How to track password changes by admins in Microsoft Entra ID
In Microsoft Entra ID (formerly Azure Active Directory), tracking changes made by admins is crucial to maintain a secure and compliant environment. One of the key activities to keep an eye on is password changes made by admins. While most password changes are legitimate, not all of them may be. Tracking suspicious password changes, especially those made beyond business hours, could help detect potential threat actors within your organization. Cybercriminals can gain unauthorized access to admin accounts and lock out other users by changing their credentials. They can also copy or modify data, compromising the security and privacy of your users in Microsoft Entra ID.
Identifying password changes by admins using Microsoft Entra ID and M365 Manager Plus
Identifying password changes by admins using the native Microsoft Entra admin center is time-consuming, as admins must specify the relevant filters each time. Additionally, admins are restricted to exporting the report to either CSV or JSON format.
ManageEngine M365 Manager Plus, a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can also be used to identify password changes by admins in Microsoft Entra ID.
The table below provides a comparison on how to identify password changes by admins using Microsoft Entra ID and M365 Manager Plus.
M365 Manager Plus
Steps to identify password changes by admins in Microsoft Entra ID using Windows PowerShell
- Log in to the Microsoft Entra admin center with at least a User Administrator account.
- Navigate to Identity > Users > All Users.
- Click Audit logs in the side pane to view every logged event in Microsoft Entra ID.
- Click the Activity filter.
- Select Reset password (by admin).
- Click Apply.
Note: You cannot save the filter configurations for reports that you generate in Microsoft Entra ID, and they can only be exported in CSV and JSON formats.
M365 Manager Plus
Steps to identify password changes by admins in Microsoft Entra ID using M365 Manager Plus
- Log in to M365 Manager Plus and navigate to the Reports tab > Azure Active Directory > Other Azure Reports > Azure AD Audit Logs > Azure AD User Audit Logs.
- Fill in the Microsoft 365 Tenant, the Domains, and the Period in which you want the login activity details, and click Generate Now.
- Click the
icon. From the first drop-down, click Activity Display Name, and from the second drop-down, click Contains. In the third field, enter admin, and click Filter to verify your results.
- If you wish to save this filtered report as a separate report, click Save as new report, provide a Report Name and Description, and click Save. You can find this report under My Reports > Custom Reports whenever you wish to generate it.
Note: Self-service password resets can also be tracked by filtering for the Reset password (self-service) activity in Microsoft Entra ID or by using the Recently Password Reset Users (Self-Service) report in M365 Manager Plus. Click here to learn more.
Create alerts for password changes by admins in Microsoft Entra ID using M365 Manager Plus
Both Microsoft Entra ID and M365 Manager Plus are capable of generating audit reports. While Microsoft 365 provides audit reports on password changes by admins, it won't alert you when an admin changes a user password.
M365 Manager Plus tackles this problem with custom alert profiles that can email you alerts as soon as your threshold is crossed. You can set alerts for untimely hours or unusual frequencies by following the steps mentioned below:
- Log in to M365 Manager Plus, navigate to Settings > Audit Configuration > Alert Profiles, and click Add Profile.
- Type in a Profile Name and Description for your audit profile.
- Select Azure Active Directory as your Microsoft 365 Service, choose Azure AD password as your Category, and select Reset user password under Actions.
- Assign the Severity based on how crucial this alert is.
- Configure an alert message using Macros to use specific variables in your alert message.
- Expand Advanced Configuration and check the Email every alert corresponding to this profile box to receive email alerts.
- In the Filter Settings tab, you can configure an Alerts Threshold to alert you when a certain event occurs above a certain frequency. Use the Business Hours Filter to monitor for any alerts outside of working hours and the Filter By Column option to format the report data you will receive in your alerts.
- Click Add to finish configuring alerts for password changes by admins in Microsoft Entra ID.
Limitations of using native tools to track password changes by admins in Microsoft Entra ID
- Reports have to be filtered every time they are generated, and the filters cannot be saved, which can become tedious if a filter is required to generate data that you require frequently.
- Administrators need to have the Reports Reader role assigned to them for viewing the audit logs in Microsoft Entra ID.
- Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
- There is no option to create an alert whenever an admin changes a user password.
Benefits of using M365 Manager Plus to track password changes by admins in Microsoft Entra ID
- Effortlessly create, save, and schedule custom reports with the filters of your choice. This helps you save precious business hours, as you can instantly fetch data for only the parameters you require instead of sifting through heaps of unorganized data.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
- Export the generated reports to CSV, PDF, XLSX, and HTML formats.
- Create and customize alert profiles that can email you alerts whenever an admin changes a user password in your environment.
- Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.
- Keep tabs on even the most granular user activities in your Microsoft 365 environment.
- Manage users, mailboxes, groups, sites, and contacts effortlessly and in bulk without PowerShell scripting.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.
Effortlessly schedule and export reports on your Microsoft 365 environment.
Streamline your Microsoft 365 governance and administration with M365 Manager Plus
Get Your Free TrialRelated Resources
-
Entra ID administration
- How to create custom roles in Microsoft Entra ID
- How to setup SSO in Microsoft Entra ID
- How to configure Conditional Access in Microsoft Entra ID
- What is Microsoft Entra ID?
