Security Focus: Update Azure AD Admin Account Password

Got to love this cmdlet: Update-AzureADSignedInUserPassword! I use it to update admin credentials on Azure AD instances that I only occasionally use, which avoids password-expiry aches and pains.

Want to take a look? First up, go get yourself a copy of the AzureAD module from PSGallery...

 
Find-Module -Name AzureAD

Install-Module -Name AzureAD -Verbose

 

Now, I call my little function.

 
function Update-AzureADAdminPassword {

    $Cred = Get-Credential

    Add-Type -AssemblyName System.Web

    $ComplexPassword = [System.Web.Security.Membership]::GeneratePassword(30,5)

    $NewPassword = $ComplexPassword | ConvertTo-SecureString -AsPlainText -Force

    (Connect-AzureAD -Credential $Cred).Account.Id

    Update-AzureADSignedInUserPassword -CurrentPassword $Cred.Password -NewPassword $NewPassword

    $ComplexPassword

}

 

What's going on in the function?

  • Get-Credential collects the credential used to connect to the Azure AD instance.
  • The GeneratePassword static method of [System.Web.Security.Membership] generates a complex 30-character password (at least 5 non-alphanumeric characters), which is then converted to a secure string.
  • Connect-AzureAD connects to Azure AD with that credential.
  • Update-AzureADSignedInUserPassword is run, referencing the old password and the new password.

The user account and new password are written back to the host, and there's the added advantage of leaving me connected to the AAD instance.

Does this little trick work when the user is configured for Multi Factor Authentication? Sadly not. However, the function can be adapted to run once you've connected to Azure AD interactively, i.e. run Connect-AzureAD from the host and negotiate MFA.

function Update-AzureADAdminPassword {
    # No Get-Credential here: the function relies on the Azure AD session already
    # established interactively (Connect-AzureAD plus the MFA prompt) in this host

    # System.Web is a .NET Framework assembly (Windows PowerShell 5.1, not PowerShell 7)
    Add-Type -AssemblyName System.Web

    # 30 characters, at least 5 of them non-alphanumeric
    $ComplexPassword = [System.Web.Security.Membership]::GeneratePassword(30,5)
    $NewPassword = $ComplexPassword | ConvertTo-SecureString -AsPlainText -Force

    # Rotate the password of the user who is currently signed in
    Update-AzureADSignedInUserPassword -NewPassword $NewPassword

    # Output the new password in plain text (it also lands in any transcript or history)
    $ComplexPassword
}

Should you enable MFA on your production AAD admin accounts? Indubitably.
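
For completeness, here is a variant I put together as an added example (it is not the post's own function) that builds the MFA-friendly version out with two changes: the password comes from a cryptographic RNG rather than System.Web, so it also runs in PowerShell 7, and the new secret is handed back as a PSCredential instead of being written to the host. It assumes Connect-AzureAD (and the MFA prompt) has already completed in the session; Get-AzureADCurrentSessionInfo and Update-AzureADSignedInUserPassword are AzureAD module cmdlets, while New-ComplexPassword and Get-SecureRandomIndex are my own helpers.

```powershell
# Added example (not from the original post): CSPRNG-based password generation that needs
# no System.Web, and a wrapper returning the new secret as a PSCredential, not plaintext.
function Get-SecureRandomIndex {
    # Uniform integer in [0, $Max) from the CSPRNG; rejection sampling avoids modulo bias.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
    do {
        $Rng.GetBytes($buf)
        $value = [BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    [int]($value % $Max)
}

function New-ComplexPassword {
    param([int]$Length = 30, [int]$MinNonAlphanumeric = 5)
    $classes = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                 '0123456789', '!@#$%^&*()-_=+[]{}:,.?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object 'System.Collections.Generic.List[char]'
    # Guarantee the requested number of symbols plus one character from each other class.
    for ($i = 0; $i -lt $MinNonAlphanumeric; $i++) {
        $chars.Add($classes[3][(Get-SecureRandomIndex $rng ($classes[3].Length))])
    }
    foreach ($set in $classes[0..2]) {
        $chars.Add($set[(Get-SecureRandomIndex $rng ($set.Length))])
    }
    $all = -join $classes
    while ($chars.Count -lt $Length) {
        $chars.Add($all[(Get-SecureRandomIndex $rng ($all.Length))])
    }
    # Fisher-Yates shuffle so the mandatory characters do not sit in predictable positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

function Update-AzureADAdminPassword {
    # Assumes Connect-AzureAD (including any MFA prompt) has already run in this session.
    param([Parameter(Mandatory)][securestring]$CurrentPassword)
    $plain = New-ComplexPassword -Length 30 -MinNonAlphanumeric 5
    $new   = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Update-AzureADSignedInUserPassword -CurrentPassword $CurrentPassword -NewPassword $new
    $account = (Get-AzureADCurrentSessionInfo).Account.Id
    # Return a PSCredential so the plaintext never hits the host or a transcript.
    New-Object System.Management.Automation.PSCredential ($account, $new)
}
```

Store the returned credential straight into your password manager or secret store; if you must see the value, `$cred.GetNetworkCredential().Password` reveals it on demand rather than by default.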

Next week, back to the MSOnline module to enable / disable MFA.