How to track password changes by admins in Microsoft Entra ID
In Microsoft Entra ID (formerly Azure Active Directory), tracking changes made by admins is crucial to maintain a secure and compliant environment. One of the key activities to keep an eye on is password changes made by admins. While most password changes are legitimate, not all of them may be. Tracking suspicious password changes, especially those made beyond business hours, could help detect potential threat actors within your organization. Cybercriminals can gain unauthorized access to admin accounts and lock out other users by changing their credentials. They can also copy or modify data, compromising the security and privacy of your users in Microsoft Entra ID.
Identifying password changes by admins using Microsoft Entra ID and M365 Manager Plus
Identifying password changes by admins using the native Microsoft Entra admin center is time-consuming, as admins must specify the relevant filters each time. Additionally, admins are restricted to exporting the report to either CSV or JSON format.
ManageEngine M365 Manager Plus, a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can also be used to identify password changes by admins in Microsoft Entra ID.
The table below compares how to identify password changes by admins using Microsoft Entra ID and M365 Manager Plus.
Microsoft Entra ID
Steps to identify password changes by admins in Microsoft Entra ID using the Microsoft Entra admin center
- Log in to the Microsoft Entra admin center with at least a User Administrator account.
- Navigate to Identity > Users > All Users.
- Click Audit logs in the side pane to view every logged event in Microsoft Entra ID.
- Click the Activity filter.
- Select Reset password (by admin).
- Click Apply.
Note: You cannot save the filter configurations for reports that you generate in Microsoft Entra ID, and they can only be exported in CSV and JSON formats.
M365 Manager Plus
Steps to identify password changes by admins in Microsoft Entra ID using M365 Manager Plus
- Log in to M365 Manager Plus and navigate to the Reports tab > Azure Active Directory > Other Azure Reports > Azure AD Audit Logs > Azure AD User Audit Logs.
- Fill in the Microsoft 365 Tenant, the Domains, and the Period in which you want the login activity details, and click Generate Now.
- Click the icon. From the first drop-down, click Activity Display Name, and from the second drop-down, click Contains. In the third field, enter admin, and click Filter to verify your results.
- If you wish to save this filtered report as a separate report, click Save as new report, provide a Report Name and Description, and click Save. You can find this report under My Reports > Custom Reports whenever you wish to generate it.
Note: Self-service password resets can also be tracked by filtering for the Reset password (self-service) activity in Microsoft Entra ID or by using the Recently Password Reset Users (Self-Service) report in M365 Manager Plus.
Create alerts for password changes by admins in Microsoft Entra ID using M365 Manager Plus
Both Microsoft Entra ID and M365 Manager Plus are capable of generating audit reports. While Microsoft 365 provides audit reports on password changes by admins, it won't alert you when an admin changes a user password.
M365 Manager Plus tackles this problem with custom alert profiles that can email you alerts as soon as your threshold is crossed. You can set alerts for untimely hours or unusual frequencies by following the steps mentioned below:
- Log in to M365 Manager Plus, navigate to Settings > Audit Configuration > Alert Profiles, and click Add Profile.
- Type in a Profile Name and Description for your audit profile.
- Select Azure Active Directory as your Microsoft 365 Service, choose Azure AD password as your Category, and select Reset user password under Actions.
- Assign the Severity based on how crucial this alert is.
- Configure an alert message using Macros to use specific variables in your alert message.
- Expand Advanced Configuration and check the Email every alert corresponding to this profile box to receive email alerts.
- In the Filter Settings tab, you can configure an Alerts Threshold to alert you when a certain event occurs above a certain frequency. Use the Business Hours Filter to monitor for any alerts outside of working hours and the Filter By Column option to format the report data you will receive in your alerts.
- Click Add to finish configuring alerts for password changes by admins in Microsoft Entra ID.
Limitations of using native tools to track password changes by admins in Microsoft Entra ID
- Reports have to be filtered every time they are generated, and the filters cannot be saved, which becomes tedious when you need the same filtered data frequently.
- Administrators need to have the Reports Reader role assigned to them for viewing the audit logs in Microsoft Entra ID.
- Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
- There is no option to create an alert whenever an admin changes a user password.
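The JSON export from the native audit log can still be reviewed offline for the two conditions this page calls out: resets outside business hours and an unusual number of resets by one admin. The following is an added example, not part of the original page or of either product; it assumes the export uses the Microsoft Graph directoryAudit field names, and the business hours, threshold and sample records are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, time, timezone

ACTIVITY = "Reset password (by admin)"   # activity name used in the steps above
DAY_START, DAY_END = time(8, 0), time(18, 0)  # assumed business hours (UTC), Mon-Fri
THRESHOLD = 3                            # assumed: resets per admin per day before flagging

def _rec(ts, activity, admin, target, result="success"):
    """Build one constructed record using Graph directoryAudit field names."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": admin}},
            "targetResources": [{"userPrincipalName": target}]}

# Constructed sample data, not from a real tenant.
A1, A2 = "admin1@contoso.example", "admin2@contoso.example"
SAMPLE_EXPORT = json.dumps([
    _rec("2024-05-06T09:15:00Z", ACTIVITY, A1, "u1@contoso.example"),
    _rec("2024-05-06T09:20:00Z", ACTIVITY, A1, "u2@contoso.example"),
    _rec("2024-05-06T09:25:00Z", ACTIVITY, A1, "u3@contoso.example"),
    _rec("2024-05-06T09:30:00Z", ACTIVITY, A1, "u4@contoso.example"),
    _rec("2024-05-07T02:40:00Z", ACTIVITY, A2, "u5@contoso.example"),
    _rec("2024-05-07T10:00:00Z", "Reset password (self-service)",
         "u6@contoso.example", "u6@contoso.example"),
    _rec("2024-05-08T23:10:00Z", ACTIVITY, A2, "u7@contoso.example", result="failure"),
    _rec("2024-05-11T11:00:00Z", ACTIVITY, A2, "u8@contoso.example"),
])

def admin_resets(export_json):
    """Yield (when_utc, admin, target) for each successful admin-initiated reset."""
    for rec in json.loads(export_json):
        if rec.get("activityDisplayName") != ACTIVITY or rec.get("result") != "success":
            continue
        # Sample timestamps are second-precision ISO 8601 with a trailing Z.
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        # initiatedBy.user can be null when an app, not a person, performed the reset.
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        target = (rec.get("targetResources") or [{}])[0]
        yield (when.astimezone(timezone.utc), user.get("userPrincipalName") or "unknown",
               target.get("userPrincipalName") or "unknown")

def review(export_json):
    """Return (off-hours resets, {(admin, day): count} above THRESHOLD)."""
    events = list(admin_resets(export_json))
    off_hours = [e for e in events
                 if e[0].weekday() >= 5 or not DAY_START <= e[0].time() < DAY_END]
    per_day = Counter((admin, when.date().isoformat()) for when, admin, _ in events)
    return off_hours, {key: n for key, n in per_day.items() if n > THRESHOLD}

if __name__ == "__main__":
    print(review(SAMPLE_EXPORT))
```

Business hours are evaluated in UTC here; shift the timestamps to the tenant's local time zone before comparing if your working hours are defined locally.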
Benefits of using M365 Manager Plus to track password changes by admins in Microsoft Entra ID
- Effortlessly create, save, and schedule custom reports with the filters of your choice. This helps you save precious business hours, as you can instantly fetch data for only the parameters you require instead of sifting through heaps of unorganized data.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
- Export the generated reports to CSV, PDF, XLSX, and HTML formats.
- Create and customize alert profiles that can email you alerts whenever an admin changes a user password in your environment.
- Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.
- Keep tabs on even the most granular user activities in your Microsoft 365 environment.
- Manage users, mailboxes, groups, sites, and contacts effortlessly and in bulk without PowerShell scripting.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.