As you may know Microsoft has the successor of the good old Azure AD Powershell Modules (now called v1) in preview: Azure Active Directory V2 Powershell Modules.
In the V1 version of the AAD PowerShell modules you could simply enter a command like this to set the password of an Azure AD user object:
Set-MsolUserPassword -UserPrincipalName <UPN> -NewPassword “P@ssw0rd”
With the new V2 modules you have two options, first:
Set-AzureADUser: used to modify multiple Azure AD user parameters incuding the users password.
Set-AzureADUserPassword: used to only update the users password.
The first command works slightly different then the old MSOL command as it relies on the Azure AD Graph API. This API requires the use of PasswordProfile object type and this object contains the following properties:
|password||Edm.String||RW||The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login.
The password must satisfy minimum requirements as specified by the user’s PasswordPolicies property. By default, a strong password is required.
|forceChangePasswordNextLogin||Edm.Boolean||RW||true if the user must change her password on the next login; otherwise false.|
But how to create a PasswordProfile object in PowerShell and use it for instance Set-AzureADUser?
First of all, you need to load the correct assembly that contains the methods to create a PasswordProfile object, the DLL that contains this method is included in the Azure AD PowerShell Modules V2 and is named Microsoft.Open.Azure.AD.CommonLibrary.dll. The default location of this DLL is C:\Program Files\WindowsPowerShell\Modules\AzureADPreview.
To load this assembly in PowerShell (for version 188.8.131.52) enter the following command:
Then create a PasswordProfile object:
$AADPasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
Now you can set the parameters as described in the table above:
$AADPasswordProfile.ForceChangePasswordNextLogin = “False”
$AADPasswordProfile.Password = “P@ssw0rd”
The last step is to set the users password using the created PasswordProfile object:
Set-AzureADUser -ObjectId <objected> -PasswordProfile $AADPasswordProfile
Successful operations are not reported currently, but when the operation is not successful you should expect an error like this:
Set-AzureADUser : Error occurred while executing SetUser
Message: The specified password does not comply with password complexity requirements. Please provide a different password.
At line:1 char:17
+ Set-AzureADUser -ObjectId objectid -UserPrincipalNam …
+ CategoryInfo : NotSpecified: (:) [Set-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUser
Update december 12th 2016:
Forgot to mention that is, ofcourse, also a direct equivalent set-msoluserpassword, which is set-AzureADUserPassword. This command is specificly used to update the users password only and does not require the creation of a Password Type Object. So if you only want to update the users password you can also fire the following command (please note that the new password needs to be supplied as secure string):
set-AzureADUserPassword -ObjectId <ObjectId> -Password (ConvertTo-SecureString -String P@ssw0rd” -Force –
The text above is adjusted with this information.