
Azure Active Directory Reset Example



Step 1: Ensure you have prerequisites set up for your web server, as per this forum post (Once off process)

Step 2: Add new Password Record configured as follows:


Screen 1: Ensure you configure the below 4 options correctly and enter in the Azure AD password for the account.  If you configure an Expiry Date it will automatically change the password when that date is reached.




Screen 2: Select the appropriate Privileged Account.  This account must have permissions to reset other accounts in Azure AD.  If the user account you are resetting the password for has permissions to perform account resets in Azure AD, then you do not need to set a privileged account on this screen.  See the bottom of this page for a description of the permissions required to reset passwords in Azure AD.


Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs.




Screen 3: Confirm the Validate Password for Active Directory Account validation script is selected





A standard user in Azure AD cannot reset their own account password using the PowerShell module that Passwordstate uses.  If you grant the user one of the following roles in Azure, then they will be able to reset their own password:


1. Helpdesk (Password) administrator

2. User Administrator

3. Global Administrator


Helpdesk administrator is the role with the least privileges, however this will also give the user the ability to reset other Azure user passwords.  If you feel these permissions are too high, then you should use a privileged account that has this Helpdesk Administrator role, and assign it on your Password record (Screen 2 above).  This privileged account will perform the reset of the password on behalf of the user.


To assign the Helpdesk Administrator role in Azure AD, log into the Azure AD portal as an Administrator, select Azure Active Directory -> Roles and administrators, and open the Helpdesk (password) Administrator role. Then click Add Assignment and search for the appropriate user, and save your changes.
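Because every one of the three roles listed above can reset other users' passwords, the least-privilege follow-up to this setup is to review who holds them, including the privileged account you assigned on Screen 2. The script below is an added example and is not part of the original post, the Passwordstate product, or the module it uses; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed and that the signed-in account has directory read rights. Role display names are the current Microsoft Graph names, so the post's "Helpdesk (Password) Administrator" appears here as "Helpdesk Administrator".

```powershell
# Added example: list every principal assigned to the Azure AD roles that are
# able to reset other users' passwords. Read-only; nothing is changed.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

param(
    # The three roles named in the post above; adjust if your tenant uses custom roles.
    [string[]]$ResetCapableRoles = @('Helpdesk Administrator', 'User Administrator', 'Global Administrator')
)

# Read-only scopes: enough to enumerate activated roles and their members.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$report = foreach ($roleName in $ResetCapableRoles) {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant.
    # A role that has never been assigned will not appear at all.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) {
        Write-Verbose "Role '$roleName' has never been activated in this tenant"
        continue
    }

    # Members come back as generic directory objects; user/group/service principal
    # details are in AdditionalProperties.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role        = $roleName
            Type        = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName = $props['displayName']
            Upn         = $props['userPrincipalName']
            Id          = $member.Id
        }
    }
}

# One row per assignment; anything you do not recognise here deserves a second look.
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
```

Run it as `.\Audit-ResetRoles.ps1 -Verbose` (file name is an assumption). The Passwordstate privileged account is expected in the Helpdesk Administrator list; any end-user account that also shows up there, or in the User Administrator or Global Administrator lists, has more than it needs for the self-reset scenario described above and is a candidate for moving to the privileged-account model instead.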





As you can't use MFA-enabled accounts to reset passwords, we are looking for other solutions. The Microsoft documentation states "If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication". Has anyone implemented the password reset and heartbeat functionality based on an AAD service principal, and can you share a few details on this?


Hi Thomas,


We have not come across any customers who've been able to script resets in this manner, as MFA requires some sort of interaction to enter the OTP password. But hopefully another customer reads this and has some insights.


Click Studios
