Hello @JYLVEN TARRAJA
Thanks for using the Q&A forum.
This can be done with a script that automatically resets passwords for user accounts in an Active Directory environment after a specified time period. This often involves using PowerShell cmdlets to interact with Active Directory and scheduling the script's execution.
- Microsoft Graph API: Utilize the Microsoft Graph API to retrieve user information and password information from Microsoft Entra ID. This allows programmatic access to user accounts.
- PowerShell cmdlets: Employ PowerShell cmdlets for interacting with Active Directory (AD) to reset the password of the corresponding on-premises AD account. This requires a connection to your on-premises AD environment.
- Scheduled Task: Create a scheduled task in Windows to run the PowerShell script automatically every 14 days. This ensures the password reset happens regularly.
Step 1: Connect to Microsoft Graph and Active Directory
This step establishes connections to both Microsoft Entra ID (using Microsoft Graph) and your on-premises Active Directory. You'll need appropriate application registrations and credentials for both.
# Connect to Microsoft Graph (-Scopes takes a string array; delegated scopes need an interactive sign-in)
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All" # Adjust scopes as needed
# Load the Active Directory module. There is no separate "connect" cmdlet for AD: the AD cmdlets run
# as the current user, or take -Credential on each call when a different account is required.
$cred = Get-Credential
Import-Module ActiveDirectory
Step 2: Retrieve Users from Microsoft Entra ID
This step retrieves a list of users from Microsoft Entra ID. You might need to filter this based on specific criteria (e.g., last password change date). This example retrieves all users. Adapt the filter to target only the users you want to manage.
# lastPasswordChangeDateTime is not returned by default, so request it; -All pages past the first 100 results
$users = Get-MgUser -All -Filter "accountEnabled eq true" -Property userPrincipalName, lastPasswordChangeDateTime # Filter as needed
Step 3: Check Password Last Changed Date and Reset if Necessary
This step iterates through the retrieved users, checks the passwordProfile.passwordLastChangedDateTime property (from Microsoft Graph), and resets the password in Active Directory if it's older than 14 days. Replace "yourADDomain" with your actual domain.
foreach ($user in $users) {
    # Get-MgUser exposes the last change as the top-level LastPasswordChangeDateTime property
    $lastChanged = $user.LastPasswordChangeDateTime
    if (-not $lastChanged) {
        Write-Warning "No lastPasswordChangeDateTime for $($user.UserPrincipalName); skipping"
        continue
    }
    $daysSinceChange = New-TimeSpan -Start $lastChanged -End (Get-Date)
    if ($daysSinceChange.Days -ge 14) {
        try {
            # Find the corresponding AD user
            $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($user.UserPrincipalName)'" -Credential $cred
            if ($adUser) {
                # Reset the password in AD. Replace "NewPassword123!" with a more robust password generation method.
                # -NewPassword requires a SecureString; -Reset performs an administrative reset (no old password needed).
                $newPassword = ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force
                Set-ADAccountPassword -Identity $adUser -Reset -NewPassword $newPassword -Credential $cred
                Write-Host "Password for $($user.UserPrincipalName) reset successfully."
            } else {
                Write-Warning "AD user not found for $($user.UserPrincipalName)"
            }
        }
        catch {
            Write-Error "Error resetting password for $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
}
Step 4: Schedule the Script
Create a scheduled task in Windows Task Scheduler to run this script every 14 days. Configure the trigger to run daily and add a condition to check the day of the week or month to ensure it runs only every 14 days.
If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.
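An end-to-end version of the four steps above, added here as an example and not taken from the answer. It authenticates to Graph app-only with a certificate (a scheduled task has no signed-in user to grant delegated scopes), requests the top-level lastPasswordChangeDateTime property explicitly (it is not in Get-MgUser's default selection), generates each new password from the CSPRNG as a SecureString instead of a fixed string, and registers the task with a 14-day interval directly. The tenant ID, client ID, certificate thumbprint, OU, service account, task name and use of PowerShell 7 (pwsh.exe) are all assumptions to replace for your environment.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, ActiveDirectory
# Added example, not code from the original answer. All IDs, the OU and the
# service account below are placeholders; replace them for your environment.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ClientId       = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$CertThumbprint = 'REPLACE-WITH-CERT-THUMBPRINT',          # placeholder
    [string]$SearchBase     = 'OU=Managed,DC=corp,DC=example',         # hypothetical OU
    [int]$MaxPasswordAgeDays = 14,
    [int]$PasswordLength = 24,
    [switch]$RegisterTaskOnly
)

$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Unbiased integer in [0, $Max) from the CSPRNG (rejection sampling, no modulo bias).
    param([int]$Max)
    $buf   = [byte[]]::new(4)
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:Rng.GetBytes($buf)
        $v = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % $Max)
}

function New-RandomPassword {
    # SecureString with at least one character of each class (passes the default AD
    # complexity policy); ambiguous glyphs such as 0/O and 1/l are left out.
    param([int]$Length = 24)
    $classes = @([char[]]'abcdefghijkmnpqrstuvwxyz', [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
                 [char[]]'23456789', [char[]]'!@#$%^&*()-_=+[]{}:,.?')
    $pool = [char[]]($classes | ForEach-Object { $_ })
    [char[]]$chars = foreach ($c in $classes) { $c[(Get-RandomIndex -Max $c.Length)] }
    while ($chars.Count -lt $Length) { $chars += $pool[(Get-RandomIndex -Max $pool.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates shuffle
        $j = Get-RandomIndex -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return (ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force)
}

function Connect-Services {
    # App-only (certificate) auth: the app registration holds User.Read.All as an
    # application permission, so no interactive consent is needed under the task.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumbprint -NoWelcome
    Import-Module ActiveDirectory   # AD cmdlets run as the task account; there is no connect cmdlet
}

function Get-StaleSyncedUsers {
    param([datetime]$Cutoff)
    # lastPasswordChangeDateTime is not in the default selection, so request it explicitly;
    # -All follows paging past the first 100 users.
    Get-MgUser -All -Filter 'accountEnabled eq true and onPremisesSyncEnabled eq true' `
        -Property id, userPrincipalName, lastPasswordChangeDateTime, onPremisesSamAccountName |
        Where-Object { $_.LastPasswordChangeDateTime -and $_.LastPasswordChangeDateTime -le $Cutoff }
}

function Invoke-Rotation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxPasswordAgeDays)
    foreach ($u in Get-StaleSyncedUsers -Cutoff $cutoff) {
        $sam = $u.OnPremisesSamAccountName
        # Script-block filter: no string interpolation of directory data into the LDAP filter.
        $adUser = Get-ADUser -Filter { SamAccountName -eq $sam } -SearchBase $SearchBase
        if (-not $adUser) { Write-Warning "No AD account for $($u.UserPrincipalName) under $SearchBase"; continue }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Reset AD password (last change $($u.LastPasswordChangeDateTime))")) {
            try {
                # -Reset is an administrative reset (no old password); -NewPassword must be a SecureString.
                Set-ADAccountPassword -Identity $adUser -Reset -NewPassword (New-RandomPassword -Length $PasswordLength)
                Write-Host "Reset password for $($u.UserPrincipalName)"   # the password itself is never logged
            } catch {
                Write-Error "Reset failed for $($u.UserPrincipalName): $($_.Exception.Message)"
            }
        }
    }
}

function Register-RotationTask {
    # Run once from an elevated session (assumes PowerShell 7). -DaysInterval 14 gives the
    # fortnightly cadence directly; no daily trigger plus date check is needed.
    param([string]$RunAs = 'CORP\svc-pwrotate$')   # hypothetical gMSA
    $action    = New-ScheduledTaskAction -Execute 'pwsh.exe' -Argument "-NoProfile -NonInteractive -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -DaysInterval 14 -At '03:00'
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Limited
    Register-ScheduledTask -TaskName 'EntraAD-PasswordRotation' -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($RegisterTaskOnly) { Register-RotationTask; return }
Connect-Services
Invoke-Rotation
```

Run it once with `-WhatIf` to see which accounts would be reset before letting the task run unattended, and run `-RegisterTaskOnly` from an elevated session to create the task. The script never writes the generated password anywhere, so it has to be paired with whatever out-of-band reset or delivery process the users already have; a rotation that nobody communicates is a lockout, and the on-premises reset only reaches Entra ID if password hash sync (or an equivalent) is in place.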