Hey everyone,
I'm managing an Entra CIAM tenant with about 200 users whose email addresses come from various domains, like Hotmail. Most of these users aren't very tech-savvy; some are even using flip phones for texting only.
I'm looking to reset their passwords directly from our internal website which they use to log in. My plan is to create a new password for them, reset it, and then let them know the new password in person so they can log in.
However, whenever I try, I get a 403 insufficient permissions error. I've already set the Microsoft Graph User.ReadWrite.All application permission with admin consent, but it's still not working.
Is it possible to reset passwords for users with non-company email domains in Entra? I'm assuming their email and password combo is stored in our tenant, right?
4 Answers
If you can visit them in person, I’d recommend setting them up with corporate accounts instead. It makes management a lot easier and you'd have full control over their passwords.
You could use a password reset URL specifically for their email domain, like for Gmail or Hotmail. Just guide them to open that reset page, but ultimately, it's on them to follow through with it.
It really depends on their account type. If these users are part of an external identity provider you manage, then yes, you can reset their passwords. However, if they're guest users linked to Google or Microsoft accounts, then unfortunately you can’t reset their passwords.
If these users are guest accounts in your tenant, then their passwords are managed wherever their original accounts come from. So, in that case, you wouldn't be able to reset their passwords as you would for standard users.

So, regarding your situation, since these users are indeed in your Entra external identity management, you should theoretically be able to set their passwords. To troubleshoot the insufficient permissions, double-check if the application permissions are properly set and if there are any potential API restrictions.
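As an added illustration of the two points made in the answers above (the account type decides whether the tenant owns the credential, and the reset itself is a Graph write to passwordProfile), here is an example script that is not part of the original thread. It classifies constructed sample user objects shaped like Microsoft Graph /users responses, generates a temporary password that satisfies Entra's default complexity rule, and builds the PATCH /users/{id} request for the accounts whose password the tenant actually holds. The tenant name, object ids and addresses are placeholders, the classification by `identities.signInType` and `userType` is my own heuristic, and the note about the extra permission or directory role needed to write passwordProfile is my reading of the Graph documentation, to be checked against the current reference. Nothing here calls the network; the returned request is what you would hand to your Graph SDK or HTTP client.

```python
import json
import secrets

# Added example, not code from the original thread. The user objects below are
# constructed to look like Microsoft Graph /users responses from an Entra
# External ID (CIAM) tenant; tenant name, object ids and e-mail addresses are
# placeholders, not real accounts.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

SAMPLE_USERS = [
    {
        # Local account: the sign-in name is a Hotmail address, but the
        # credential is stored in the tenant, so the tenant can reset it.
        "id": "11111111-1111-1111-1111-111111111111",
        "userType": "Member",
        "identities": [
            {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "alice@hotmail.com"}
        ],
    },
    {
        # Social/federated account: sign-in is delegated to Google; there is
        # no password in the tenant to reset.
        "id": "22222222-2222-2222-2222-222222222222",
        "userType": "Member",
        "identities": [
            {"signInType": "federated", "issuer": "google.com",
             "issuerAssignedId": "109876543210987654321"}
        ],
    },
    {
        # B2B guest: the password lives in the user's home tenant.
        "id": "33333333-3333-3333-3333-333333333333",
        "userType": "Guest",
        "identities": [
            {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com"}
        ],
    },
]

# Sign-in types used by CIAM local accounts (assumption: heuristic, not an API contract).
LOCAL_SIGN_IN_TYPES = {"emailAddress", "userName"}


def credential_location(user: dict) -> str:
    """Return "local" when the tenant holds the password, "guest" for B2B
    guests, and "federated" for social/OIDC/SAML identities."""
    if user.get("userType") == "Guest":
        return "guest"
    sign_in_types = {i.get("signInType") for i in user.get("identities", [])}
    if sign_in_types & LOCAL_SIGN_IN_TYPES:
        return "local"
    return "federated"


def generate_temporary_password(length: int = 16) -> str:
    """Random password meeting Entra's default rule (3 of 4 character classes),
    built from an alphabet without look-alike characters so it can be read out
    to the user in person without confusion."""
    pools = ["ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnpqrstuvwxyz", "23456789", "!@#$%&*?"]
    chars = [secrets.choice(p) for p in pools]  # guarantee one of each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_password_reset(user: dict, new_password: str):
    """Return the Graph request that sets a temporary password, or None when the
    tenant does not own the credential.

    PATCH /users/{id} with passwordProfile is the documented way to set a
    password on an account the tenant owns. Assumption from my reading of the
    Graph docs: writing passwordProfile needs more than User.ReadWrite.All,
    namely the User-PasswordProfile.ReadWrite.All application permission or a
    privileged directory role (e.g. Password Administrator) assigned to the
    app's service principal; without that the call returns 403.
    """
    if credential_location(user) != "local":
        return None
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user['id']}",
        "body": {
            "passwordProfile": {
                "password": new_password,
                # Make the hand-delivered password single-use.
                "forceChangePasswordNextSignIn": True,
            }
        },
    }


def plan_resets(users):
    """Map each user id to a reset request, or to a reason it cannot be done here."""
    plan = {}
    for u in users:
        req = build_password_reset(u, generate_temporary_password())
        plan[u["id"]] = req if req else f"not resettable here: {credential_location(u)}"
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_resets(SAMPLE_USERS), indent=2))
```

Only the first sample user yields a request; the Google-federated member and the B2B guest are reported as not resettable from this tenant, which matches the distinction the answers draw. The script only builds the request, so run it against your tenant with a client that already has the extra permission or role noted in the comment, and expect the same 403 if it has not.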