Set Force a user to change password on next logon via Powershell
I have created a script to try and change the user setting 'force password change at next login'. I wish to do this without having to change their password. I have tried both user authentication (using a global admin account) and application authentication (via Client Secret). When I run the script in either authentication context I get access denied when it comes to updating the user. The script was to read in a csv file and do this but I have simplified a script to the following to show the basic concept of the commands I am trying to run and the authentication process. $secureSecret = ConvertTo-SecureString "xxxxxxxxxxxxxxxxx" -AsPlainText -Force $credential = New-Object PSCredential("xxxxxxxxxxxxxxxxxxxxx", $secureSecret) Connect-MgGraph -TenantId "xxxxxxxxxxxxxxxs" -ClientSecretCredential $credential Get-MgUser -UserId "email address removed for privacy reasons" -Property "userPrincipalName,userType,onPremisesSyncEnabled" Update-MgUser -UserId "email address removed for privacy reasons" -PasswordProfile @{ForceChangePasswordNextSignIn = $true} In the application I have created I have assigned the permissions I believe would be required to support this action (I added Directory.ReadWrite.All, just in case) The read user works fine but I get the error below when trying to update Update-MgUser_UpdateExpanded: Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied Date: 2025-10-15T13:36:46 I have tried this is two different 365 tenants but both fail with the same error. The tenant is a cloud only with no synchronisation from on-premise. I have tried many iterations but have reached the dead end point. Is it possible to force a password reset via a PowerShell script and if so what am I doing wrong with my permissions? TIA
Problem restoring deleted user with mggraph
Hello, I have done a few 365 migration and almost everytime there are some user data that has been missed in the migration. Earlier I solved this by restoring the 365 user in the source tenant to another domain using this msol script in powershell: Restore-MsolUser -UserPrincipalName email address removed for privacy reasons -Verbose Restore-MsolUser -UserPrincipalName email address removed for privacy reasons -Verbose -AutoReconcileProxyConflicts Restore-MsolUser -UserPrincipalName email address removed for privacy reasons -Verbose -AutoReconcileProxyConflicts -NewUserPrincipalName email address removed for privacy reasons I know it is not perfect but it worked well and saved a bunch of times. I have now done another migration now and got the same issue so I need to restore the users so we can access the data again and move it. BUT! I realized today that msol service is no more, so I am kinda stuck with figuring this out in mggraph. I have tried for a few hours now and I am not sure if this even possible with mggraph. Whenever I try to build a script using Restore-MgDirectoryDeletedUser/Item which google, copilote etc tells me to use I only get this error: The term 'Restore-MgDirectoryDeletedUser/item' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Or I get that it "works" but that the proxy/domain conflicts: Errors detected while trying to restore the user restoreUserErrors: ErrorValue:<pii><pii>E*****.E*******</pii>@domain.com</pii> ObjectType: ConflictingObjectId:, ErrorType:UserPrincipalName, ErrorId:InvalidDomainErrorValue:<pii>smtp:<pii>ee</pii>@domain.com</pii> ObjectType: ConflictingObjectId:, ErrorType:ProxyAddress, ErrorId:InvalidDomain Status: 400 (BadRequest) ErrorCode: Request_BadRequest Date: 2025-09-08T13:49:36 Since I do not have the first domain in the source tenant anymore I need to restore the user to a different domain. Does anyone have any idea on how I can recreate the msol version to mggraph? I feel like I have tried everything to my knowledge now so hopefully anyone here can give me help or tips. Thanks! /Adam
Entra PIM Role Activation
# Ensure necessary modules are installed $modules = @("DCToolbox", "Microsoft.Entra") foreach ($module in $modules) { if (-not (Get-Module -ListAvailable -Name $module)) { Install-Module -Name $module -Repository PSGallery -Scope CurrentUser -Force -AllowClobber } } # Check if msal.ps package is installed if (-not (Get-Package -Name msal.ps -ErrorAction SilentlyContinue)) { Install-Package msal.ps -Force -Confirm:$false } # Ensure Entra Authentication module is properly imported Remove-Module Microsoft.Entra.Authentication -ErrorAction SilentlyContinue Import-Module Microsoft.Entra.Authentication -Force # Connect to Entra ID with proper authentication Connect-Entra Add-Type -AssemblyName System.Windows.Forms # Create GUI Form $form = New-Object System.Windows.Forms.Form $form.Text = "EntraPIMRole