🪲 Set-EntraUserPasswordProfile always forces password change at next sign-in #1581

@kosukeuo

Description

Describe the bug

When changing a user's password using Set-EntraUserPasswordProfile, the forceChangePasswordNextSignIn property is automatically set to true, even if the -ForceChangePasswordNextSignIn parameter is omitted.

The current cmdlet design does not allow users to explicitly specify $true or $false for this parameter (it behaves as a simple switch). As a result, there is no way to update a password via this cmdlet without forcing the user to change it at the next sign-in.

This behavior likely originates from the Microsoft Graph API's default behavior, where omitting the forceChangePasswordNextSignIn property in the request payload defaults it to true.

Reference: Set-EntraUserPasswordProfile
https://learn.microsoft.com/en-us/powershell/module/microsoft.entra.users/set-entrauserpasswordprofile?view=entra-powershell#examples

Reference: passwordProfile resource type
https://learn.microsoft.com/en-us/graph/api/resources/passwordprofile?view=graph-rest-1.0

To Reproduce

Steps to reproduce the behavior:

  1. Connect to Microsoft Entra
     Connect-Entra -Scopes 'Directory.AccessAsUser.All'
  2. Change a user's password without the force switch
     $newPassword = '<strong-password>'
     $securePassword = ConvertTo-SecureString $newPassword -AsPlainText -Force
     Set-EntraUserPasswordProfile -UserId 'SawyerM@contoso.com' -Password $securePassword
  3. Verify the property
     (Get-EntraUser -UserId 'SawyerM@contoso.com').PasswordProfile.ForceChangePasswordNextSignIn
  4. Result
     The property is set to True, despite not being specified in the command.

Expected behavior

One of the following is expected:

  1. If -ForceChangePasswordNextSignIn is omitted, the value should default to false
  2. Set-EntraUserPasswordProfile should be updated to accept a boolean value for -ForceChangePasswordNextSignIn to allow explicit control.

Current Workaround

We currently have to use Set-EntraUser to explicitly set the value to $false:

Set-EntraUser -UserId '<Object-ID>' -PasswordProfile @{
    Password = 'ComplexPassword123!'
    ForceChangePasswordNextSignIn = $false
}

Debug Output

Module Version

Get-InstalledModule -Name Microsoft.Entra

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
1.1.0                Microsoft.Entra                     PSGallery            Microsoft Entra PowerShell v1.0: Microsoft Entra PowerShell ...

Environment Data

Additional context

