How to Force New Azure AD User to Change Password After Login Using PowerShell

Problem

When an administrator adds a new Azure AD user, they must set the initial password. The problem with this is that the administrator then knows the user's actual password until the user changes it on their own, and there is no telling when that will happen.

The better approach is to force the user to change the password immediately after their first login.

In this blog post, we walk you through how to force a new Azure Active Directory user to change their password after login using PowerShell.

Solution

To solve this problem, we use the ForceChangePasswordNextLogin setting when we add the new Azure AD user.

There are two modules that can be used to add an Azure AD user, and each one takes ForceChangePasswordNextLogin in a different way:

  1. Az module
    In this module, we use the New-AzADUser cmdlet.
  2. AzureAD module
    In this module, we use the New-AzureADUser cmdlet.

Using ForceChangePasswordNextLogin parameter in New-AzADUser cmdlet

When we use the New-AzADUser cmdlet, we can pass the ForceChangePasswordNextLogin switch directly, as follows:


New-AzADUser -DisplayName 'Ron Artest' -UserPrincipalName ron.artest@byteinthesky.onmicrosoft.com -MailNickname Ron -Password (Read-Host "Enter Password for User" -AsSecureString) -ForceChangePasswordNextLogin


Using ForceChangePasswordNextLogin attribute in PasswordProfile object

With New-AzureADUser, on the other hand, we must first create a PasswordProfile object and set its ForceChangePasswordNextLogin property to $true, then pass the profile to the cmdlet.


$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# PasswordProfile.Password is a plain String, so the SecureString from Read-Host
# has to be unwrapped; assigning the SecureString object itself would store the
# literal text "System.Security.SecureString" as the user's password
$SecurePassword = Read-Host "Enter Password for User" -AsSecureString
$PasswordProfile.Password = [System.Net.NetworkCredential]::new('', $SecurePassword).Password
$PasswordProfile.ForceChangePasswordNextLogin = $true

New-AzureADUser -DisplayName 'Steve Nash' -UserPrincipalName steve.nash@byteinthesky.onmicrosoft.com -MailNickname Steve -AccountEnabled $true -PasswordProfile $PasswordProfile
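The following function is an added example, not code from the original post. It wraps both approaches above (the Az switch and the AzureAD PasswordProfile object) in one command, and instead of asking the administrator to type a password it generates a random one-time password, so the only secret the administrator ever sees is a throwaway value the user is forced to replace at first sign-in. It assumes you are already signed in with the chosen module (Connect-AzAccount or Connect-AzureAD), that the UPN's domain is verified in the tenant, and that the default Azure AD password complexity policy applies; the function names New-OneTimePassword and New-AzADUserWithForcedChange are my own.

```powershell
# Added example (not from the original post): create a new Azure AD user with a
# random one-time password and ForceChangePasswordNextLogin set, using either
# the Az module or the AzureAD module. Assumes an existing session
# (Connect-AzAccount / Connect-AzureAD). Function names are assumptions.

function New-OneTimePassword {
    param([int]$Length = 20)
    # Mixed-case letters, digits and symbols; ambiguous glyphs (0/O, 1/l/I) are
    # left out so the password is easier to relay to the user.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    # Bytes at or above this limit are rejected to avoid modulo bias
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                $chars.Add($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $candidate = -join $chars
        # Redraw on the rare candidate that misses one of the character classes
        # the default Azure AD complexity policy expects
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '[0-9]' -and $candidate -match '[!@#$%^&*]')
    $rng.Dispose()
    return $candidate
}

function New-AzADUserWithForcedChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$MailNickname,
        [ValidateSet('Az', 'AzureAD')][string]$Module = 'Az'
    )
    $plainPassword = New-OneTimePassword

    if ($Module -eq 'Az') {
        # New-AzADUser takes a SecureString and exposes the flag as a switch
        $securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
        $user = New-AzADUser -DisplayName $DisplayName `
            -UserPrincipalName $UserPrincipalName -MailNickname $MailNickname `
            -Password $securePassword -ForceChangePasswordNextLogin
    }
    else {
        # PasswordProfile.Password is a plain String; assigning a SecureString
        # object would store the literal text "System.Security.SecureString"
        $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
        $passwordProfile.Password = $plainPassword
        $passwordProfile.ForceChangePasswordNextLogin = $true
        $user = New-AzureADUser -DisplayName $DisplayName `
            -UserPrincipalName $UserPrincipalName -MailNickname $MailNickname `
            -AccountEnabled $true -PasswordProfile $passwordProfile
    }

    # Return the user object together with the one-time password so the caller
    # can hand the password to the user out of band
    [pscustomobject]@{
        User              = $user
        TemporaryPassword = $plainPassword
    }
}

# Usage (UPN taken from the post's examples; requires rights to create users):
# $result = New-AzADUserWithForcedChange -DisplayName 'Ron Artest' `
#     -UserPrincipalName 'ron.artest@byteinthesky.onmicrosoft.com' `
#     -MailNickname 'Ron' -Module 'AzureAD'
# $result.TemporaryPassword   # relay out of band; the user must replace it at first sign-in
```

The one-time password is generated from a cryptographic RNG with rejection sampling rather than typed in, so there is no human-chosen value for the administrator to remember, and because ForceChangePasswordNextLogin is set it is only good for the first sign-in. The returned object carries that password in clear text; keep it out of transcripts and logs and pass it to the user through a channel separate from the one that carries the UPN.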


Conclusion

To force a new Azure AD user to change their password after login, we must set ForceChangePasswordNextLogin, either as a parameter of New-AzADUser (Az module) or as a property of the PasswordProfile object passed to New-AzureADUser (AzureAD module), depending on which module we use.