
How to Audit Forced Password Changes in M365

When a security breach occurs in your organization, an enforced password change is the first line of defense to safeguard your users' Microsoft accounts. However, forced password changes may sometimes fail, leaving a user compromised. To confirm that the enforcement took effect, it’s crucial to audit these resets for users. In this guide, we'll learn how to effectively audit forced password changes in Microsoft 365.

Native Solution

Microsoft 365 Permission Required: High

  • Least Privilege: View-only Audit Logs Role
  • Most Privilege: Global Admin

Option 1: Using Microsoft Purview Compliance Portal

  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, select Audit.
  • Customize the date and time as desired.
  • Select the following operation from the Activities-friendly names drop-down and click Search.

    Set property that forces user to change password

  • Once the search is complete, you can export the forced password change activity report.

Option 2: Using Windows PowerShell

  • Connect to the Exchange Online PowerShell module using the below cmdlet.

     Connect-ExchangeOnline

  • Run the below cmdlet to audit all forced password changes in Microsoft 365.

     Search-UnifiedAuditLog -StartDate <yyyy-mm-dd> -EndDate <yyyy-mm-dd> -Operations "Set force change user password" -ResultSize 5000 |
         ForEach-Object {
             [PSCustomObject]@{
                 CreationDate   = $_.CreationDate
                 Operations     = $_.Operations
                 "Performed On" = ($_.AuditData | ConvertFrom-Json).ObjectId
                 "Initiated By" = $_.UserIds
             }
         } | Format-Table

AdminDroid Solution
This report and 150+ more reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the Admin Configured a Setting to Force Change User Password report under Audit » Azure AD » Password changes » Reset Forced by Admin.

This report provides a comprehensive audit of forced password changes in Microsoft 365. It details the timestamp, the user for whom the reset was performed, the admin who enforced the change, and the result status, along with additional details.

  • Utilize AdminDroid’s graphical view to quickly identify the user with the most forced password resets, which helps you implement necessary security measures for those accounts, including enabling multi-factor authentication (MFA).

Instantly Retrieve All Forced Password Change Reports in M365!

Generate a quick report of all forced password changes in Microsoft 365 using AdminDroid. Identify users who changed their passwords and those prone to attacks, which reduces potential risks.

Witness the report in action using the

Important Tips

Enable Self-service password reset for critical users while limiting it for others to avoid unnecessary password resets and the use of weak passwords.

Distribute Temporary Access Passes to users facing potential threats and enable them to log into their Microsoft 365 accounts securely without a password.

Use the leaked credential detection report in Microsoft Entra to identify compromised user accounts and take immediate action to secure them.

Azure AD: Secure User Access with Enforced Password Resets in Microsoft 365!


How to force a password reset in Microsoft 365?

If there's evidence of unusual activity on a user account, enforcing a password change is crucial to secure the account and prevent further compromise in Microsoft 365. While this can be done through the Microsoft 365 admin center, you'll need to reset the user's password and then share it securely with them.

However, by using PowerShell you can force users to change their password without resetting the existing password.

Force Password Change for a Microsoft 365 User

Connect to the Microsoft Graph PowerShell module using the below cmdlet.

     Connect-MgGraph -Scopes "User.ReadWrite.All"

Execute the following cmdlets to force a password update for a particular user.

     $PasswordProfile = @{ ForceChangePasswordNextSignIn = $true }
     Update-MgUser -UserId <UPN> -PasswordProfile $PasswordProfile

Pass your desired password profile in $PasswordProfile and replace <UPN> with the "user principal name" of the intended user.

Force Password Change for All Microsoft 365 Users

Run the following PowerShell script to enforce a password reset for all Microsoft 365 users after connecting to the MS Graph PowerShell module.

     $AllUsers = Get-MgUser -All
     # Create the password profile to force password change
     $PasswordProfile = @{ ForceChangePasswordNextSignIn = $true }
     # Loop through each user and update their password profile
     foreach ($user in $AllUsers) {
         $UPN = $user.UserPrincipalName
         Update-MgUser -UserId $UPN -PasswordProfile $PasswordProfile
     }

After forcing password changes, it's essential to check whether the changes were successfully implemented. However, there are no status details available for this in Microsoft 365.

You can capture all forced password changes in M365 with AdminDroid, which ensures comprehensive tracking and management!

By using AdminDroid's Force Change User Password report, you can easily audit when an admin enables the option to force users to change their passwords and identify which users were affected. You can also check the success of the forced password change based on the result status.

  • You can easily mail this report to the respective admins, providing insights into the forced password changes.
  • This functionality ensures admins are informed about affected users and the success of the changes, leading to effective security management.

Handy tip: Use the Schedule (⏰) option to receive automated insights on forced password changes on a daily, weekly, or monthly basis.

How to verify the user changed password after the forced password change in Microsoft 365?

Even after enforcing a forced password change, users might not exit their current session due to cached tokens and may fail to update their password. Therefore, it’s essential to verify whether the user has successfully changed their password.

This verification ensures the new password is set correctly, which keeps the account secure and prevents unauthorized access due to incomplete changes.

For verification, we need the forced password change time and the last password change date and time. However, we cannot directly obtain this information using Microsoft 365's native tools.

By using the 'All Password Changes' report from AdminDroid, you can easily verify the forced password change time and the last password change times in just a few clicks.

  • Set the filter Operation equal to Set property that forces user to change password.
  • Add the Password Last Changed column and verify this with the Event Time. If the user has not changed their password, you can prompt them to do so in a timely manner.
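
The same comparison of forced-change event time against last password change time, scripted by combining the audit records from the Search-UnifiedAuditLog query with each user's LastPasswordChangeDateTime from Microsoft Graph. This is an added example, not code from the original page or from AdminDroid; the function name Get-ForcedChangeCompliance, the sample records and the contoso.example addresses are constructed, and it assumes AuditData.ObjectId holds the target's UPN and that both timestamps are UTC.

```powershell
# Added example. Input shapes mirror Search-UnifiedAuditLog records
# (CreationDate, UserIds, AuditData JSON) and Get-MgUser objects.
# Assumptions: AuditData.ObjectId is the target's UPN; all timestamps are UTC.
function Get-ForcedChangeCompliance {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,
        [Parameter(Mandatory)] [object[]] $Users
    )
    # Index last password change time by UPN (hashtable keys are case-insensitive).
    $lastChange = @{}
    foreach ($u in $Users) { $lastChange[$u.UserPrincipalName] = $u.LastPasswordChangeDateTime }

    $AuditRecords | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Target   = $data.ObjectId
            ForcedAt = [datetime]$_.CreationDate
            ForcedBy = $_.UserIds
            Result   = $data.ResultStatus
        }
    } | Where-Object Target | Group-Object Target | ForEach-Object {
        # Only the most recent force-change event per user matters.
        $latest  = $_.Group | Sort-Object ForcedAt -Descending | Select-Object -First 1
        $changed = $lastChange[$latest.Target]
        [PSCustomObject]@{
            User            = $latest.Target
            ForcedAt        = $latest.ForcedAt
            ForcedBy        = $latest.ForcedBy
            Result          = $latest.Result
            LastChanged     = $changed
            # True only when a password change is recorded after the forced-change event.
            PasswordChanged = ($null -ne $changed) -and ($changed -gt $latest.ForcedAt)
        }
    }
}

# Constructed sample data (not real tenant output).
$audit = @(
    [PSCustomObject]@{ CreationDate = [datetime]'2024-09-24T08:00:00'; UserIds = 'admin@contoso.example'
        AuditData = '{"ObjectId":"alice@contoso.example","ResultStatus":"Success"}' }
    [PSCustomObject]@{ CreationDate = [datetime]'2024-09-24T08:05:00'; UserIds = 'admin@contoso.example'
        AuditData = '{"ObjectId":"bob@contoso.example","ResultStatus":"Success"}' }
)
$users = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example'; LastPasswordChangeDateTime = [datetime]'2024-09-24T09:30:00' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example'; LastPasswordChangeDateTime = [datetime]'2024-06-01T12:00:00' }
)
Get-ForcedChangeCompliance -AuditRecords $audit -Users $users | Format-Table -AutoSize
```

Against a tenant, pass the output of the page's Search-UnifiedAuditLog query as -AuditRecords and the output of `Get-MgUser -All -Property UserPrincipalName,LastPasswordChangeDateTime` as -Users; rows with PasswordChanged set to False are the users who still need to be prompted.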

How to check Password change history in Microsoft 365?

In Microsoft 365, users can change their passwords through Self-service password resets or manual password changes, aside from forced password changes initiated by admins.

Since Microsoft 365 doesn’t offer password change alerts, the only way to detect unusual password reset activity is by regularly auditing the logs.

Auditing password changes helps identify security risks and highlights password-changing patterns, including users who frequently reset their passwords.

Struggling to track password changes? Check out our guide on auditing password changes in Microsoft 365 and discover best practices for strong passwords.

Here's a quick glimpse!

  • Microsoft Purview compliance portal: You’ll find a clear method to locate and filter all password changes using Microsoft Purview.
  • PowerShell script: This section explains how to use the Search-UnifiedAuditLog PowerShell cmdlet to retrieve all password changes, including resets and Self-service password reset (SSPR), for all M365 users.
  • AdminDroid Azure AD reporter: AdminDroid provides a comprehensive overview of the password change history in M365, featuring dedicated reports for users who have never changed their passwords, recently changed passwords, last password change date, password expiration date, and various other password metrics. The graphical representation offers clear insights, which simplifies the management and understanding of password statuses.

Why is auditing forced password changes important in Microsoft 365?

Auditing forced password changes in Microsoft 365 plays a crucial role for the following reasons.

  • Accountability: Auditing provides a clear record of actions, showing exactly who enforced key forced password changes in Microsoft 365 and for which users.
  • Ensuring Successful Password Changes: When enforcing password changes for M365 users during a security breach, auditing is essential to confirm that the reset process is successful for all intended users. This verification ensures that all users comply with the change, to reduce the risk of vulnerabilities.
  • Identifying Potential Risks: By examining audit logs, admins can identify users with the most password resets in M365 and address any underlying issues with those individual users.
  • Incident Investigation: In case of a security incident, having a detailed audit of forced password changes enables a more thorough investigation by providing insights into which accounts were affected and when.
  • Compliance Requirements: Many industries have regulations that require organizations to maintain an audit trail of forced password changes, especially resets. Auditing ensures that companies meet compliance standards like GDPR, HIPAA, etc.

AdminDroid Azure AD Reporter: Defend your Microsoft 365 account with comprehensive auditing of forced password changes!

AdminDroid’s Azure AD auditing tool strengthens your security framework by offering insightful reports on password changes and resets in Microsoft 365.

A Quick Summary

Visualize All Your Password Changes with Engaging Dashboard

Use AdminDroid's Microsoft 365 password dashboard to gain a clear view of user password changes and quickly enhance security with actionable insights.

Track Users with Unchanged Passwords Through AdminDroid

Identify users with unchanged passwords in M365 to eliminate security threats by enforcing a password change for Microsoft 365 accounts.

Comprehensive Audit of All Password Changes

Examine all password changes in a single report to prevent unnecessary changes and analyze the history by exporting the data.

Stay ahead of Your Password Expiration Dates with AdminDroid

Check password expiry dates for M365 users in advance to ensure timely password updates and minimize the risk of disruptions to their accounts.

Be Alerted to Forced Password Changes

With AdminDroid's default alert template, you can easily set alerts to receive instant notifications for forced password resets by admins, which enables quick responses during critical user access emergencies.

Monitor Last Password Change Time to Identify Stale Passwords

By checking the last password change date and time, you can identify how frequently users update their passwords. This reduces the risk of security breaches caused by stale passwords.

In summary, AdminDroid’s Azure AD management tool provides valuable insights into your organization's password change activities and helps strengthen your security measures within Microsoft 365.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps While Auditing Forced Password Changes in Microsoft 365

Below are some potential errors and troubleshooting tips you might encounter when dealing with forced password changes in Microsoft 365.

Error: Cannot Process argument transformation on parameter EndDate . Cannot convert value to type. Microsoft.Exchange.ExchangeSystem.ExDateTime. “String 24/9/2024” was not recognized as a valid Datetime.

This error occurs when the date is entered in an incorrect format, which results in PowerShell being unable to convert the string '24/9/2024' into a valid DateTime object.

Troubleshooting hint: Always use a consistent and recognizable date format, following a standard such as MM/DD/YYYY, to ensure proper interpretation by PowerShell.

Error: Get-MgUser : Authentication needed. Please call Connect-MgGraph.

The error occurs when you try to use the 'Get-MgUser' cmdlet without authenticating and providing the required scope.

Troubleshooting hint: Authenticate with the required scope by running the 'Connect-MgGraph' cmdlet.

     Connect-MgGraph -Scopes 'Domain.Read.All', 'User.ReadWrite.All'

Error: You cannot access controls on this page. If you should have permissions to view and use this page, contact your administrator.

This error occurs when users with insufficient permissions try to access audit logs in the Microsoft Purview portal.

Troubleshooting hint: To resolve the issue, ensure that the user account has the necessary permissions to access the page.