PowerShell – script to reset user password in AAD and AD then force sign out from Office 365 services

The only purpose of this script is to act as fast as possible when a phishing attack succeeds and one of your users is compromised. Every step below can be done one by one in the UI, but that takes longer, and here minutes matter: the attacker keeps access until the password is reset and the sessions are revoked.

So, here are the actions the script performs:

  • Creates a new random temporary password (you can change the pattern to whatever you want your temp password to look like). The user will be forced to change it at next sign-in.
  • Resets the password in the cloud / Office 365.
  • Optionally resets the password in your on-premises AD (if your accounts are synced with Active Directory).
  • Terminates all active Office 365 sessions. Per Microsoft, this invalidates the refresh tokens issued to applications for the user; access tokens that were already issued stay valid until they expire (typically about an hour), so an attacker's existing session can linger for that long.

In order to reset passwords in AD, the script must be run as an account that is allowed to reset passwords in AD, on a machine that has the ActiveDirectory PowerShell module (RSAT) installed. If you are remote, you must have network access to your on-premises domain controllers. The cloud steps need the Exchange Online, MSOnline and AzureAD modules, connected before you run the script.

Don’t forget to replace contoso.com in the regular expression below with your own domain.

# Prerequisites: Exchange Online (Get-Mailbox), MSOnline (Set-MsolUserPassword),
# AzureAD (Revoke-AzureADUserAllRefreshToken) and ActiveDirectory modules,
# with Connect-MsolService and Connect-AzureAD already done in this session.

# Prompt until we get an address in our own domain that resolves to a mailbox.
# The regex is anchored and the dot escaped so that "x@contoso.com.evil.net" is rejected.
Do {
    $email = Read-Host "Provide a user email for a password reset"
    $mailbox = Get-Mailbox -Identity $email -ErrorAction SilentlyContinue
}
Until (($email -match '^[\w.+-]+@contoso\.com$') -and ($null -ne $mailbox))

# Temporary password: one upper-case letter, two lower-case letters and today's date (MMddyy).
# -Maximum is exclusive, so 91 and 123 are needed for Z and z to be possible.
# Only the three letters are actually random; the date is guessable, so the forced
# change at next logon is what limits the exposure of this password.
$newpassword = [char](Get-Random -Minimum 65 -Maximum 91) + [char](Get-Random -Minimum 97 -Maximum 123) + [char](Get-Random -Minimum 97 -Maximum 123) + (Get-Date -Format "MMddyy")

# Assumes the AD sAMAccountName is the local part of the primary SMTP address.
$samAccountName = $mailbox.PrimarySmtpAddress.ToString().Split('@')[0]

# -ErrorAction Stop on every reset so a failure aborts the script instead of printing "OK".
If ($mailbox.IsDirSynced -eq $true) {

    Write-Host "`nChanging password for the Cloud account - " -NoNewline
    Set-MsolUserPassword -UserPrincipalName $email -NewPassword $newpassword -ForceChangePassword $false -ErrorAction Stop | Out-Null
    Write-Host "OK" -ForegroundColor Green

    Write-Host "Changing password for the AD account - " -NoNewline
    Set-ADAccountPassword -Identity $samAccountName -NewPassword (ConvertTo-SecureString -AsPlainText $newpassword -Force) -Reset -ErrorAction Stop
    Write-Host "OK" -ForegroundColor Green

    # The "change at next logon" flag is set in AD because AD is authoritative for synced accounts.
    Write-Host "Forcing to change the password after next logon - " -NoNewline
    Set-ADUser -Identity $samAccountName -ChangePasswordAtLogon $true -ErrorAction Stop
    Write-Host "OK" -ForegroundColor Green

}

Else {

    Write-Host "`nChanging password for the Cloud account - " -NoNewline
    Set-MsolUserPassword -UserPrincipalName $email -NewPassword $newpassword -ForceChangePassword $true -ErrorAction Stop | Out-Null
    Write-Host "OK" -ForegroundColor Green

}

Write-Host "Terminating all active sessions - " -NoNewline
# -ObjectId accepts a UPN and returns exactly one user. -SearchString is a prefix match on
# display name / UPN and can return several accounts, which would revoke the wrong user's tokens.
Get-AzureADUser -ObjectId $email -ErrorAction Stop | Revoke-AzureADUserAllRefreshToken
Write-Host "OK" -ForegroundColor Green

$username = $mailbox.DisplayName

Write-Host "`n********************************************************"
Write-Host "New password for $username (password is case sensitive):`n"
Write-Host "$newpassword" -ForegroundColor Green
Write-Host "********************************************************"

# Clear the plaintext password (and everything else) from the session variables.
Remove-Variable * -ErrorAction SilentlyContinue
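The MSOnline and AzureAD modules used above have been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK. Below is an added example of the same three steps on Graph; it is not the original post's script. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the signed-in admin holds a role allowed to reset the target user's password, and that the delegated scopes named in Connect-MgGraph are sufficient in your tenant (check them against your tenant's permission setup). It also swaps the date-based temporary password for one drawn from the .NET cryptographic RNG, and for synced accounts it resets only the on-premises password and relies on password hash sync, because whether Graph accepts a passwordProfile update on a synced object depends on the tenant's password writeback configuration.

```powershell
# Added example, not the original post's code. Assumptions: Microsoft.Graph + ActiveDirectory
# modules, an admin allowed to reset this user's password, and the scopes below being adequate.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ActiveDirectory

$Domain = 'contoso.com'   # assumption: replace with your own domain

function New-TemporaryPassword {
    # Cryptographically random temporary password, unlike the Get-Random + date scheme.
    param([int]$Length = 16)
    # Ambiguous characters (I, O, l, 0, 1) are left out so the password survives a phone call.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound: avoids modulo bias
    $byte  = New-Object byte[] 1
    do {
        $chars = foreach ($i in 1..$Length) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $alphabet[$byte[0] % $alphabet.Length]
        }
        $candidate = -join $chars
        # Regenerate until the usual complexity classes are all present.
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    $rng.Dispose()
    return $candidate
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' | Out-Null

# Prompt until the address is in our domain and resolves to a directory user.
do {
    $email = Read-Host 'Provide a user email for a password reset'
    $user  = $null
    if ($email -match "^[\w.+-]+@$([regex]::Escape($Domain))$") {
        $user = Get-MgUser -UserId $email `
            -Property Id, DisplayName, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesSamAccountName `
            -ErrorAction SilentlyContinue
    }
} until ($null -ne $user)

$newPassword = New-TemporaryPassword

if ($user.OnPremisesSyncEnabled) {
    # Synced account: AD is authoritative. Password hash sync carries the new hash to the
    # cloud within a few minutes; the sAMAccountName comes from the directory, not from
    # the mail address, so no naming convention is assumed.
    $sam = $user.OnPremisesSamAccountName
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force) -ErrorAction Stop
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -ErrorAction Stop
} else {
    # Cloud-only account: reset in Entra ID and force a change at next sign-in.
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $true
    } -ErrorAction Stop
}

# Invalidates refresh tokens and browser session cookies. Access tokens already issued
# remain valid until they expire, so existing sessions can persist for up to about an hour.
Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null

Write-Host "`nNew password for $($user.DisplayName) (case sensitive):"
Write-Host $newPassword -ForegroundColor Green

# Drop the plaintext password from the session and close the Graph connection.
Remove-Variable newPassword, user -ErrorAction SilentlyContinue
Disconnect-MgGraph | Out-Null
```

Run it from a machine that can reach a domain controller when synced accounts are involved; for a cloud-only tenant the ActiveDirectory module and the AD branch are never exercised, and the `#Requires` line can be trimmed accordingly.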
