In this easy Ask the Admin, I’ll show you how to reset passwords for Azure Active Directory (AAD) user accounts and set passwords to never expire.
I recently discovered that a task I’d set up using Azure Automation was failing to run, which was something of an expensive mistake on my part, as lab VMs I thought were being shut down automatically at the end of the day had been left running. I only discovered the issue on receiving my monthly billing statement from Microsoft, and naturally, as the VMs in the subscription are not mission critical, there’s no monitoring in place that would have alerted me.
For more information on setting up automation, see How to Use Microsoft Azure Automation on the Petri IT Knowledgebase, which includes information about how to create a runbook to shut down VMs.
On further investigation in the task’s log, I saw that the automation engine wasn’t able to authenticate using the AAD account that I’d specified via the credential asset because the password had expired. The Azure management portal doesn’t allow you to reset AAD user passwords or set the password never expires flag, although if your AAD is associated with an Office 365 subscription, it is possible to perform these tasks using the Office 365 admin portal.
Another way around this is to log in to the management portal itself using the account, and you’ll be prompted to change the user’s password. But the easiest way to solve this problem is to use PowerShell.
Before starting, make sure that Microsoft Online Service Sign-in Assistant for IT Professionals RTW and either Azure Active Directory Module for Windows PowerShell (32-bit version) or Azure Active Directory Module for Windows PowerShell (64-bit version) are installed on your management PC. For more information on configuring PowerShell to manage AAD, see How to Install the Windows PowerShell Cmdlets for Windows Azure AD and Office 365 on the Petri IT Knowledgebase.
Now open a PowerShell prompt: switch to the Start menu, type powershell, and then click Windows PowerShell in the search results. In the PowerShell console, type Connect-MSOLService and press ENTER. In the pop-up window, enter the username and password for an account that has administrator privileges in AAD and click OK.
To see which users in AAD have their passwords set to never expire, run the command below:
My Azure automation credential asset uses the automation2 AAD account, so I need to set the password to never expire, and then reset it. Use the Set-MSOLUser cmdlet as shown here, replacing the username in the -UserPrincipalName parameter as required:
If you run the Get-MSOLUser cmdlet again as shown above, you'll see the password for the account specified in the Set-MSOLUser cmdlet is now set to never expire (True).
Reset a User’s Password

To reset the account password, use the Set-MSOLUserPassword cmdlet as shown below, replacing ****** with the desired password, making sure it meets any password policy requirements that you have configured:
If the new password is set correctly, it will be displayed in the PowerShell console window.
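The three steps above, gathered into one script as an added example (it is not the article's original listing). The UPN is a placeholder to replace with your own account, and the script prompts for the new password and discards the cmdlet's output so that the password does not end up in command history or a console transcript.

```powershell
# Added example. Requires the Azure Active Directory Module for Windows PowerShell
# (MSOnline cmdlets) described above.
# Placeholder UPN (assumption): replace with the account your credential asset uses.
$upn = 'automation2@example.onmicrosoft.com'

# Sign in with an account that has administrator privileges in AAD.
Connect-MsolService

# 1. List the accounts that are already exempt from password expiry.
#    Review this list: each entry is an account whose password is never rotated by policy.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp

# 2. Stop here if the target account does not exist, rather than failing halfway through.
$null = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

# 3. Exempt only this one account from password expiry.
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# 4. Prompt for the new password so it is not typed on the command line.
$secure = Read-Host -Prompt "New password for $upn" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

# 5. Reset the password. -ForceChangePassword is set explicitly to $false so that
#    a non-interactive automation account is not asked to change it at next sign-in.
#    Set-MsolUserPassword returns the new password as output; assigning to $null
#    keeps it off the console.
try {
    $null = Set-MsolUserPassword -UserPrincipalName $upn `
                                 -NewPassword $plain `
                                 -ForceChangePassword $false `
                                 -ErrorAction Stop
}
finally {
    # Drop the plaintext copy as soon as the call returns or fails.
    $plain = $null
}

# 6. Confirm the flag and the password change time for the account.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
```

After running it, update the Azure Automation credential asset with the same password, otherwise the runbook will keep failing to authenticate.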