Activation" $form.Size = New-Object System.Drawing.Size(350, 350) # Create Checkboxes $checkboxes = @() $labels = @("Global Administrator", "Teams Administrator", "SharePoint Administrator", "Exchange Administrator", "Billing Administrator") for ($i = 0; $i -lt $labels.Count; $i++) { $checkbox = New-Object System.Windows.Forms.CheckBox $checkbox.Text = $labels[$i] $checkbox.AutoSize = $true $checkbox.Width = 250 $checkbox.Location = New-Object System.Drawing.Point(20, (20 + ($i * 30))) $checkboxes += $checkbox $form.Controls.Add($checkbox) } # Create TextBox $textBox = New-Object System.Windows.Forms.TextBox $textBox.Location = New-Object System.Drawing.Point(20, 180) $textBox.Size = New-Object System.Drawing.Size(300, 20) $form.Controls.Add($textBox) # Create Button $button = New-Object System.Windows.Forms.Button $button.Text = "Run" $button.Location = New-Object System.Drawing.Point(20, 220) $button.Size = New-Object System.Drawing.Size(80, 30) $button.Add_Click({ $selectedOptions = $checkboxes | Where-Object { $_.Checked } | ForEach-Object { $_.Text } $inputText = $textBox.Text # Verify if the required function exists before executing if (Get-Command -Name Enable-DCEntraIDPIMRole -ErrorAction SilentlyContinue) { Enable-DCEntraIDPIMRole -RolesToActivate $selectedOptions -UseMaximumTimeAllowed -Reason $inputText [System.Windows.Forms.MessageBox]::Show("Activated Roles: $($selectedOptions -join ', ')`nReason: $inputText") } else { [System.Windows.Forms.MessageBox]::Show("Error: Enable-DCEntraIDPIMRole function not found. Ensure the correct module is installed.") } }) $form.Controls.Add($button) # Show Form $form.ShowDialog() Im trying to create a script so i can activate PIM with logon to the azure portal. But for some reason i cant get it to work. Can you all please help me out.
Assigning a Manager with PowerShell Graph – Manager Not Found
Hi everyone, We are currently refactoring our PowerShell scripts to align with Microsoft's recommended standards. In our script that creates new users in Azure Active Directory (AAD) via Microsoft Graph, we’re having trouble assigning a manager to a new user. Whether we try using the manager’s object ID or email address, the manager is not found, and the assignment fails. Has anyone encountered this issue before? Is there something we might be doing wrong in how we’re referencing or assigning the manager? Thanks in advance for your help.A little help please with Get-AzADObject
I am trying to write a PowerShell script that will list the users who hold specified Azure roles into a .csv file for security reviews. I'm new to PowerShell and I'm struggling with this for far too long on my own. Here's what I've got: I keep getting the error: Get-AzADObject: The term 'Get-AzADObject' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. I've already used: Get-Module AzureAD Install-Module AzureAD Import-Module AzureAD With no errors on any of those. What am I missing, please?
Ad-Hoc Entra MFA using SMS
Error : Get MFA Client Access TokenDone. Send MFA challenge to the user Done. OTP sent to your phone. Please enter the OTP: Enter the OTP sent via SMS: 696632 Invoke-RestMethod: C:\Git_Repo\MFA_Test\MFATestWIthKyle\sms.ps1:54:28 Line | 54 | … ionResult = Invoke-RestMethod -Uri 'https://strongauthenticationservi … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Service BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; | } #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; } A:link { color: #336699; font-weight: bold; | text-decoration: underline; } A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; } A:active { color: | #336699; font-weight: bold; text-decoration: underline; } .heading1 { background-color: #003366; border-bottom: #336699 6px | solid; color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal;margin: 0em 0em 10px -20px; padding-bottom: | 8px; padding-left: 30px;padding-top: 16px;} pre { font-size:small; background-color: #e5e5cc; padding: 5px; font-family: | Courier New; margin-top: 0px; border: 1px #f0f0e0 solid; white-space: pre-wrap; white-space: -pre-wrap; word-wrap: break-word; | } table { border-collapse: collapse; border-spacing: 0px; font-family: Verdana;} table th { border-right: 2px white solid; | border-bottom: 2px white solid; font-weight: bold; background-color: #cecf9c;} table td { border-right: 2px white solid; | border-bottom: 2px white solid; background-color: #e5e5cc;} Service Endpoint not found. WARNING: Invalid OTP or validation failed. Below line causing the error $mfaValidationResult = Invoke-RestMethod -Uri 'https://strongauthenticationservice.auth.microsoft.com/StrongAuthenticationService.svc/Connector//ValidatePin' -Method POST -Headers $Headers -Body $XML -ContentType 'application/xml'
