passwordAuthenticationMethod: resetPassword

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Initiate a reset for the password associated with a password authentication method object. This can only be done by an administrator with appropriate permissions and can't be performed on a user's own account.

To reset a user's password in in Azure AD B2C, use the Update user API operation and update the passwordProfile > forceChangePasswordNextSignIn object.

This flow writes the new password to Microsoft Entra ID and pushes it to on-premises Active Directory if configured using password writeback. The admin can either provide a new password or have the system generate one. The user is prompted to change their password on their next sign in.

This reset is a long-running operation and will return a Location header with a link where the caller can periodically check for the status of the reset operation.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) UserAuthenticationMethod.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application Not supported. Not supported.

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.

  • Authentication Administrator
  • Privileged Authentication Administrator

Admins with User Administrator, Helpdesk Administrator, or Password Administrator roles can also reset passwords for non-admin users and a limited set of admin roles as defined in Who can reset passwords.

HTTP request

The ID of the password authentication method, referenced by {passwordMethods-id}, is always 28c10230-6103-485e-b985-444c60001490.

POST /users/{id | userPrincipalName}/authentication/methods/{passwordMethods-id}/resetPassword

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-type application/json. Required.

Request body

In the request body, provide a JSON object with the following parameters.

Parameter Type Description
newPassword String The new password. Required for tenants with hybrid password scenarios. If omitted for a cloud-only password, the system returns a system-generated password. This is a unicode string with no other encoding. It is validated against the tenant's banned password system before acceptance, and must adhere to the tenant's cloud and/or on-premises password requirements.

Response

If the caller provided a password in the request body, this method returns a 202 Accepted response code and no response body. The response might also include a Location header with a URL to check the status of the reset operation.

If the caller used the system-generated password option, this method returns a 202 Accepted response code and a passwordResetResponse object in the response body which contains a Microsoft-generated password. The response might also include a Location header with a URL to check the status of the reset operation.

Response headers

Name Description
Location URL to call to check the status of the operation. Required.
Retry-after Duration in seconds. Optional.

Examples

Example 1: User-submitted password

The following example shows how to call this API when the caller submits a password.

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword
Content-type: application/json

{
    "newPassword": "Cuyo5459"
}

Response

The following example shows the response.

HTTP/1.1 202 Accepted
Content-type: application/json
Location: https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/88e7560c-9ebf-435c-8089-c3998ac1ec51?aadgdc=DUB02P&aadgsu=ssprprod-a

Example 2: System-generated password

The following example shows how to call this API when the caller doesn't submit a password.

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword

{

}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 202 ACCEPTED
Location: https://graph.microsoft.com/beta/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/operations/77bafe36-3ac0-4f89-96e4-a4a5a48da851?aadgdc=DUB02P&aadgsu=ssprprod-a
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.passwordResetResponse",
    "newPassword": "Cuyo5459"
}