Track Admin-Initiated Password Resets Using Graph PowerShell

When an administrator resets a user’s password in Microsoft 365, it often signals one of two things:

  • A standard onboarding or account recovery step
  • A potential security incident that requires manual credential intervention

Such actions are logged under the “UserManagement” category in Azure AD’s audit logs with the activity “Reset user password.”

This article provides a ready-to-use Graph PowerShell script that extracts these audit entries and shows when the reset occurred, for whom, who performed it, and whether it succeeded.


The Script: Querying “Reset user password” Events

# Connect to Microsoft Graph with required permission
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Define UTC start date (last 7 days)
$startTime = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Create the filter for "Reset user password" event in UserManagement category
$filter = "category eq 'UserManagement' and activityDisplayName eq 'Reset user password' and activityDateTime ge $startTime"

# Fetch the audit logs
$logs = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Parse and format the output
$output = foreach ($log in $logs) {
    $targetUser = ($log.targetResources | Select-Object -First 1).userPrincipalName
    $adminUser  = $log.initiatedBy.user.userPrincipalName

    [PSCustomObject]@{
        "Reset Time"               = $log.activityDateTime
        "Reset User Account (UPN)" = $targetUser
        "Reset By (Admin UPN)"     = $adminUser
        "Result Status"            = $log.result
    }
}

# Display the results
if ($output) {
    $output | Format-Table -AutoSize
} else {
    Write-Host "No 'Reset user password' events found in the last 7 days." -ForegroundColor Yellow
}

How the Script Works

  1. Authentication

    The script starts by connecting to Microsoft Graph using:

    Connect-MgGraph -Scopes "AuditLog.Read.All"

    This scope is required to access Azure AD audit logs.

  2. Filtering Events

    The core filter looks for logs that match:

    • category eq 'UserManagement'
    • activityDisplayName eq 'Reset user password'
    • activityDateTime ge [last 7 days]

    These ensure you're only pulling the relevant events and keeping the dataset recent and manageable.

  3. Parsing and Output

    Each matching event contains:

    • The user whose password was reset
    • The admin who performed the reset
    • The timestamp and operation result

    These are collected into a custom object and displayed in a structured table using Format-Table.


Further Enhancements

  • Export to CSV

    $output | Export-Csv -Path "AdminPasswordResets.csv" -NoTypeInformation

  • Filter by Specific Admin

    $output | Where-Object { $_."Reset By (Admin UPN)" -eq "admin@domain.com" }

  • Change the Time Window

    For example, to query the last 30 days:

    $startTime = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

  • Integrate with Notifications

    Send alerts when password resets occur outside business hours using PowerShell logic and email/Teams webhook.
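
One way to build the "PowerShell logic" behind such alerts, as an added example that is not part of the original script: it takes rows shaped like $output and reports why each reset deserves review. The function name, business hours (08:00 to 18:00 UTC, Monday to Friday), allowlist, burst threshold and sample rows are all assumptions made for illustration.

```powershell
# Added example: thresholds, allowlist and sample rows are assumptions, not tenant data.
function Get-SuspiciousReset {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # rows shaped like $output
        [string[]] $ApprovedAdmins = @(),            # hypothetical helpdesk allowlist
        [int] $StartHour = 8, [int] $EndHour = 18,   # assumed business hours (UTC)
        [int] $BurstThreshold = 3                    # resets per admin within the batch
    )
    # Count resets per admin so mass resets by one account stand out
    $perAdmin = @{}
    foreach ($r in $Records) { $perAdmin["$($r.'Reset By (Admin UPN)')"]++ }

    foreach ($r in $Records) {
        $admin   = "$($r.'Reset By (Admin UPN)')"
        $when    = ([datetime]$r.'Reset Time').ToUniversalTime()
        $reasons = @()
        if ($when.Hour -lt $StartHour -or $when.Hour -ge $EndHour -or
            "$($when.DayOfWeek)" -in 'Saturday', 'Sunday') { $reasons += 'outside business hours' }
        if (-not $admin) {
            # initiatedBy.user is empty when an app or service performed the reset
            $reasons += 'no admin UPN (app or service initiated)'
        } elseif ($ApprovedAdmins.Count -gt 0 -and $admin -notin $ApprovedAdmins) {
            $reasons += 'admin not on allowlist'
        }
        if ($r.'Result Status' -ne 'success') { $reasons += 'reset did not succeed' }
        if ($admin -and $perAdmin[$admin] -ge $BurstThreshold) {
            $reasons += "burst: $($perAdmin[$admin]) resets by this admin"
        }
        if ($reasons) {
            [PSCustomObject]@{
                Time = $when.ToString('u'); Target = $r.'Reset User Account (UPN)'
                Admin = $admin; Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rows with the same columns as $output
$utc = [DateTimeKind]::Utc
$sample = @(
    [PSCustomObject]@{ 'Reset Time' = [datetime]::new(2025,5,12,10,5,0,$utc); 'Reset User Account (UPN)' = 'alice@contoso.example'; 'Reset By (Admin UPN)' = 'helpdesk1@contoso.example'; 'Result Status' = 'success' }
    [PSCustomObject]@{ 'Reset Time' = [datetime]::new(2025,5,13,2,14,0,$utc); 'Reset User Account (UPN)' = 'bob@contoso.example'; 'Reset By (Admin UPN)' = 'ops-admin@contoso.example'; 'Result Status' = 'success' }
    [PSCustomObject]@{ 'Reset Time' = [datetime]::new(2025,5,14,11,30,0,$utc); 'Reset User Account (UPN)' = 'carol@contoso.example'; 'Reset By (Admin UPN)' = $null; 'Result Status' = 'failure' }
)

$alerts = Get-SuspiciousReset -Records $sample -ApprovedAdmins 'helpdesk1@contoso.example'
$alerts | Format-Table -AutoSize -Wrap
# To notify, send $alerts to your own mail or webhook endpoint; the payload
# shape depends on the receiver, so it is left out here.
```

In production, pass the script's $output as -Records and replace the allowlist with the accounts your helpdesk actually uses.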


Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Invalid filter clause | Incorrect or overly precise DateTime | Ensure it's in strict UTC ISO format like 2025-05-10T13:22:00Z |
| Access Denied | Insufficient permissions | Grant the user or app the AuditLog.Read.All permission and consent |
| No parameter found | Using unsupported Graph SDK switches | Stick to supported parameters like -Filter and -All; avoid -ConsistencyLevel, etc. |

Use Cases

  • Helpdesk Oversight: Ensure only authorized admins are performing password resets.
  • Security Auditing: Spot unusual reset patterns that could indicate insider threats or account compromise.
  • Compliance Reporting: Document when and how user credentials were modified.
  • Onboarding Validation: Confirm that new users are having their passwords set securely.

Conclusion

Tracking admin-initiated password resets is a vital security and compliance task. With Microsoft Graph PowerShell, you can access this data in real-time, automate your reporting, and integrate these insights into your security monitoring or onboarding workflows.

This script gives you full visibility into who is resetting passwords — when, for whom, and with what result — in just a few lines of code.

