Azure / Microsoft Entra ID Password Reset Integration


This document explains how to deploy and configure the integration required to allow administrative password resets through Microsoft Entra ID (Azure AD) and support federated environments with on-premises Active Directory.

The integration allows our platform to reset user passwords through Microsoft Graph while meeting the security requirements Microsoft places on that operation (a delegated call made by an authenticated administrator, never an application-only token).


Overview

Our platform integrates with Microsoft Entra ID (Azure AD) using the Microsoft Graph API to perform administrative password resets for users in the customer's tenant.

The reset is performed using the following Graph endpoint:

POST /users/{id}/authentication/methods/{passwordMethodId}/resetPassword

This endpoint:

  • Requires delegated permissions

  • Requires an authenticated administrator

  • Does not support application-only authentication
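As an added example (not code from the original document or the platform's own implementation), the following PowerShell script performs the delegated reset described above with the Microsoft Graph PowerShell SDK, calling the endpoint exactly as written. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in administrator holds the roles listed under Required Roles; the user principal name passed in is a placeholder, and the long-running-operation handling (202 Accepted plus a Location header to poll) follows Graph's documented behaviour for this endpoint.

```powershell
# Added example, not the platform's own code. Performs the delegated resetPassword call
# from an interactive administrator session. Requires the Microsoft.Graph.Authentication module.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. 'user@company.com'
)

$graph = 'https://graph.microsoft.com/v1.0'

# Delegated scope covering /users/{id}/authentication/methods/{id}/resetPassword.
# Connect-MgGraph signs the administrator in interactively; an app-only (client credential)
# session cannot call this endpoint, so the check below refuses to continue with one.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'Delegated') {
    throw "resetPassword requires delegated permissions; this session is '$($ctx.AuthType)'"
}

# Resolve the target user's object id (single quotes keep PowerShell from expanding $select).
$uri  = '{0}/users/{1}?$select=id,userPrincipalName' -f $graph, [uri]::EscapeDataString($UserPrincipalName)
$user = Invoke-MgGraphRequest -Method GET -Uri $uri

# Look up the user's password authentication method; its id is the {passwordMethodId} in the URL.
$methods = Invoke-MgGraphRequest -Method GET -Uri ('{0}/users/{1}/authentication/passwordMethods' -f $graph, $user.id)
if (-not $methods.value) { throw "No password method found for $UserPrincipalName" }
$passwordMethodId = $methods.value[0].id

# Generate the new password from a CSPRNG (24 random bytes -> 32 Base64 characters).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)

# The reset itself. Graph answers 202 Accepted and reports progress through a long-running
# operation whose URL is returned in the Location header.
$resetUri = '{0}/users/{1}/authentication/methods/{2}/resetPassword' -f $graph, $user.id, $passwordMethodId
$body     = @{ newPassword = $newPassword } | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri $resetUri -Body $body -ContentType 'application/json' `
    -StatusCodeVariable status -ResponseHeadersVariable headers | Out-Null
if ($status -ne 202) { throw "Unexpected HTTP status $status from resetPassword" }

# Poll the operation until it finishes (status values: notStarted, running, succeeded, failed).
$opUri = $headers['Location'] | Select-Object -First 1
do {
    Start-Sleep -Seconds 2
    $op = Invoke-MgGraphRequest -Method GET -Uri $opUri
} while ($op.status -in 'notStarted', 'running')
if ($op.status -ne 'succeeded') { throw "Password reset failed: $($op | ConvertTo-Json -Compress)" }

# Hand the secret back as a SecureString rather than echoing it to the console or a transcript.
[pscustomobject]@{
    UserPrincipalName = $user.userPrincipalName
    NewPassword       = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
}
```

Because the session is interactive, whatever MFA and Conditional Access policy applies to the administrator applies to this call as well; that is the reason the identity models below exist, since the account performing the reset has to be able to re-authenticate in a way the customer and the platform can both manage.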


Prerequisites

  1. Entra IDP integration


Required Roles

The administrator used for the integration must have the following Entra ID roles:

Required

  • Authentication Administrator

Optional (if password resets should include admin users)

  • Privileged Authentication Administrator

Without the second role, the system cannot reset passwords for administrative accounts.


Identity Models for the Integration

There are three supported approaches for authorizing the integration.
The backend implementation remains identical in all cases.

Option 1 - Customer Service Account (Recommended)

The customer creates a dedicated administrative service account for the integration.

Example: imper-password-reset@company.com

Advantages:

  • More stable identity

  • Clear audit trail

  • Easier Conditional Access configuration

Best suited for:

  • Medium and large organizations

  • Long-term integrations

Required Properties:

  • Assign the required roles

  • Disable MFA and password expiration

  • Disable "Set password on first login"

Option 2 - Vendor B2B Guest Admin

The customer invites a vendor-managed guest administrator into their tenant and assigns the required role.

Advantages:

  • Vendor can manage re-authentication

  • Reduced operational overhead for the customer

Limitations:

  • Higher security scrutiny

  • Conditional Access may restrict guest administrators

  • Not acceptable in some regulated environments

Required Properties:

  • Assign the required roles

  • Disable MFA and password expiration

  • Disable "Set password on first login"
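As an added example that is not part of the original document, the following PowerShell provisions the Option 1 service account through Microsoft Graph and assigns the roles from Required Roles, skipping steps that are already done so it can be re-run. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules; the display name is an assumption and the UPN defaults to the page's example address. The MFA exemption is a Conditional Access decision rather than a user property and is therefore not scripted here.

```powershell
# Added example, not the platform's own code. Creates the dedicated service account and
# assigns the required Entra roles. Requires Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement.
param(
    [string] $UserPrincipalName = 'imper-password-reset@company.com',  # example address from the page
    [switch] $IncludeAdminResets   # also grant Privileged Authentication Administrator
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

# Assigns a directory role by display name, activating the role in the tenant if needed,
# and skips the assignment when the principal is already a member.
function Add-DirectoryRoleMember {
    param([string] $RoleName, [string] $PrincipalId)
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    if (-not $template) { throw "Role template '$RoleName' not found" }
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
    if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -contains $PrincipalId) { return }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$PrincipalId"
}

# Initial credential from a CSPRNG; it is handed over once, out of band, and never logged.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$mailNickname = ($UserPrincipalName -split '@')[0]
$user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'"
if (-not $user) {
    # DisablePasswordExpiration and ForceChangePasswordNextSignIn = $false map to the two
    # password-related properties the page requires for the service account.
    $user = New-MgUser -AccountEnabled -DisplayName 'Password Reset Integration' `
        -MailNickname $mailNickname `
        -UserPrincipalName $UserPrincipalName `
        -PasswordPolicies 'DisablePasswordExpiration' `
        -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $false }
} else {
    # Existing account: make sure password expiration stays disabled.
    Update-MgUser -UserId $user.Id -PasswordPolicies 'DisablePasswordExpiration'
}

Add-DirectoryRoleMember -RoleName 'Authentication Administrator' -PrincipalId $user.Id
if ($IncludeAdminResets) {
    # Without this second role, resets against administrative accounts fail.
    Add-DirectoryRoleMember -RoleName 'Privileged Authentication Administrator' -PrincipalId $user.Id
}

[pscustomobject]@{
    Id                = $user.Id
    UserPrincipalName = $UserPrincipalName
    InitialPassword   = ConvertTo-SecureString -String $initialPassword -AsPlainText -Force
}
```

Since the account is exempt from MFA, the Conditional Access side of the setup is what limits where it can be used: exclude it from the MFA policies explicitly and pair that with a policy that restricts its sign-in to the platform's known locations, which is the "easier Conditional Access configuration" the page lists as an advantage of a dedicated account.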


Azure AD Connect Password Writeback (Hybrid Environments)

If the organization uses Hybrid Identity (Microsoft Entra ID with on-premises Active Directory), password writeback must be enabled.

Enable Password Writeback

  1. Open Microsoft Entra Connect (Azure AD Connect).

  2. Navigate to Optional Features.

  3. Enable Password Writeback.

This allows passwords reset in Entra ID to be written back to on-premises Active Directory.


Required Permissions for Entra Connect Service Account

The service account used by Microsoft Entra Connect must have the following permissions in Active Directory.

These permissions are normally configured automatically during installation.

Required permissions:

  • Reset password

  • Change password

  • Write permission on lockoutTime

  • Write permission on pwdLastSet

  • Extended rights for Unexpire Password on the root object of each domain

Important notes:

  • These permissions must inherit to all users

  • Administrative accounts do not inherit these permissions by default

If permissions are missing, password writeback may fail with the error:

Writeback Failed: AdminActionRequired
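As an added example that is not part of the original document, the following PowerShell reports, for the current domain, whether the Entra Connect connector account holds the five permissions listed above on the domain root with inheritance down to user objects. It also checks CN=AdminSDHolder, the object whose ACL is copied onto protected administrative accounts, which is why those accounts do not inherit the permissions by default. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the connector account name is a placeholder, and the script is meant to be run once per domain.

```powershell
# Added example, not the platform's own code. Reports which writeback permissions the
# Entra Connect connector account holds on the domain root and on AdminSDHolder.
# Requires the ActiveDirectory RSAT module; run it in each domain of the forest.
param(
    [string] $ConnectorAccount = 'CORP\MSOL_placeholder'   # placeholder: DOMAIN\MSOL_<id> from Entra Connect
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve rights and attribute GUIDs from the forest rather than hard-coding them.
function Get-ExtendedRightGuid([string] $DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Extended right '$DisplayName' not found" }
    [guid] $o.rightsGuid
}
function Get-SchemaGuid([string] $LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]::new([byte[]] $o.schemaIDGUID)
}

$userClassGuid = Get-SchemaGuid 'user'
$required = @(
    @{ Name = 'Reset password';    Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Reset Password') }
    @{ Name = 'Change password';   Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Change Password') }
    @{ Name = 'Unexpire Password'; Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Unexpire Password') }
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'lockoutTime') }
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'pwdLastSet') }
)

# True when one of the account's Allow ACEs grants the right for the given GUID (or for all
# objects of that kind). With -RequireInheritance the ACE must also flow down to user objects.
function Test-Permission($Aces, $Req, [bool] $RequireInheritance) {
    $wanted = [System.DirectoryServices.ActiveDirectoryRights] $Req.Right
    $hit = $Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($wanted) -and
        ($_.ObjectType -eq $Req.Guid -or $_.ObjectType -eq [guid]::Empty) -and (
            -not $RequireInheritance -or (
                $_.InheritanceType -ne 'None' -and
                ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $userClassGuid)
            )
        )
    }
    [bool] $hit
}

$domainDN = (Get-ADDomain).DistinguishedName
$scopes = @(
    @{ Scope = 'Domain root (inherited)';          Path = "AD:\$domainDN";                              Inherit = $true }
    @{ Scope = 'AdminSDHolder (protected accounts)'; Path = "AD:\CN=AdminSDHolder,CN=System,$domainDN"; Inherit = $false }
)

$results = foreach ($s in $scopes) {
    $aces = (Get-Acl -Path $s.Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($req in $required) {
        [pscustomobject]@{
            Scope      = $s.Scope
            Permission = $req.Name
            Present    = Test-Permission $aces $req $s.Inherit
        }
    }
}

$results | Format-Table Scope, Permission, Present -AutoSize
$missing = $results | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "$(@($missing).Count) permission(s) missing; writeback may fail with AdminActionRequired"
}
```

A gap in the "Domain root" rows is the normal cause of the AdminActionRequired error for ordinary users; a gap only in the "AdminSDHolder" rows means writeback works for regular accounts but not for protected administrators, which is a separate decision to make deliberately rather than a misconfiguration.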

Federated Domain Behavior

A federated domain is a domain where Microsoft Entra ID delegates authentication to an external identity provider.

Common providers include:

  • Active Directory Federation Services (AD FS)

  • Ping Identity

  • Okta

In federated environments:

  1. The helpdesk system resets the password.

  2. The user account is marked as password expired.

  3. The user must complete the password change through the federation provider.

Users can typically update their password through:

  • Local workstation login

  • Remote Desktop / VDI

  • AD FS password update portal


Enabling Password Updates via AD FS

By default, AD FS does not allow users to update their password.

To enable password updates for federated users, specific endpoints must be enabled.

Configuration Steps

  1. Open AD FS Management.

  2. Navigate to Service → Endpoints.

  3. Enable the following endpoints and mark both options:

    1. Enabled

    2. Proxy Enabled

Required endpoints:

/adfs/portal/updatepassword
/adfs/.well-known/openid-configuration
/adfs/userinfo
/adfs/services/trust/mex
/adfs/ls/
/adfs/discovery/keys

The /adfs/ls/ endpoint is required for password updates through Microsoft's MyAccount portal.


Restart the AD FS Service

After enabling the endpoints, restart the AD FS service.

PowerShell command:

Restart-Service adfssrv
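As an added example that is not part of the original document, the following PowerShell carries out the endpoint steps and the restart above on the primary AD FS server with the ADFS module that ships with the role. It enables each listed endpoint, sets the proxy flag (the two checkboxes in AD FS Management), verifies the result and restarts the service only when something actually changed.

```powershell
# Added example, not the platform's own code. Enables the required AD FS endpoints for the
# service and the proxy, verifies them, then restarts AD FS. Run on the primary AD FS server.
Import-Module ADFS

$requiredEndpoints = @(
    '/adfs/portal/updatepassword',
    '/adfs/.well-known/openid-configuration',
    '/adfs/userinfo',
    '/adfs/services/trust/mex',
    '/adfs/ls/',
    '/adfs/discovery/keys'
)

$changed = $false
foreach ($path in $requiredEndpoints) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if (-not $ep) { Write-Warning "Endpoint $path does not exist on this farm"; continue }
    try {
        if (-not $ep.Enabled) {               # "Enabled" checkbox in AD FS Management
            Enable-AdfsEndpoint -TargetAddressPath $path
            $changed = $true
        }
        if (-not $ep.Proxy) {                 # "Proxy Enabled" checkbox
            Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true
            $changed = $true
        }
    } catch {
        # Some built-in endpoints are fixed and reject changes; report and keep going.
        Write-Warning "Could not change $path : $($_.Exception.Message)"
    }
}

# Verify before restarting: every required endpoint must be enabled on both sides.
$report = Get-AdfsEndpoint | Where-Object { $_.AddressPath -in $requiredEndpoints } |
    Select-Object AddressPath, Enabled, Proxy
$report | Format-Table -AutoSize
$notReady = $report | Where-Object { -not ($_.Enabled -and $_.Proxy) }
if ($notReady) { throw "Endpoints not fully enabled: $($notReady.AddressPath -join ', ')" }

if ($changed) {
    # The change lives in the AD FS configuration database; every AD FS node has to restart
    # its service to pick it up, and Web Application Proxy servers apply the proxy flag on
    # their next configuration sync.
    Restart-Service adfssrv
} else {
    Write-Host 'All required endpoints were already enabled; no restart needed.'
}
```

On a farm with several AD FS servers, run the restart on each node after the configuration has replicated; the endpoint changes themselves only need to be made once, on the primary.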

Expected Result

After completing the configuration:

  • Password resets initiated through the platform will update Microsoft Entra ID

  • In hybrid environments, the password will write back to on-premises Active Directory

  • Federated users will be prompted to complete the password update via AD FS