
Update-MgUser command: forceChangePasswordNextSignIn does not work

Edward Smith 0 Reputation points
2026-06-03T13:36:16.8+00:00

Hi there, I've been developing a utility script for my environment and I'm using the following PowerShell code to reset a user's M365 password and force them to change their password at next logon:

$body = @{
    passwordProfile = @{
        password = $PasswordPlain
        forceChangePasswordNextSignIn = $true
    }
}
Update-MgUser -UserId $CloudUser.Id -BodyParameter $body -ErrorAction Stop


I've also used a different syntax which I've forgotten. In both cases the password change works fine and the commands run without error, but M365 apps never prompt the user to change their password. If I perform the same operation using the M365 admin portal, the password changes as expected and also prompts the user to change it.

I'm quite confident that the forceChangePasswordNextSignIn portion of the Update-MgUser command just isn't working properly. If there is a better place to put this bug report please let me know.

Thanks

Microsoft Security | Microsoft Graph

2 answers

  1. Edward Smith 0 Reputation points
    2026-06-03T14:33:49.0733333+00:00

    The issue was that I was writing ForceChangePasswordNextSignIn = $true and Password = $newPassword with a lowercase F and P.


  2. AI answer

    2026-06-03T13:36:29.3366667+00:00

    forceChangePasswordNextSignIn is the correct property to use, but it must be set on the passwordProfile of the user object in Microsoft Entra ID (Azure AD), and the behavior is only enforced by sign-in flows that honor this flag.

    From the documented pattern, the update must look like this at the Graph API level:

    PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
    Content-type: application/json
    
    {
      "passwordProfile": {
        "forceChangePasswordNextSignIn": true
      }
    }
    

    The equivalent PowerShell pattern with the Microsoft Graph PowerShell SDK is:

    $userUPN = "******@contoso.com"
    $newPassword = "<new password>"
    
    Update-MgUser -UserId $userUPN -PasswordProfile @{ 
        ForceChangePasswordNextSignIn = $true
        Password = $newPassword
    }
    

    Key points based on the documented examples:

    1. Use the -PasswordProfile parameter on Update-MgUser rather than a generic -BodyParameter hashtable when working with the SDK.
    2. Ensure the app or account used to call Graph has the required permissions (User.ReadWrite.All or equivalent) and is connected with Connect-Graph -Scopes User.ReadWrite.All.
    3. The flag is stored and enforced in Entra ID; clients that rely on Entra ID for authentication (for example, browser sign-in, modern-auth Office apps) will see the prompt. If a client is using cached tokens or a different auth path, it may not immediately prompt until the token is refreshed.

    To align with the documented working pattern, adjust the script to:

    Update-MgUser -UserId $CloudUser.Id -PasswordProfile @{ 
        ForceChangePasswordNextSignIn = $true
        Password = $PasswordPlain
    }
    

    This matches the supported approach shown in the official guidance for forcing a password change on next sign-in.



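The thread above ends with the fix (PascalCase keys passed through -PasswordProfile) but never verifies that the flag actually landed, which is exactly the silent failure the original poster hit. The following is an added example, not code from the question or either answer: it generates a random temporary password from a CSPRNG, applies it with -PasswordProfile, reads passwordProfile back with $select to confirm forceChangePasswordNextSignIn is now true, and returns the password as a SecureString. The function names (Reset-UserPasswordForceChange, New-RandomPassword) and the 20-character default are this example's own choices. It assumes the Microsoft.Graph.Users module is installed and that the signed-in account, besides the User.ReadWrite.All scope, holds a directory role that may reset other users' passwords (for example Password Administrator or User Administrator); the scope alone does not grant that.

```powershell
# Added example for this thread; not the original poster's script.
# Assumes Microsoft.Graph.Users is installed and the caller holds a password-reset role.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet without easily confused characters (I, O, l, 0, 1). Bytes come from the
    # .NET CSPRNG; rejection sampling keeps the modulo from biasing any character.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Reset-UserPasswordForceChange {
    param(
        # Object ID or UPN of the cloud user
        [Parameter(Mandatory)][string]$UserId
    )
    $newPassword = New-RandomPassword

    # Property names are the PascalCase ones the SDK parameter expects. The thread
    # reports that a -BodyParameter hashtable with lowercase keys ran without error
    # yet never set the flag, so the read-back below is what catches that case.
    $passwordProfile = @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $true
    }
    Update-MgUser -UserId $UserId -PasswordProfile $passwordProfile -ErrorAction Stop

    # passwordProfile is only returned when explicitly selected; the password itself
    # comes back empty, but the force-change flag is readable.
    $check = Get-MgUser -UserId $UserId -Property 'Id', 'UserPrincipalName', 'PasswordProfile' -ErrorAction Stop
    if (-not $check.PasswordProfile.ForceChangePasswordNextSignIn) {
        throw "Password was reset but forceChangePasswordNextSignIn is not set on $($check.UserPrincipalName)."
    }
    Write-Verbose "forceChangePasswordNextSignIn confirmed for $($check.UserPrincipalName)"

    # Return the temporary password as a SecureString so the plain text does not end up
    # in transcripts or history, and drop the plain-text copies from this scope.
    $secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
    Remove-Variable -Name newPassword, passwordProfile
    return $secure
}

# Usage (delegated sign-in; the account must also hold a password-reset role):
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# $tempPassword = Reset-UserPasswordForceChange -UserId 'user@contoso.com' -Verbose
```

The read-back turns the silent failure into a hard error at the point of the script that caused it, which is cheaper than waiting for a user to report that no prompt appeared. As the AI answer notes, the prompt itself only shows once the client obtains a fresh token from Entra ID, so a user with a valid cached session will not see it immediately even when the flag is confirmed set.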
