AZ_RESET_PASSWORD

Summary

FSProtect ACL Alias: AZ_RESET_PASSWORD

Azure Alias: Reset user passwords

Affected Object Types: AZ Users

Exploitation Certainty: Certain

Graph Permission / Role: Global Administrator, Privileged Authentication Administrator, Authentication Administrator, User Administrator, Password Administrator / Helpdesk Administrator, Partner Tier1 Support, Partner Tier2 Support.

Description

AZ_RESET_PASSWORD represents the ability for a principal (user, service principal, or group) to reset another user’s password in Microsoft Entra ID.

Resetting a password grants the actor full access to the target user’s account, allowing them to:

  • Sign in as the user using the new password.

  • Access all cloud resources the user can access (Azure, M365, SaaS apps).

  • Perform privileged operations as the target if the user has admin rights.

  • In hybrid environments with password write-back enabled, reset the on-prem Active Directory password as well, which enables full compromise of on-prem infrastructure.

Because password reset = account takeover, AZ_RESET_PASSWORD is one of the most sensitive capabilities in Entra ID.

Identification

PowerShell (Microsoft Graph)

List users who can reset passwords by directory role:

Azure CLI

PowerShell:

Relevant role template IDs:

Role                                       Template ID
Global Administrator                       62e90394-69f5-4237-9190-012177145e10
Privileged Authentication Administrator    7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Authentication Administrator               c4e39bd9-1100-46d3-8c65-fb160da0071f
User Administrator                         fe930be7-5e62-47db-91af-98c3a49a38b1
Password Administrator                     966707d0-3269-4727-9be2-8c3a10f19b9d
Helpdesk Administrator                     729827e3-9c14-49f7-bb1b-9608f156bbb8
Partner Tier1 Support                      4ba39ca4-527c-499a-b93d-d9b492c50246
Partner Tier2 Support                      e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8

Anyone assigned (directly or via group) to these roles effectively has AZ_RESET_PASSWORD.
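The following script is an added example written for this page; it is not FSProtect's own code and not Microsoft's. It enumerates every principal that effectively holds one of the roles in the table above, expanding role-assignable groups to their transitive members and recording the assignment scope, because an assignment scoped to an administrative unit only covers that unit's users. It assumes the Microsoft.Graph PowerShell SDK is installed and a session has been opened with read-only scopes (RoleManagement.Read.Directory and Directory.Read.All); the output column names are chosen for this example.

```powershell
# Added example, not FSProtect's own code. Requires the Microsoft.Graph PowerShell SDK
# and a session opened with read-only scopes, for example:
#   Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Built-in role template IDs from the table above. For built-in roles, the unified
# roleDefinitionId used by the role-assignment API is the same GUID as the template ID.
$PasswordResetRoles = [ordered]@{
    'Global Administrator'                    = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged Authentication Administrator' = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13'
    'Authentication Administrator'            = 'c4e39bd9-1100-46d3-8c65-fb160da0071f'
    'User Administrator'                      = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
    'Password Administrator'                  = '966707d0-3269-4727-9be2-8c3a10f19b9d'
    'Helpdesk Administrator'                  = '729827e3-9c14-49f7-bb1b-9608f156bbb8'
    'Partner Tier1 Support'                   = '4ba39ca4-527c-499a-b93d-d9b492c50246'
    'Partner Tier2 Support'                   = 'e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8'
}

# One row per effective principal (output shape is hypothetical, chosen for this example).
function New-ResetPrincipalRow {
    param($Role, $Scope, $DirectoryObject, $Via)
    $props = $DirectoryObject.AdditionalProperties
    $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    [pscustomobject]@{
        Role      = $Role
        Scope     = $Scope   # '/' means tenant-wide; anything else is an administrative unit
        Principal = $name
        ObjectId  = $DirectoryObject.Id
        Type      = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Via       = $Via
    }
}

function Get-PasswordResetPrincipals {
    [CmdletBinding()]
    param()

    foreach ($entry in $PasswordResetRoles.GetEnumerator()) {
        # Unified role assignments cover direct, group-based and PIM *active* assignments.
        # PIM *eligible* assignments are not returned by this call and need a separate review.
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
            -Filter "roleDefinitionId eq '$($entry.Value)'" -ExpandProperty Principal

        foreach ($assignment in $assignments) {
            $principal = $assignment.Principal
            $scope     = $assignment.DirectoryScopeId

            if ($principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
                # Role-assignable group: every transitive member inherits the role, so expand it.
                $groupName = $principal.AdditionalProperties['displayName']
                Get-MgGroupTransitiveMember -GroupId $principal.Id -All | ForEach-Object {
                    New-ResetPrincipalRow -Role $entry.Key -Scope $scope -DirectoryObject $_ -Via "group:$groupName"
                }
            } else {
                New-ResetPrincipalRow -Role $entry.Key -Scope $scope -DirectoryObject $principal -Via 'direct'
            }
        }
    }
}

# Usage: list everyone with an effective password-reset role, tenant-wide assignments first.
Get-PasswordResetPrincipals |
    Sort-Object @{ Expression = { $_.Scope -ne '/' } }, Role, Principal |
    Format-Table Role, Scope, Principal, Type, Via -AutoSize
```

Two caveats when reading the output: the role-assignment API only returns active assignments, so PIM-eligible holders must be reviewed separately, and not every listed role can reset every user's password (Microsoft's permissions reference documents, per role, which users are in scope), so a row for Helpdesk Administrator does not by itself mean reach over Global Administrators.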

Azure GUI

  1. Directory roles whose members can reset passwords

    1. Open Microsoft Entra admin center.

    2. Go to Identity -> Roles & administrators.

    3. Locate these roles:

      • Global Administrator (GA)

      • Privileged Authentication Administrator (PRA)

      • Authentication Administrator

      • User Administrator

      • Password Administrator / Helpdesk Administrator

      • Partner Tier1 Support

      • Partner Tier2 Support

    4. Click each -> Assignments:

      • Any assigned user, service principal, or group can reset passwords.

      • If a group is assigned, enumerate all transitive members.

  2. Per-user confirmation

    1. Open Identity -> Users.

    2. Select a target user.

    3. If Reset password is enabled, your identity has AZ_RESET_PASSWORD over that user.

Exploitation

PowerShell (Microsoft Graph)

Change Pass Powershell

Azure GUI

  1. Open Microsoft Entra admin center -> Identity -> Users

  2. Select the target user

  3. Click Reset password

  4. Generate a new password or receive the automatically created temporary password

You can now sign in as that user (subject to MFA).

Mitigation

  1. Limit directory roles that can reset passwords

    1. Open Microsoft Entra admin center -> Roles & administrators

    2. Review assignments for:

      • Global Administrator

      • Privileged Authentication Administrator

      • Authentication Administrator

      • User Administrator

      • Password Administrator / Helpdesk Administrator

      • Partner Tier1 Support

      • Partner Tier2 Support

    3. Remove permissions where not required

      -> select assignment -> Remove assignment

    4. For roles assigned to groups:

      • Ensure group membership is tightly controlled

      • Avoid broad groups like “All IT”

  2. Harden password reset & hybrid flows

    1. Go to Identity -> Protection -> Password reset

    2. Restrict SSPR to specific groups, not all users

    3. Require strong authentication methods for resets

    4. If password write-back is enabled:

      • Ensure only required identities can reset hybrid passwords

      • Regularly review privileged hybrid accounts

Detection

Detect "Reset password" directly in Audit logs.

  • Go to Microsoft Entra ID -> Audit logs.

  • Filter by Activity: Reset password or Reset user password.

  • Filter by Category: UserManagement.

  • Review Initiated by (actor) and Target columns.

PowerShell (Microsoft Graph)

UI Logs
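The script below is an added detection example for this page; it is not FSProtect's own code. It takes audit records in the shape returned by Get-MgAuditLogDirectoryAudit, keeps only the two activity names named above, and reports resets performed by an actor outside an approved helpdesk list, resets targeting watch-listed privileged accounts, and attempts that did not succeed. The allow-lists, the constructed sample records and the output column names are all assumptions made for the example; the live query at the end assumes a session opened with AuditLog.Read.All.

```powershell
# Added example, not FSProtect's own code. The live query at the bottom needs the
# Microsoft.Graph PowerShell SDK and a session opened with:
#   Connect-MgGraph -Scopes "AuditLog.Read.All"

# Hypothetical allow-lists; replace with your own helpdesk identities and watch-listed accounts.
$ApprovedResetActors = @('helpdesk-01@contoso.example', 'helpdesk-02@contoso.example')
$WatchedTargets      = @('breakglass@contoso.example', 'ga-admin@contoso.example')

function Find-UnexpectedPasswordResets {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,   # shaped like Get-MgAuditLogDirectoryAudit output
        [string[]] $AllowedActors   = $ApprovedResetActors,
        [string[]] $WatchedAccounts = $WatchedTargets
    )
    foreach ($r in $AuditRecords) {
        # Both activity names occur in Entra audit logs, depending on the reset path used.
        if ($r.ActivityDisplayName -notin @('Reset password', 'Reset user password')) { continue }

        # The actor is a user (admin center, Graph SDK) or an app (service principal via Graph).
        $actor = if ($r.InitiatedBy.User.UserPrincipalName) { $r.InitiatedBy.User.UserPrincipalName } else { "app:$($r.InitiatedBy.App.DisplayName)" }
        $target = ($r.TargetResources | Select-Object -First 1).UserPrincipalName

        $reasons = @()
        if ($actor -notin $AllowedActors) { $reasons += 'actor is not an approved helpdesk identity' }
        if ($target -in $WatchedAccounts) { $reasons += 'target is a watch-listed privileged account' }
        if ($r.Result -ne 'success')      { $reasons += "attempt did not succeed (result=$($r.Result))" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $r.ActivityDateTime
                Activity = $r.ActivityDisplayName
                Actor    = $actor
                Target   = $target
                Result   = $r.Result
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real log data) in the shape the function expects.
$SampleRecords = @(
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-01-15T09:12:00Z'; ActivityDisplayName = 'Reset password'
        Category = 'UserManagement'; Result = 'success'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'helpdesk-01@contoso.example' }; App = $null }
        TargetResources = @([pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.example' })
    },
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-01-15T09:40:00Z'; ActivityDisplayName = 'Reset user password'
        Category = 'UserManagement'; Result = 'success'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'intern@contoso.example' }; App = $null }
        TargetResources = @([pscustomobject]@{ UserPrincipalName = 'ga-admin@contoso.example' })
    },
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-01-15T10:05:00Z'; ActivityDisplayName = 'Update user'
        Category = 'UserManagement'; Result = 'success'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'intern@contoso.example' }; App = $null }
        TargetResources = @([pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.example' })
    }
)

# Offline run: only the second record is reported (unapproved actor and watch-listed target).
Find-UnexpectedPasswordResets -AuditRecords $SampleRecords | Format-List

# Live run over the last 7 days of the tenant's audit log (uncomment after Connect-MgGraph).
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $live  = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'UserManagement' and activityDateTime ge $since"
# Find-UnexpectedPasswordResets -AuditRecords $live | Format-Table -AutoSize
```

The function deliberately keeps the allow-list and watch-list as parameters so the same logic can run offline over exported records and live over Graph output; in a hybrid tenant with password write-back, pair this with the on-prem Active Directory password-change audit events, since the Entra audit log alone does not show the resulting on-prem change.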

