Disable First Time Login Password Reset Requirement

Question

Disable First Time Login Password Reset Requirement

Harris, David 50

I am setting up a demo environment where users will authenticate via Entra through our custom application. I set up new users within a group and assign a generic password for login. I want to keep this generic login for any users I create BUT the first time a new user attempts to login to the custom app, Entra is forcing a first-time user password reset process.

How can I eliminate this?

Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-05T17:57:15.9866667+00:00

Hello @Harris, David

Thank you for posting your query on Microsoft Q&A.

Based on your concern I have tested this in my environment, and it worked for me.

I used the following command in PowerShell to disable forced password changes

Set-MsolUserPassword -UserPrincipalName ******@domain.com -ForceChangePasswordOnly $false -ForceChangePassword $false

Suppose if you want to disable forcing all users to change their passwords, please use the following command.

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $false -ForceChangePassword $false

When I tried to log into the account again for the first time, it logged in successfully straight away and didn't ask me to reset my password.it just that you need to use the password given after running the command but at least you can note down the password.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

I hope this clarifies things.
Harris, David 50 Reputation points

2025-03-05T18:06:20.2066667+00:00

Thanks for this. However, I believe your solution assumes that there is a locally hosted Active Directory service that the powershell command would adjust. I am using a domain created within Entra in the cloud e.g. @xxxxx.onmicrosoft.com

How can I do this through the Entra admin console for the Entra service and domain?
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-10T08:59:07.68+00:00

Hello David,

Regretfully, this task cannot be completed from a GUI. However, you can accomplish your goal by connecting your PowerShell to Entra ID and then using the commands listed above.
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-11T09:56:02.74+00:00

Hello David,

Just checking in to see if the above response was helpful. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-12T15:18:31.17+00:00

Hello David,

Just checking in to see if the response was helpful. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Accepted answer

0 additional answers

Your answer

Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-05T17:57:15.9866667+00:00

Hello @Harris, David

Thank you for posting your query on Microsoft Q&A.

Based on your concern I have tested this in my environment, and it worked for me.

I used the following command in PowerShell to disable forced password changes

Set-MsolUserPassword -UserPrincipalName ******@domain.com -ForceChangePasswordOnly $false -ForceChangePassword $false

Suppose if you want to disable forcing all users to change their passwords, please use the following command.

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $false -ForceChangePassword $false

When I tried to log into the account again for the first time, it logged in successfully straight away and didn't ask me to reset my password.it just that you need to use the password given after running the command but at least you can note down the password.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

I hope this clarifies things.
Harris, David 50 Reputation points

2025-03-05T18:06:20.2066667+00:00

Thanks for this. However, I believe your solution assumes that there is a locally hosted Active Directory service that the powershell command would adjust. I am using a domain created within Entra in the cloud e.g. @xxxxx.onmicrosoft.com

How can I do this through the Entra admin console for the Entra service and domain?
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-10T08:59:07.68+00:00

Hello David,

Regretfully, this task cannot be completed from a GUI. However, you can accomplish your goal by connecting your PowerShell to Entra ID and then using the commands listed above.
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-11T09:56:02.74+00:00

Hello David,

Just checking in to see if the above response was helpful. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sakshi Devkante 4,395 Reputation points Microsoft External Staff Moderator

2025-03-12T15:18:31.17+00:00

Hello David,

Just checking in to see if the response was helpful. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

SrideviM 5,630 Microsoft External Staff Moderator

Hello Harris, David,

I understand you want users in that group to use a generic password without being forced to reset it the first time they log in.

Since Microsoft Entra ID automatically requires new users to change their password on first login, you’ll need to disable that setting manually.

You can make use of Microsoft Graph PowerShell commands as there's no direct way to do this in Microsoft Entra Admin Center GUI.

Initially, I created 2 new users with generic password and added them in group:

enter image description here

Now, run below Microsoft Graph PowerShell script to skip forced password reset for users present in that group by signing in with Admin account:


#Install-Module Microsoft.Graph -Scope CurrentUser -Force

Connect-MgGraph -Scopes "User-PasswordProfile.ReadWrite.All","GroupMember.Read.All"

$GroupID = "groupId"

$Users = Get-MgGroupMember -GroupId $GroupID | Select-Object -ExpandProperty Id

foreach ($UserId in $Users) {

    $passwordProfile = @{

        ForceChangePasswordNextSignIn = $false

    }

    Update-MgUser -UserId $UserId -PasswordProfile $passwordProfile

}

enter image description here

When I tried signing in with a user from that group, it worked with the assigned password without being prompted to reset it.

Hope this helps!

Please do not forget to click "Accept the answer” and Yes wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-03-11T14:11:49.7866667+00:00

Hello Harris, David,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Harris, David 50 Reputation points

2025-03-11T18:05:01.77+00:00

Hi there: Is this a fair set of commands to 'connect Powershell to Entra'?
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-03-12T01:39:32.3266667+00:00
Hello Harris, David,

Yes, this is a valid set of commands to connect PowerShell to Microsoft Entra. But you need to install Microsoft.Entra module for running Connect-Entra command.

