ManagedIdentity', ContextScope: 'Process', AppName: 'AzurePortal Console App'.

DEBUG: [Authentication]: - Scopes: [AuditLog.Read.All, Directory.ReadWrite.All, email, Group.ReadWrite.All, IdentityProvider.ReadWrite.All, openid, profile, User.Invite.All].

Confirm

Are you sure you want to perform this action?

Performing the operation "Update-MgUser_UpdateExpanded" on target "Call remote 'PATCH /users/{user-id}' operation".

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:

PATCH

Absolute Uri:

https://graph.microsoft.com/v1.0/users/johntest%40nwm.doe.gov

Headers:

User-Agent : PowerShell/7.4.5,EntraPowershell/0.17.0,Set-EntraUserPassword

FeatureFlag : 00000043

Cache-Control : no-store, no-cache

Accept-Encoding : gzip

SdkVersion : graph-powershell/2.15.0

client-request-id : cc542caf-32ac-4aba-9e1a-83f8d552ce1

Body:

{

"passwordProfile": {

"password": "H"

}

}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:

BadRequest

Headers:

Cache-Control : no-cache

Vary : Accept-Encoding

Strict-Transport-Security : max-age=31536000

request-id : 440307d9-c9af-4340-a8f6-3312fdd74955

client-request-id : cc542caf-32ac-4aba-9e1a-83f8d552ce18

x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00028DCA"}}

x-ms-resource-unit : 1

Date : Mon, 21 Oct 2024 22:19:41 GM

Body:

{

"error": {

"code": "Request_BadRequest", "message": "The specified password does not comply with password complexity requirements. Please provide a different password.", "innerError": { "date": "2024-10-21T22:19:42", "request-id": "440307d9-c9af-4340-a8f6-3312fdd74955", "client-request-id": "cc542caf-32ac-4aba-9e1a-83f8d552ce18" }

}

}

Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest) ErrorCode: Request_BadRequest Date:

2024-10-21T22:19:42 Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000

request-id : 440307d9-c9af-4340-a8f6-3312fdd74955 client-request-id : cc542caf-32ac-4aba-9e1a-83f8d552ce18 x-ms-ags-diagnostic :

{"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00028DCA"}} x-ms-resource-unit : 1 Date

: Mon, 21 Oct 2024 22:19:41 GM

DEBUG: [CmdletEndProcessing]: - Update-MgUser end processing.

1 answer

Your answer

JohnSebastian-3934 506 Reputation points

2024-10-15T19:41:16.55+00:00

Actually, the random password generation code did not paste in correctly. It is

$p = -join (([char[]]([char]97..[char]126)) + ([char[]]([char]33..[char]95) + 0..9 ) | Get-Random -Count $length | % {[char]$_})

$pwd = ConvertTo-SecureString -String $p.ToString() -AsPlainText -Force

One other vital piece of information, when my script connects to the Entra ID using the Connect-Entra commandlet, I am using a managed identity. I don't see a way to actually specify the -scopes parameter when using a managed identity. It does not work for me.

This is how I am connecting to EntraID:

Connect-Entra -Identity -ClientId $managed_identity -NoWelcome

From the documentation on Connect-Entra cmdlet found here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.entra/connect-entra?view=entra-powershell, it does not look like -Scopes is an option when using -Identity and -ClientId.

I saw a post on Stack Overflow that says you need to have the scope of Directory.AccessAsUser.All in order to change a user account's password. If that is true, how can I adjust the Scope for this Managed Identity so that it has the correct Graph Scope?
Anonymous

2024-10-15T20:39:16.6466667+00:00

Hi @JohnSebastian-3934 , when you set the password, is it a new password each time? Or have you been testing with the same one #3iczO]d\A}y ?
Anonymous

2024-10-15T21:12:48.5833333+00:00

Hi @JohnSebastian-3934 , this issue has come up a few times with other SSPR users. Could you please try the following to see if it narrows down the issue?

Try with a new hard-coded password such as xWwvJ]6NMw+bWH-d or 0eM85N54wFxWwvJ]

Set MinPasswordAge to 0

Disable "password never expires" and "user cannot change password" fields in SSPR

I wouldn't worry about permissions yet, because the error is related to the complexity requirements.

