AZ_RESET_PASSWORD

Summary

FSProtect ACL Alias

AZ_RESET_PASSWORD

Azure Alias

Reset user passwords

Affected Object Types

AZ Users

Exploitation Certainty

Certain

Graph Permission / Role

Global Administrator, Privileged Authentication Administrator, Authentication Administrator, User Administrator, Password Administrator / Helpdesk Administrator, Partner Tier1 Support, Partner Tier2 Support.

Description

AZ_RESET_PASSWORD represents the ability for a principal (user, service principal, or group) to reset another user’s password in Microsoft Entra ID.

Resetting a password grants the actor full access to the target user’s account, allowing them to:

Sign in as the user using the new password.
Access all cloud resources the user can access (Azure, M365, SaaS apps).
Perform privileged operations as the target if the user has admin rights.
In hybrid environments with password write-back enabled, reset the on-prem Active Directory password as well — enabling full compromise of on-prem infrastructure.

Because password reset = account takeover, AZ_RESET_PASSWORD is one of the most sensitive capabilities in Entra ID.

Identification

PowerShell

You can identify AZ_RESET_PASSWORD permission on azure with these scripts

Get-PasswordResetCapableUsersByRoles.ps1

function Expand-GroupUsers {
    param([string]$GroupId)
    $seenGroups = New-Object System.Collections.Generic.HashSet[string]
    $seenUsers  = New-Object System.Collections.Generic.HashSet[string]
    $users = @()
    $q = New-Object System.Collections.Generic.Queue[object]
    $null = $seenGroups.Add($GroupId)
    $q.Enqueue($GroupId)
    while($q.Count -gt 0){
        $gid = $q.Dequeue()
        try{ $members = Get-AzureADGroupMember -All $true -ObjectId $gid }catch{ continue }
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){
                if($seenUsers.Add($m.ObjectId)){ $users += $m }
            }elseif($m.ObjectType -eq 'Group'){
                if($seenGroups.Add($m.ObjectId)){ $q.Enqueue($m.ObjectId) }
            }
        }
    }
    $users
}

function Get-PasswordResetCapableUsersByRoles {
    # Roles capable of resetting passwords
    $roles = @(
        'Global Administrator',
        'Privileged Authentication Administrator',
        'Authentication Administrator',
        'User Administrator',
        'Password Administrator',
        'Helpdesk Administrator',
        'Partner Tier1 Support',
        'Partner Tier2 Support'
    )

    $activeRoles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roles }
    $roleUsers = @{}

    foreach($r in $activeRoles){
        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId)
        $u = @()
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){ $u += $m }
            elseif($m.ObjectType -eq 'Group'){ $u += Expand-GroupUsers -GroupId $m.ObjectId }
        }
        $uniq = $u | Group-Object ObjectId | ForEach-Object { $_.Group[0] }
        $roleUsers[$r.DisplayName] = $uniq
    }

    $rows = @()
    foreach($rn in $roleUsers.Keys){
        foreach($u in $roleUsers[$rn]){
            $upn = if($u.PSObject.Properties.Name -contains 'UserPrincipalName'){ $u.UserPrincipalName } else { '' }
            $rows += [pscustomobject]@{
                Role = $rn
                UserDisplayName = $u.DisplayName
                UserPrincipalName = $upn
                UserId = $u.ObjectId
            }
        }
    }
    $rows
}

Connect-AzureAD
$roleRows = Get-PasswordResetCapableUsersByRoles

"=== USERS WHO CAN RESET OTHER USERS' PASSWORDS (BY DIRECTORY ROLE) ==="
$roleRows | Sort-Object Role,UserDisplayName | Format-Table -AutoSize

Azure CLI

# List all directory roles
az ad role list

# Get a role by display name
az ad role list --query "[?displayName=='User Administrator']"

# List assignments for a role
az ad role assignment list --role <roleId>

Relevant roles:

Global Administrator
Privileged Authentication Administrator
Authentication Administrator
User Administrator
Password Administrator / Helpdesk Administrator
Partner Tier1 Support
Partner Tier2 Support

Anyone assigned (directly or via group) to these roles effectively has AZ_RESET_PASSWORD.

Azure GUI

Directory roles whose members can reset passwords

Open Microsoft Entra admin center.
Go to Identity → Roles & administrators.
Locate these roles:
- Global Administrator (GA)
- Privileged Authentication Administrator (PRA)
- Authentication Administrator
- User Administrator
- Password Administrator / Helpdesk Administrator
- Partner Tier1 Support
- Partner Tier2 Support
Click each → Assignments:
- Any assigned user, service principal, or group can reset passwords.
- If a group is assigned, enumerate all transitive members.

Per-user confirmation

Open Identity → Users.
Select a target user.
If Reset password is enabled, your identity has AZ_RESET_PASSWORD over that user.

Exploitation

Azure GUI

Open Microsoft Entra admin center → Identity → Users.

Select the target user.

Click Reset password.

Generate a new password or receive the automatically created temporary password.

You can now sign in as that user (subject to MFA).

Mitigation

Limit directory roles that can reset passwords

Open Microsoft Entra admin center → Roles & administrators.
Review assignments for:
- Global Administrator
- Privileged Authentication Administrator
- Authentication Administrator
- User Administrator
- Password Administrator / Helpdesk Administrator
- Partner Tier1 Support
- Partner Tier2 Support
Remove permissions where not required:
- Select assignment → Remove assignment
For roles assigned to groups:
- Ensure group membership is tightly controlled
- Avoid broad groups like “All IT”

Harden password reset & hybrid flows

Go to Identity → Protection → Password reset.
Restrict SSPR to specific groups, not all users.
Require strong authentication methods for resets.
If password write-back is enabled:
- Ensure only required identities can reset hybrid passwords.
- Regularly review privileged hybrid accounts.

Detection

Detect “Reset password” directly in Audit logs.

Go to Microsoft Entra ID → Audit logs.
Click Category: All → select GroupManagement → Apply.
If the Activity column is hidden: Manage view → Edit columns → check Activity, Initiated by (actor), Target → Apply.

PreviousAZ_PRIVILEGED_ROLE_ADMIN NextAZ_RUNS_AS

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagDirectory roles whose members can reset passwords

hashtagPer-user confirmation

hashtagExploitation

hashtagAzure GUI

hashtagMitigation

hashtagLimit directory roles that can reset passwords

hashtagHarden password reset & hybrid flows

hashtagDetection

Summary

Description

Identification

PowerShell

Azure CLI

Azure GUI

Directory roles whose members can reset passwords

Per-user confirmation

Exploitation

Azure GUI

Mitigation

Limit directory roles that can reset passwords

Harden password reset & hybrid flows

Detection