Please below modified script using Microsoft.Entra module to skip forced password reset for users:

Install-Module -Name Microsoft.Entra -Repository PSGallery -Scope CurrentUser -Force -AllowClobber Connect-Entra -Scopes "User-PasswordProfile.ReadWrite.All","GroupMember.Read.All" $GroupID = "groupId" $Users = Get-EntraGroupMember -GroupId $GroupID | Where-Object {$_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user"} foreach ($User in $Users) { $params = @{ UserId = $User.Id PasswordProfile = @{ ForceChangePasswordNextLogin = $false EnforceChangePasswordPolicy = $false } } Set-EntraUser @params }

Refer this MS Article to know more regarding Microsoft.Entra module.
Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-03-13T00:48:00.82+00:00

Hello Harris, David,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Harris, David 50 Reputation points

2025-03-13T14:39:42.4033333+00:00

Hi - I have not had a chance to test, but should be able to today. Thanks
Harris, David 50 Reputation points

2025-03-18T18:27:32.5633333+00:00

Hi - I have attempted run your code and received the following:
Harris, David 50 Reputation points

2025-03-18T18:31:06.9066667+00:00

I also tried running the Entra Connect Synch installer but cannot get past this point. I have not configured any sort of forests for my domain and not sure how to.
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-03-19T00:56:09.7+00:00

Hello Harris, David,

From your error screenshot, I observed that you missed replacing $GroupID parameter value with actual object ID of your Microsoft Entra group.

To resolve the error, make sure to replace $GroupID parameter value with actual object ID of your Microsoft Entra group that can be found here:

There's no need to run the Entra Connect Sync installer, as you mentioned your domain is created within Entra in the cloud (e.g., @xxxxx.onmicrosoft.com). Entra ID (formerly Azure AD) natively manages users and authentication without requiring on-premises synchronization.

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Harris, David 50 Reputation points

2025-03-19T14:28:35.7066667+00:00

In your script, do all references to $GroupID get changed to the object ID? Or just the initial reference? I tried both ways and I seem to get different failures.

My object ID:

This is what I tried first

and I receive this error

SrideviM 5,630 Microsoft External Staff Moderator

Hello Harris, David ,

You need to use like this:

$GroupID = "PasteObjectIdOfGroupHere"

Just paste your group's Object ID inside quotes and run the PowerShell script as the same

Connect-Entra -Scopes "User-PasswordProfile.ReadWrite.All","GroupMember.Read.All"

$GroupID = "PasteObjectIdOfGroupHere"

$Users = Get-EntraGroupMember -GroupId $GroupID | Where-Object {$_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user"}

foreach ($User in $Users) {

    $params = @{

        UserId = $User.Id

        PasswordProfile = @{

            ForceChangePasswordNextLogin = $false

            EnforceChangePasswordPolicy = $false

        }

    }

    Set-EntraUser @params

}

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Harris, David 50 Reputation points

2025-03-19T17:28:51.3933333+00:00

Thank you, that seems to have worked in Powershell, see below. However, I just went through my authentication process within my mobile app and the password change screen still appears.

Can you confirm that the Powershell screen shows a completed script?
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-03-20T01:08:25.0566667+00:00
Hello Harris, David,

After your comment, I rechecked the script and reproduced it again in my environment and got similar results as you.

Please check below modified PowerShell script that uses Set-EntraUserPassword command to disable password reset.

Connect-Entra -Scopes "User-PasswordProfile.ReadWrite.All", "GroupMember.Read.All" $GroupID = "PasteObjectIdOfGroupHere" $Users = Get-EntraGroupMember -GroupId $GroupID foreach ($User in $Users) { $UserDetails = Get-EntraUser -UserId $User.Id -Property "UserPrincipalName" $securePassword = ConvertTo-SecureString "EnterGenericPwd" -AsPlainText -Force Set-EntraUserPassword -UserId $User.Id -Password $securePassword -ForceChangePasswordNextLogin $false -EnforceChangePasswordPolicy $false Write-Host "Password reset disabled for: $($UserDetails.UserPrincipalName) ($($User.Id))" -ForegroundColor Green } Write-Host "Password reset disabled for users in that group." -ForegroundColor Cyan

Response:

This script will print password reset disabled user's User Principal Name and their Object ID in response.

When I tried to sign in with users from that response, I did not get the Password Reset screen which confirms script is correct.

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know so that we can take it offline and resolve it.
Harris, David 50 Reputation points

2025-03-20T14:09:08.7866667+00:00

this final script solved my request. thank you!

Share via

Disable First Time Login Password Reset Requirement

0 additional answers

Your answer