- What are Microsoft Entra ID administrative units
- How to configure external authentication methods in Microsoft Entra ID
- How to set up self-service group management in Entra ID
- How to takeover unmanaged directory as administrator
- How to change authentication type of subdomain
- What is self-service signup in Entra ID
- Delete a tenant in Microsoft Entra ID
- Manage custom domain names in Microsoft Entra ID
- Multi-tenant organization interaction
-
Entra ID auditing and reporting
-
Entra ID bulk user management
-
Entra ID dynamic groups
-
Entra ID group management
- How to enforce naming policy on Microsoft 365 groups in Entra ID
- How to clean up resources related to all user groups
- How to create basic groups and add members in Entra ID
- Group management cmdlets
- How to add group to another group in Entra ID
- How to delete a group in Entra ID
- How to remove a group from another group in Entra ID
- Check import status
- Edit group settings in Entra ID
- Migrate users with individual licenses to groups
- Restore deleted groups in Microsoft Entra ID
- Set expiration for Microsoft 365 groups in Entra ID
-
Entra ID group membership
- How to utilize Microsoft Entra groups in Entra ID
- How to add group members in Entra ID
- How to add group owners in Microsoft Entra ID
- How to add or remove group member automatically in Entra ID
- How to create group of guest users using native admin center
- How to manage groups and group memberships in Entra ID
- How to remove guests from all user groups in Entra ID
- How to utilize groups and administrator roles in Entra ID
- Add or remove a group from another group in Entra ID
- Bulk group members addition in Entra ID
- Bulk remove group members from Entra ID groups
- How to remove members/owners of a group in Entra ID
-
Entra ID group reports
-
Entra ID license management
- How to automate inactive license management for Entra ID users
- How to change license assignments for user in Entra ID
- How to assign licenses to groups in Entra ID
- How to leverage group-based licensing for optimizing license management in Entra ID
- License assignment troubleshooting
- Assign licenses in Microsoft Entra ID
- Azure AD license membership modification
- Remove licenses in Microsoft Entra ID
- View license plans and details in Microsoft Entra ID
-
Entra ID User management
- How to manage permissions using access reviews in Microsoft Entra ID
- How to restrict guest access permissions in Entra ID
- How to clean up unmanaged Microsoft Entra accounts
- How to assign custom security attributes to users in Entra ID
- How to clean up stale accounts using access reviews
- How to share accounts with Entra ID
- How to update custom security attributes to users in Entra ID
- Add guest users
- Add users to Azure AD
- Assign user roles with Entra ID
- Close user account in an unmanaged Microsoft Entra organization
- How to revoke user access in Microsoft Entra ID using PowerShell
- Microsoft 365 delete users
- Remove custom security attribute assignments from users
-
Entra ID user reports
- How to monitor risky sign-ins in Microsoft Entra ID
- License usage reports in Microsoft Entra ID
- How to get the last logon date of users in Microsoft Entra ID
- How to view Microsoft 365 login attempts using PowerShell and Microsoft Entra ID
- How to report the MFA status for users in Microsoft Entra ID
- How to monitor recently created users in Entra ID
- Track password changes by admins in Microsoft Entra ID
- How to monitor user role changes in Entra ID
- How to track self-service password resets in Microsoft Entra ID
- How to create custom sign-in reports in Entra ID
- How to find deleted users in Entra ID
- How to verify deleted users in Entra ID
- Filter users based on custom security attributes
- Download Microsoft 365 user list
-
Entra ID workbooks
- How to create custom Microsoft Entra ID workbooks
- What are Microsoft Entra ID workbooks
- How to handle privilege escalation in Microsoft Entra ID
- How to monitor risky sign-ins using Microsoft Entra ID workbooks
- How to monitor your Microsoft 365 MFA setup using Entra ID workbooks
- How to audit for app permission threats with Microsoft Entra workbooks
- Conditional Access Gap Analyzer workbook in Microsoft Entra ID
-
Exchange Online administration
- How to change deleted items retention for Exchange Online mailboxes
- How to change the branding of clutter notifications in Exchange Online
- How to configure message delivery restrictions for Exchange Online mailboxes
- How to configure moderated recipients in Exchange Online
- How to create user mailboxes in Exchange Online
- How to enable and disable MAPI for a mailbox in Exchange Online
- How to enable or disable Outlook on the web for a mailbox in Exchange Online
- How to manage mail contacts in Exchange Online
- How to manage permissions for recipients in Exchange Online
- How to manage resource mailbox in Exchange Online
- How to save sent items in a delegators mailbox in Exchange Online
- How to create and edit shared mailboxes in Exchange Online
- How to add or remove email address for a mailbox in Exchange Online
- How to configure email forwarding for a mailbox in Exchange Online
- How to convert a mailbox in Exchange Online
- How to delete or restore user mailboxes in Exchange Online
- How to manage user mailboxes in Exchange Online
-
Exchange Online groups
- Create and manage groups in Exchange admin center in Exchange Online
- How to create and manage distribution list groups in Exchange Online
- How to create and manage dynamic distribution list groups in Exchange Online
- How to create distribution group naming policy in Exchange Online
- How to manage guest access to Microsoft 365 groups in Exchange Online
- How to manage role groups in Exchange Online
- How to override the distribution group naming policy in Exchange Online
- How to view members of a distribution group in Exchange Online
-
Microsoft Teams
-
Public Folders
- Create public folder calendar in Exchange Online
- How to restore deleted public folder in Exchange Online
- How to setup public folders in new organization
- Migrate public folders to Microsoft 365 groups in Exchange Online
- Recover deleted public folder mailbox in Exchange Online
- How to mail-enable and mail-disable public folders in Exchange Online