๐ฅ Recipe ยท User & Group Management
Reset a User's Password in Entra ID via Microsoft Graph
Issue a secure temporary password and force change at next sign-in for Entra ID users
Complexity
Beginner
Impact
identity + security + helpdesk + user-lifecycle
Context
Why This Matters
Password resets are one of the most common helpdesk tickets. When a user is locked out of their work account, IT needs a fast, auditable way to issue a temporary password and get them back to work โ while preserving security posture.
This recipe covers the end-to-end flow: verifying the user exists, generating a cryptographically secure temporary password, applying the reset via Microsoft Graph, and guiding the user through first sign-in. It also covers the common edge case where the target user holds a privileged role (Global Admin, Privileged Authentication Admin, etc.), in which case the standard passwordProfile PATCH is blocked and you must fall back to the Authentication Methods API.
When to use this recipe
- User reports they cannot sign in and self-service password reset (SSPR) is not configured or not working.
- User's account was compromised and you want to force a credential rotation alongside session revocation.
- Onboarding handoff where a temporary password needs to be communicated out-of-band.
Expected Outcomes
After completing this recipe you will have:
- Verified the target user account exists and is enabled in Entra ID.
- Generated a 14-character cryptographically random temporary password.
- Applied the password reset via Microsoft Graph with
forceChangePasswordNextSignIn = true. - Optionally revoked existing sign-in sessions so the old credentials can't be reused.
- Communicated the temporary password to the user through a secure out-of-band channel.
- An audit trail in the Entra ID sign-in and audit logs.
Risks & Considerations
Security considerations
- Never send the temp password over email to the same account you just reset โ the user can't read it. Use SMS, a secondary personal email on file, or a manager handoff.
- Verify identity before resetting. Social engineering attacks frequently target the helpdesk. Confirm the requester via a second factor (Teams video call, manager approval, ID check).
- Privileged accounts are protected. If the target holds an admin role, a plain
PATCH /users/{id}with apasswordProfilewill return403 Forbiddenunless the caller holds Privileged Authentication Administrator. Use the Authentication Methods API (/authentication/passwordMethods/{id}/resetPassword) instead. - Hybrid-joined users: if the account is synced from on-prem AD, you must reset the password in on-prem AD โ the Graph call will fail with
Unable to update the specified properties for on-premises mastered Directory Sync objects. - Always force change at next sign-in so the admin-chosen password never persists as the user's working credential.
- Revoke sessions (
POST /users/{id}/revokeSignInSessions) if you suspect compromise โ otherwise existing refresh tokens remain valid.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| User.ReadWrite.All | Required to patch the passwordProfile on standard user accounts |
| UserAuthenticationMethod.ReadWrite.All | Required to reset credentials on users holding an admin role via the Authentication Methods API |
| Directory.AccessAsUser.All | Required when acting on behalf of a signed-in admin for privileged operations |
| Privileged Authentication Administrator role | Directory role required to reset passwords for users who hold admin roles |
The fastest way to get this done โ just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin
For End Users
How an employee would ask Dex for help