Reset a user's password, represented by a password authentication method object. This can only be done by an administrator with appropriate permissions and can't be performed on a user's own account.
This flow writes the new password to Microsoft Entra ID and pushes it to on-premises Active Directory if configured using password writeback. The admin can either provide a new password or have the system generate one. The user is prompted to change their password on their next sign in.
This reset is a long-running operation and returns a Location header with a link where the caller can periodically check for the status of the reset operation.
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permission type
Least privileged permissions
Higher privileged permissions
Delegated (work or school account)
UserAuthenticationMethod.ReadWrite.All
Not available.
Delegated (personal Microsoft account)
Not supported.
Not supported.
Application
Not supported.
Not supported.
For delegated scenarios, the administrator needs at least the Authentication Administrator or Privileged Authentication AdministratorMicrosoft Entra role.
Admins with User Administrator, Helpdesk Administrator, or Password Administrator roles can also reset passwords for non-admin users and a limited set of admin roles as defined in Who can reset passwords.
HTTP request
POST /users/{id | userPrincipalName}/authentication/methods/{id}/resetPassword
In the request body, provide a JSON object with the following parameters.
Parameter
Type
Description
newPassword
String
The new password. Required for tenants with hybrid password scenarios. If omitted for a cloud-only password, the system returns a system-generated password. This is a unicode string with no other encoding. It's validated against the tenant's banned password system before acceptance, and must adhere to the tenant's cloud and/or on-premises password requirements.
Response
If successful, this method returns a 202 Accepted response code and a passwordResetResponse in the response body. The response body may also include a Location header with a URL to check the status of the reset operation.
If the caller didn't submit a password, a Microsoft-generated password is provided in a JSON object in the response body.
Response headers
Name
Description
Location
URL to call to check the status of the operation. Required.
Retry-after
Duration in seconds. Optional.
Examples
Example 1: User-submitted password
The following example shows how to call this API when the caller submits a password.
POST https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword
Content-type: application/json
{
"newPassword": "Cuyo5459"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Users.Item.Authentication.Methods.Item.ResetPassword;
var requestBody = new ResetPasswordPostRequestBody
{
NewPassword = "Cuyo5459",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].Authentication.Methods["{authenticationMethod-id}"].ResetPassword.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc users authentication methods reset-password post --user-id {user-id} --authentication-method-id {authenticationMethod-id} --body '{\
"newPassword": "Cuyo5459"\
}\
'
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.users.item.authentication.methods.item.resetpassword.ResetPasswordPostRequestBody resetPasswordPostRequestBody = new com.microsoft.graph.users.item.authentication.methods.item.resetpassword.ResetPasswordPostRequestBody();
resetPasswordPostRequestBody.setNewPassword("Cuyo5459");
var result = graphClient.users().byUserId("{user-id}").authentication().methods().byAuthenticationMethodId("{authenticationMethod-id}").resetPassword().post(resetPasswordPostRequestBody);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ResetPasswordPostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ResetPasswordPostRequestBody();
$requestBody->setNewPassword('Cuyo5459');
$result = $graphServiceClient->users()->byUserId('user-id')->authentication()->methods()->byAuthenticationMethodId('authenticationMethod-id')->resetPassword()->post($requestBody)->wait();
POST https://graph.microsoft.com/v1.0/users/6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0/authentication/methods/28c10230-6103-485e-b985-444c60001490/resetPassword
{
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Users.Item.Authentication.Methods.Item.ResetPassword;
var requestBody = new ResetPasswordPostRequestBody
{
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].Authentication.Methods["{authenticationMethod-id}"].ResetPassword.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc users authentication methods reset-password post --user-id {user-id} --authentication-method-id {authenticationMethod-id}
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.users.item.authentication.methods.item.resetpassword.ResetPasswordPostRequestBody resetPasswordPostRequestBody = new com.microsoft.graph.users.item.authentication.methods.item.resetpassword.ResetPasswordPostRequestBody();
var result = graphClient.users().byUserId("{user-id}").authentication().methods().byAuthenticationMethodId("{authenticationMethod-id}").resetPassword().post(resetPasswordPostRequestBody);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ResetPasswordPostRequestBody;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ResetPasswordPostRequestBody();
$result = $graphServiceClient->users()->byUserId('user-id')->authentication()->methods()->byAuthenticationMethodId('authenticationMethod-id')->resetPassword()->post($requestBody)->wait();