References: https://www.reddit.com/r/AZURE/comments/xs0i9i/enabled_sspr_but_o365_login_not_accepting_any/

https://www.reddit.com/r/AZURE/comments/r10ojk/sspr_complexity_issues/

https://community.spiceworks.com/t/user-passwords-dont-meet-complexity-after-ad-password-policy-change/949028
JohnSebastian-3934 506 Reputation points

2024-10-16T18:10:35.7266667+00:00

This is Azure AD (Entra ID) only . Not a Hybrid environment. If I go to the Entra ID Administration Web Page and then under Protection and Authentication Methods followed followed by Password protection, I see no option for setting the MinPasswordAge nor the Password Expiration.

And under the Password Reset option, I also do not see any ability to do anything except turn it on or turn it off
Anonymous

2024-10-16T23:53:46.77+00:00

Hi @JohnSebastian-3934 , thanks for clarifying. Let me reach out to a couple of contacts. I'll get back to you ASAP
Anonymous

2024-10-17T22:03:19.88+00:00

Hi @JohnSebastian-3934 , there might be a PowerShell syntax issue around the password value.

Try adding -Debug to the end of your Set-EntraUsePassword cmd to inspect the raw graph request being made and ensure the passwordProfile contains the expected password. Please let me know your results.

Best,

James

Answer 1

Syed Mohsin Abbas 5

The error you're encountering is likely due to the password not meeting Microsoft Entra ID’s complexity requirements, which specify that passwords must contain characters from at least three categories: uppercase letters, lowercase letters, digits, and special characters.

To ensure the generated password meets these requirements, update your script to include a mix of characters from all necessary categories. Here’s an optimized version of your password generation code:

then This ensures that the password complies with the complexity requirements by including a mix of uppercase, lowercase, digits, and special characters. Double-check your organization's custom password policies if further complexity is needed.

$length = 12
# Ensure the password includes at least one character from each category
$lowercase = (65..90) | ForEach-Object { [char]$_ }
$uppercase = (97..122) | ForEach-Object { [char]$_ }
$digits = (48..57) | ForEach-Object { [char]$_ }
$specialChars = "!@#$%^&*()-_=+[]{}|;:'\",.<>?/`~" -split ""
# Generate the password
$passwordArray = (
    $lowercase + $uppercase + $digits + $specialChars |
    Get-Random -Count $length
)
$password = -join $passwordArray
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
# Set the password
Set-EntraUserPassword -ObjectID $em -Password $securePassword

JohnSebastian-3934 506 Reputation points

2024-10-16T21:32:15.2766667+00:00

Thanks but I don't think this is the issue. I've simplified the code to generate the password randomly as follows. It generates 12 characters that meet the Entra ID password requirements yet I'm still getting the error from Update-MgUser which apparently is called by Set-EntraUserPassword cmdlet. For example here is the generated password it attempts to update:

Resetting password for account testuser to k!yvGiu^g9)7

Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest)

ErrorCode: Request_BadRequest Date: 2024-10-16T21:29:07 Headers: Cache-Control : no-cache Vary :

Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : 698b0e81-7697-4317-bdbb-91755cce728f

client-request-id : 85afe742-f1dc-4269-8c3c-3c23eb0c4f3f x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West

US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"SJ1PEPF00000BAD"}} x-ms-resource-unit : 1 Date :

Wed, 16 Oct 2024 21:29:06 GM
JohnSebastian-3934 506 Reputation points

2024-10-17T13:43:43.0133333+00:00
Thank you but I don't think this is the actual problem. I've simplified the script a bit to just this. It generates passwords with the correct EntraID complexity rules but I am still receiving the exact same errors when attempting to change the password

$p = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()" $pwarry = $p.ToCharArray() $pw = ($pwarry | Get-Random -Count $length) $pw = -join $pw $pwd = ConvertTo-SecureString -String $pw.ToString() -AsPlainText -Force Set-EntraUserPassword -ObjectID "myemail.domain" -Password $pwd
Syed Mohsin Abbas 5 Reputation points

2024-10-17T15:12:29.39+00:00
JohnSebastian-3934

hi

The error may not be related to password complexity alone. Here are some other factors to consider:

Special Character Restrictions: Even though your password meets complexity requirements, some special characters might be restricted by custom policies. Try limiting special characters to commonly accepted ones like @, #, %, etc. You can update your script like this:
$specialChars = "@#%&*!" -split ""

Password History: If the password is similar to previous ones, it might be rejected. Ensure it is sufficiently different from previous passwords used by the account.

