Update-EntraUserFromFederated
Updates a user in a domain that was recently converted from single sign-on (also known as identity federation) to standard authentication type.
Syntax
CloudOnlyPasswordScenarios (Default)
Update-EntraUserFromFederated
-UserPrincipalName <String>
[<CommonParameters>]
HybridPasswordScenarios
Update-EntraUserFromFederated
-UserPrincipalName <String>
-NewPassword <SecureString>
[<CommonParameters>]
Description
The Update-EntraUserFromFederated cmdlet is used to update a user in a domain that was recently converted from single sign-on (also known as identity federation) to standard authentication type. A new password must be provided for the user.
This process updates the password in Microsoft Entra ID and, if password writeback is enabled, syncs it to on-premises Active Directory. The admin can set a new password or let the system generate one. The user must change it at next sign-in.
In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or a custom role with the required permissions. The least privileged roles for this operation are:
- Authentication Administrator
- Privileged Authentication Administrator
For delegated scenarios, the administrator needs at least the Authentication Administrator or Privileged Authentication Administrator Microsoft Entra role.
Admins with User Administrator, Helpdesk Administrator, or Password Administrator roles can reset passwords for nonadmin users.
The new password is required for hybrid password setups. If omitted for cloud-only passwords, a system-generated password is returned. It’s a Unicode string, validated against the tenant's banned password list, and must meet cloud and/or on-premises password policies.
Examples
Example 1: Update a user in a domain
Connect-Entra -Scopes 'UserAuthenticationMethod.ReadWrite.All'
Update-EntraUserFromFederated -UserPrincipalName 'pattifuller@contoso.com'
Name Value
---- -----
newPassword HuHu8765
@odata.context https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordResetResponse
This command updates a user in a domain. The system generates and returns a password.
-UserPrincipalName parameter specifies the Microsoft Entra ID UserID for the user to convert.
Example 2: Update user password in a domain
Connect-Entra -Scopes 'UserAuthenticationMethod.ReadWrite.All'
$newPassword = '<strong-password>'
$securePassword = ConvertTo-SecureString $newPassword -AsPlainText -Force
Update-EntraUserFromFederated -UserPrincipalName 'pattifuller@contoso.com' -NewPassword $securePassword
This command updates a user in a domain by supplying a password for hybrid scenarios.
-UserPrincipalName parameter specifies the Microsoft Entra ID UserID for the user to convert.
-NewPassword parameter specifies the new password of the user.
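The following is an added example, not part of the original reference: a wrapper that handles both parameter sets for several users from the pipeline, prompts for the hybrid password instead of holding it as a plaintext literal, and keeps the system-generated password out of console output and transcripts. Reset-ConvertedUser, its -Hybrid switch and the second user name are hypothetical; the code assumes the cmdlet's result exposes newPassword as shown in the Example 1 output.

```powershell
# Added example; Reset-ConvertedUser and -Hybrid are hypothetical names, not part of the module.
function Reset-ConvertedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $UserPrincipalName,

        # Set for tenants using hybrid password scenarios, where -NewPassword is required.
        [switch] $Hybrid
    )
    process {
        if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password after conversion from federated')) { return }
        $temp = $null
        try {
            if ($Hybrid) {
                # Prompt so the password never appears as plaintext in the script or command history.
                $secure = Read-Host -AsSecureString -Prompt "New password for $UserPrincipalName"
                Update-EntraUserFromFederated -UserPrincipalName $UserPrincipalName -NewPassword $secure -ErrorAction Stop |
                    Out-Null
            }
            else {
                # Cloud-only: the service generates the password and returns it.
                $result = Update-EntraUserFromFederated -UserPrincipalName $UserPrincipalName -ErrorAction Stop
                # Assumption: the result exposes 'newPassword' as in the Example 1 output.
                # Wrapping it in a SecureString keeps it from being rendered when the object is displayed.
                $temp = ConvertTo-SecureString $result.newPassword -AsPlainText -Force
                $result = $null
            }
            [pscustomobject]@{
                UserPrincipalName = $UserPrincipalName
                Status            = 'Reset'
                TemporaryPassword = $temp
            }
        }
        catch {
            # Report the failure per user so one error does not stop the rest of the pipeline.
            [pscustomobject]@{
                UserPrincipalName = $UserPrincipalName
                Status            = "Failed: $($_.Exception.Message)"
                TemporaryPassword = $null
            }
        }
    }
}

Connect-Entra -Scopes 'UserAuthenticationMethod.ReadWrite.All'
# Constructed sample input: the second address is a made-up user.
$results = 'pattifuller@contoso.com', 'user2@contoso.com' | Reset-ConvertedUser
$results | Select-Object UserPrincipalName, Status
```

Run it with -WhatIf first to confirm which accounts would be reset without changing any password.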
Parameters
-NewPassword
The new password of the user.
For tenants using hybrid password scenarios, specifying a new password is required. If you omit the password for a cloud-only account, the system generates one automatically. This generated password is a Unicode string without other encoding. Before acceptance, the password is validated against the tenant's banned password list and must meet the tenant's cloud and/or on-premises password requirements.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | 2 |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-UserPrincipalName
The Microsoft Entra ID UserID for the user to convert.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | UserId, Identity, UPN, ObjectId |
Parameter sets
(All)
| Position: | 1 |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Notes
- For more information, see resetPassword.