When a security breach occurs in your organization, an enforced password change is the first line of defense to safeguard your users' Microsoft account. However, forced password changes may sometimes fail, leaving a user compromised. To ensure the enforcement status, it’s crucial to audit these resets for users. In this guide, we'll learn how to effectively audit forced password changes in Microsoft 365.
Windows PowerShell Connect-ExchangeOnline Windows PowerShell Search-UnifiedAuditLog -StartDate <yyyy-mm-dd> -EndDate <yyyy-mm-dd> -Operations "Set force change user password" -ResultSize 5000 | ForEach-Object { [PSCustomObject]@{ CreationDate = $_.CreationDate; Operations = $_.Operations; "Performed On" = ($_.AuditData | ConvertFrom-Json).ObjectId; "Initiated By" = $_.UserIds } } | Format-Table 
AdminDroid’s Azure AD auditing tool strengthens your security framework by offering insightful reports on password changes and resets in Microsoft 365.
Use AdminDroid's Microsoft 365 password dashboard to gain a clear view of user password changes and quickly enhance security with actionable insights.
Identify users with unchanged passwords in M365 to eliminate security threats by enforcing a password change for Microsoft 365 accounts.
Examine all password changes in a single report to prevent unnecessary changes and analyze the history by exporting the data.
Check password expiry dates for M365 users in advance to ensure timely password updates and minimize the risk of disruptions to their accounts.
With AdminDroid's default alert template, you can easily set alerts to receive instant notifications for forced password resets by admins which enable quick responses during critical user access emergencies.
By checking the last password change date and time, you can identify how frequently users update their passwords. This reduces the risk of security breaches caused by stale passwords.
In summary, AdminDroid’s Azure AD management tool provides valuable insights into your organization's password change activities and helps strengthen your security measures within Microsoft 365.
This error occurs when the date is entered in an incorrect format, which results in PowerShell being unable to convert the string '24/9/2024' into a valid DateTime object.
The error occurs when you try to use the 'Get-MgUser' cmdlet without authenticating and providing the required scope.
Connect-MgGraph -Scopes 'Domain.Read.All', 'User.ReadWrite.All'
This error occurs when users with insufficient permissions try to access audit logs in the Microsoft Purview portal.
If there's evidence of unusual activity on a user account, enforcing a password change is crucial to secure the account and prevent further compromise in Microsoft 365. While this can be done through the Microsoft 365 admin center, you'll need to reset the user's password and then share it securely with them.
However, by using PowerShell you can force users to change their password without resetting the existing password.
Connect to the Microsoft Graph PowerShell module using the below cmdlet.
Connect-MgGraph -Scopes "User.ReadWrite.All"Execute the following cmdlet to force password update for the particular user.
$PasswordProfile=@{ForceChangePasswordNextSignIn=$true}
Update-MgUser -UserId <UPN> -PasswordProfile <$PasswordProfile>-Replace your desired password profile in the <$PasswordProfile> and replace <UPN> with the "user principal name" of the intended user.
Run the following PowerShell script to enforce a password reset for all Microsoft 365 users after connecting to the MS Graph PowerShell module.
$AllUsers = Get-MgUser -All
# Create the password profile to force password change
$PasswordProfile = @{ ForceChangePasswordNextSignIn = $true}
# Loop through each user and update their password profile
foreach ($user in $AllUsers) {
$UPN = $user.UserPrincipalName
Update-MgUser -UserId $UPN -PasswordProfile <$PasswordProfile>}After forcing password changes, it's essential to check whether the changes were successfully implemented. However, there are no status details available for this in Microsoft 365.
You can capture all forced password changes in M365 with AdminDroid, which ensures comprehensive tracking and management!
By using AdminDroid's Force Change User Password report, you can easily audit when an admin enables the option to force users to change their passwords and identify which users were affected. You can also check the success of the forced password change based on the result status.
Handy tip: Use the Schedule (⏰) option to receive automated insights on forced password changes on a daily, weekly, or monthly basis.
Even after enforcing a forced password change, users might not exit their current session due to cached tokens and may fail to update their password. Therefore, it’s essential to verify whether the user has successfully changed their password.
This verification ensures the new password is set correctly, to ensure account security and prevent unauthorized access due to incomplete changes.
For verification: we need the forced password change time and the last password change date and time. However, we cannot directly obtain this information using Microsoft 365's native tools.
By using the 'All Password Changes' report from AdminDroid, you can easily verify the forced password change time and the last password change times in just a few clicks.
In Microsoft 365, users can change their passwords through Self-service password resets or manual password changes, aside from forced password changes initiated by admins.
Since Microsoft 365 doesn’t offer password change alerts, the only way to detect unusual password reset activity is by regularly auditing the logs.
Auditing password changes helps identify security risks and highlights users who frequently reset their passwords and password-changing patterns.
Struggling to track password changes? Check out our guide on auditing password changes in Microsoft 365 and discover best practices for strong passwords.
Here's a quick glimpse!
Auditing forced password changes in Microsoft 365 plays a crucial role for the following reasons.
Get AdminDroid Office 365 Reporter Now!