Permission Issue: If using a managed identity, it may lack the required permissions to reset passwords. Ensure your identity has the Directory.AccessAsUser.All scope, which is required for password changes.

Try these adjustments and let me know if the issue persists.
JohnSebastian-3934 506 Reputation points

2024-10-17T15:44:14.4666667+00:00
Thanks, I did see the requirement that Directory.AccessAsUser.All must be assigned to the managed identity that is running the script which is what I am doing.

Unfortunately, there is no way to do this assignment in a portal and it must be done through Powershell (at least the last time I checked on how to do this). The code that I have do to this was taken from some research I did last year. When I attempt this code below, the statement in the line below, I believe it is suppose to return everything for the Graph AIP however examining the resulting $oGraphSpn.AppRoles does not show the role of Directory.AccessAsUser.All in the output so I am having problems granting that permission to my identity.

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$oGraphSpn = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

Here is the full Powershell Script I use to try and grand Directory.AccessAsUser.All scope permission to my managed identity but no permissions are granted:

#Requires -Modules Microsoft.Graph.Applications

$DestinationTenantId = "my_tenantid_here"

$MsiName = "my_managed_identity_name_here"

$oAssignPermissions = @(

"Directory.AccessAsUser.All"

)

$MgRequiredScopes = @(

"Application.Read.All" "AppRoleAssignment.ReadWrite.All" "Directory.ReadWrite.All"

)

$GraphAppId = "00000003-0000-0000-c000-000000000000" # Don't change this.

Connect-MgGraph -TenantId $DestinationTenantId -Scopes $MgRequiredScopes -NoWelcome

$oMsi = Get-MgServicePrincipal -Filter "displayName eq '$MsiName'"

$oGraphSpn = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

$oAppRole = $oGraphSpn.AppRoles | Where-Object {($.Value -in $oAssignPermissions) -and ($.AllowedMemberTypes -contains "Application")}

$oAppRole

foreach($AppRole in $oAppRole)

{

$oAppRoleAssignment = @{

"PrincipalId" = $oMSI.Id "ResourceId" = $oGraphSpn.Id "AppRoleId" = $AppRole.Id

}

New-MgServicePrincipalAppRoleAssignment `

-ServicePrincipalId $oAppRoleAssignment.PrincipalId ` -BodyParameter $oAppRoleAssignment ` -Verbose

}
JohnSebastian-3934 506 Reputation points

2024-10-17T15:57:09.53+00:00

If I perform these commands, the only Values I see returned from Get-MgServicePrincipal cmdlet with Directory in them are show in the image below. I do not see the Directory.AccessAsUser.All permission.

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$oGraphSpn = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

$oAppRole = $oGraphSpn.AppRoles
Syed Mohsin Abbas 5 Reputation points

2024-10-17T17:30:09.2566667+00:00

hi john

It seems the Directory.AccessAsUser.All role is missing in your result. Try the following steps:

Check Role Availability: Ensure Directory.AccessAsUser.All is listed under the Microsoft Graph service principal. If it's not, there could be a permission issue.

Assign Role Manually: If PowerShell doesn't work, you may need to manually assign the role via the Azure portal by updating the App Registration or use Invoke-RestMethod to assign it.

Verify Permissions: Ensure that the required Microsoft Graph permissions (Application.Read.All, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All) are properly granted to your managed identity.

Try these steps and see if the role appears and the permissions get applied.

Share via

Update-MgUser_UpdateExpanded: The specified password does not comply with password complexity requirements. Please provide a different password. Status: 400 (BadRequest)

1 answer

Your answer