👥 Recipe · User & Group Management

Reset a User's Password and Send a Welcome Email with Credentials via Microsoft Graph

Generate a secure temporary password, reset an M365 user account, and deliver credentials to an alternate email address in one workflow

Complexity

Intermediate

Impact

user-onboarding + credential-management + beta-program + helpdesk-automation + admin-account-handling

Context

Why This Matters

Why this recipe matters

Onboarding a new user into Microsoft 365, whether for a beta program, a new hire, or a re-activated account, almost always ends the same way: the admin resets the password, copies it somewhere, and emails the credentials to an external address the user can actually reach (because they can't sign in to their new M365 mailbox yet).

This recipe covers the full loop: generate a strong temporary password, apply it to the user's account, force a password change on next sign-in, and send a formatted welcome email to the user's personal or corporate email. It also documents the gotcha most admins hit on the way: standard password resets often fail for privileged accounts, requiring a fallback via the Authentication Methods API.

When to run it

  • Beta program or pilot user onboarding
  • New-hire provisioning where the user hasn't received their M365 mailbox yet
  • Forgotten-password recovery where the user has no registered MFA methods
  • Helpdesk ticket resolution where credentials must be delivered out-of-band

Expected Outcomes

What you'll have when done

  • ✅ The target user account has a new, strong temporary password
  • ✅ forceChangePasswordNextSignIn is set so the user must rotate the password on first login
  • ✅ A formatted welcome email is delivered to the user's external/alternate address containing their UPN, temporary password, and login URLs
  • ✅ A clean audit trail in the Entra audit log showing who reset the password and when
  • ✅ A reusable procedure for the next onboarding: no more manually typing credentials into emails

Risks & Considerations

โš ๏ธ Warnings and gotchas

  • Privileged accounts behave differently. If the target user holds a directory role (Global Admin, User Admin, Cloud App Admin, etc.), the standard PATCH /users/{id} with a passwordProfile will fail with 403 Insufficient privileges even when you have User.ReadWrite.All. You must use the Authentication Methods API and have UserAuthenticationMethod.ReadWrite.All plus the Privileged Authentication Administrator role.
  • Credentials in plain-text email are risky. Prefer a Temporary Access Pass (TAP) or a password reset link where possible. If you must email a password, ensure the message is sent encrypted (e.g., Microsoft Purview Message Encryption) or use a one-time-view service.
  • Always set forceChangePasswordNextSignIn: true. Never leave a temporary password in place as the user's permanent credential.
  • Password complexity. Generate at least 12 characters with mixed case, digits, and symbols. Avoid ambiguous characters (0/O, 1/l/I).
  • MFA still applies. Resetting the password does not bypass Conditional Access or MFA. If the user has no registered methods, they may be blocked at sign-in; issue a TAP instead.
  • Audit compliance. Every password reset is logged in Entra audit logs; make sure the operation is tied to a ticket or documented business reason.
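
The password rules and the two reset paths from the warnings above, as an added Python example (not code from the original recipe or from Dex). The symbol set, function names and sample users are assumptions; the password method id and the `resetPassword` action come from Microsoft Graph, not from this page. The sketch builds the requests without sending them.

```python
import secrets

# Character classes with the ambiguous 0/O and 1/l/I removed, per the guidance above.
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
LOWER = "abcdefghijkmnopqrstuvwxyz"
DIGITS = "23456789"
SYMBOLS = "!@#$%^&*-_=+?"  # assumed symbol set; adjust to tenant policy
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)

GRAPH = "https://graph.microsoft.com/v1.0"
# Microsoft Graph's fixed id for the password authentication method (not stated on this page).
PASSWORD_METHOD_ID = "28c10230-6103-485e-b985-444c60001490"


def generate_temp_password(length=16):
    """Return a CSPRNG password with at least one character from every class."""
    if length < 12:
        raise ValueError("temporary passwords must be at least 12 characters")
    chars = [secrets.choice(c) for c in CLASSES]  # one guaranteed per class
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide the guaranteed positions
    return "".join(chars)


def build_reset_request(user_id, password, directory_roles):
    """Return (method, url, json_body) for the reset path that fits the target."""
    if directory_roles:
        # Role holder: the standard PATCH returns 403, so use the Authentication
        # Methods API (needs UserAuthenticationMethod.ReadWrite.All).
        url = (f"{GRAPH}/users/{user_id}/authentication/methods/"
               f"{PASSWORD_METHOD_ID}/resetPassword")
        return "POST", url, {"newPassword": password}
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": password}}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


if __name__ == "__main__":
    # Constructed sample users; only body keys are printed, never the password.
    for upn, roles in [("pilot.user@contoso.example", []),
                       ("admin.user@contoso.example", ["User Administrator"])]:
        method, url, body = build_reset_request(upn, generate_temp_password(), roles)
        print(method, url, sorted(body))
```
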

Required Permissions

Permission | Why It's Needed
User.Read.All | Resolve the target user by display name or UPN
User.ReadWrite.All | Reset password via the standard passwordProfile property on the user object
UserAuthenticationMethod.ReadWrite.All | Required fallback path for resetting passwords on privileged/admin accounts via the Authentication Methods API
Mail.Send | Send the welcome email to the user's external address from the signed-in admin's mailbox
Directory.Read.All | Enumerate the target user's directory role memberships to determine whether the privileged reset path is required

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Reset the password for {user} and send a welcome email to their external address {external_email} with the new temporary credentials, login URL, and instructions to change the password on first sign-in. Force password change on next sign-in.

For End Users

How an employee would ask Dex for help

Please reset my Microsoft 365 password and send the new one to my personal email so I can get back in.