How to Add a User in the Microsoft 365 Admin Center
Step-by-step guide to creating a user account in the Microsoft 365 admin center, including domain selection, password options, license assignment, and PowerShell.
How to Reset a User Password in Microsoft 365
TL;DR: In the Microsoft 365 admin center, go to Users > Active users, pick the user, select Reset password. Choose auto-generate or set your own, leave Require this user to change their password when they first sign in checked, and hand off the credentials securely. As of August 2024, Microsoft removed in-product email of credentials — print to PDF and share through a secure channel.
Forgotten passwords are one of the most common helpdesk tickets. This guide covers the manual reset, the bulk reset for up to 40 users at once, and how to set up self-service password reset (SSPR) so users can do this themselves.
What this does
Resetting a password in the Microsoft 365 admin center writes a new password to the user’s Microsoft Entra ID account. The optional Require this user to change their password when they first sign in flag forces the user to set a new password the next time they authenticate, which is the right default — you never have to know the long-term password.
Resetting the password does not sign the user out of existing sessions. Tokens issued before the reset stay valid until they expire (typically up to an hour). For account compromises or terminations, follow the reset with Sign out of all sessions to revoke tokens immediately.
When you’d want this
- A user forgot their password and you don’t have SSPR enabled
- An employee left and you need to lock the account before deletion
- An account compromise — reset the password, sign out all sessions, then investigate
- The user got phished and needs to be back in quickly
Steps
Reset a single user’s password
- Sign in to the Microsoft 365 admin center at https://admin.microsoft.com as a Password Administrator (or higher — User Administrator works too).
- Go to Users > Active users.
- Select the user’s row.
- Select Reset password (top of the page or in the user’s flyout pane).
- On the Reset password flyout:
- Leave Automatically create a password checked unless you have a reason to set it yourself.
- Leave Require this user to change their password when they first sign in checked.
- Select Reset password.
- On the confirmation screen, select Print to save the credentials as a PDF, then deliver them through a secure channel (in-person, password manager share, encrypted message).
Microsoft removed the in-product “email this password” feature on August 30, 2024 for security reasons. Plain-text password emails were never a good idea; now the admin center won’t send them at all.
Sign the user out of all sessions
If you’re resetting because of a compromise or termination, also revoke existing tokens:
- From Users > Active users, select the user.
- On the Account tab in the flyout, select Sign out of all sessions.
The user is prompted to sign in again within an hour (whenever their current access token expires). For an immediate revocation via PowerShell:
Connect-MgGraph -Scopes "User.RevokeSessions.All"
Revoke-MgUserSignInSession -UserId "jakob@contoso.com"
Reset up to 40 users at once
For a larger reset window — say, after a phishing campaign:
- From Users > Active users, select the checkboxes for the users (or the header checkbox to select everyone, then unselect yourself — you can’t reset your own password in the same batch).
- Select Reset password at the top.
- Choose Automatically create a password and Require change on first sign-in.
- Select Reset password, then Print the resulting list of new credentials. Treat it as sensitive.
Reset for a Global Administrator
Global Administrators can reset other Global Administrators’ passwords — but if you’re the only Global Admin and you’ve forgotten yours, you have two options:
- Use Forgot password at the sign-in screen if you have a backup phone or alternate email recorded on the account
- Open a Microsoft support ticket — they can verify ownership and reset
This is exactly why you should always have at least two Global Administrator accounts (or one Global Admin plus one Privileged Authentication Administrator).
Self-service password reset (better than this)
For organizations larger than a handful of users, self-service password reset (SSPR) dramatically cuts helpdesk volume. Microsoft includes it free with all Microsoft 365 plans for cloud-only password resets; on-premises writeback requires Microsoft Entra ID P1.
To enable it:
- In the Microsoft 365 admin center, go to Settings > Org settings > Security & privacy.
- Select Self-service password reset.
- Select Go to the Azure portal to turn on self-service password reset (this opens the Microsoft Entra admin center).
- On the Password reset > Properties page, choose All users, or Selected with a target group.
- Select Save.
- Configure authentication methods on the Authentication methods blade — typically Microsoft Authenticator, SMS, and a backup email.
Users register at https://aka.ms/ssprsetup on first prompt and reset at https://passwordreset.microsoftonline.com when they’re locked out.
PowerShell equivalent
For scripted resets, use Microsoft Graph PowerShell:
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"
$password = @{
Password = "TempReset!ChangeMeNow123"
ForceChangePasswordNextSignIn = $true
}
Update-MgUser `
-UserId "jakob@contoso.com" `
-PasswordProfile $password
# Then revoke existing sessions
Revoke-MgUserSignInSession -UserId "jakob@contoso.com"
Notes and gotchas
- Synced (hybrid) accounts: if your tenant runs Microsoft Entra Connect, password resets in the admin center may not stick — you should reset in on-premises Active Directory and let it sync. To reset cloud passwords for hybrid users, you need password writeback enabled (Microsoft Entra ID P1 or higher).
- Outlook on the web sticks around: even after sign-out, an OWA tab the user already has open will keep working until they navigate away or refresh. Don’t rely on sign-out alone for active mailbox kicks; consider a password reset plus blocking sign-in.
- Don’t email credentials in plain text. Print to PDF and use a secure channel — in-person, an encrypted password manager share, or a Teams chat (where messages are end-to-end encrypted with the right policy).
- Permissions: the Password Administrator role can reset most users’ passwords but cannot reset privileged admins. To reset a Global Admin’s password, you need the Privileged Authentication Administrator role.
Related guides
Microsoft 365 Admin Roles Explained: Global, User, Exchange, and More
Plain-English overview of the most-used Microsoft 365 admin roles, what each can do, when to use them, and the principle of least privilege in practice.