msgraph-sdk-powershell

Update-MgUserPassword expects password as a string value

Open alexandair opened this issue 10 months ago • 6 comments

Describe the bug

The Update-MgUserPassword command's parameters, -CurrentPassword and -NewPassword, expect a string value instead of a securestring value.

Expected behavior

Password-related parameters shouldn't expect string values.

How to reproduce

Get-Command Update-MgUserPassword -Syntax

SDK Version

No response

Latest version known to work for scenario above?

2.25.0

Known Workarounds

No response

Debug output

Configuration

No response

Other information

No response

alexandair avatar Feb 11 '25 21:02 alexandair

@alexandair as per the documentation here the parameters are of string type and that is what has been defined in the Open API provided by the service owner. PowerShell's code generator (AutoREST) design is to generate SDKs as per the API descriptions.

timayabi2020 avatar Feb 12 '25 12:02 timayabi2020

API descriptions are not set in stone. Having password-related parameters in PowerShell as strings is just wrong. Period.

If Update-EntraSignedInUserPassword could do it correctly and work with SecureString values, so could Update-MgUserPassword.

alexandair avatar Feb 12 '25 12:02 alexandair
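An added example, not code from the SDK or from any participant in this thread: a caller-side wrapper that accepts SecureString values and converts them to the strings Update-MgUserPassword expects only at the moment of the call. The function name `Update-MgUserPasswordSecure` is hypothetical; it assumes an existing `Connect-MgGraph` session.

```powershell
# Added example. Update-MgUserPasswordSecure is a hypothetical wrapper name.
function Update-MgUserPasswordSecure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $UserId,
        [Parameter(Mandatory)] [securestring] $CurrentPassword,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # NetworkCredential decrypts a SecureString on both Windows PowerShell 5.1
    # and PowerShell 7, so the wrapper does not depend on
    # ConvertFrom-SecureString -AsPlainText (PowerShell 7 only).
    $toPlain = {
        param([securestring] $Secure)
        [System.Net.NetworkCredential]::new('', $Secure).Password
    }

    if ($PSCmdlet.ShouldProcess($UserId, 'Change password')) {
        # The plain-text values exist only as argument expressions here; they
        # are never assigned to a named variable in the caller's scope.
        # The SDK still receives System.String, so this narrows the exposure
        # to this call rather than removing it.
        Update-MgUserPassword -UserId $UserId `
            -CurrentPassword (& $toPlain $CurrentPassword) `
            -NewPassword     (& $toPlain $NewPassword) `
            -ErrorAction Stop
    }
}

# Usage: prompt for both values so no password is typed on a command line
# or stored in a script file.
# $current = Read-Host -Prompt 'Current password' -AsSecureString
# $new     = Read-Host -Prompt 'New password' -AsSecureString
# Update-MgUserPasswordSecure -UserId '<user id>' -CurrentPassword $current -NewPassword $new
```

The wrapper changes only what the caller handles; the cmdlet's own parameters remain strings, which is the behaviour this issue reports.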

> PowerShell's code generator (AutoREST) design is to generate SDKs as per the API descriptions.

Attributing every instance where this module deviates from idiomatic PowerShell to the service owner, AutoREST, or API descriptions is counterproductive. If the goal is to deliver a robust PowerShell SDK, rather than merely checking a box on a list, there is significant room for improvement.

The AzureAD and MSOL modules have been great, but the experiences with their successor Microsoft.Graph have been nothing but catastrophic!

danielniccoli avatar Feb 12 '25 15:02 danielniccoli

SDK team, this issue needs to be fixed ASAP. The comment about hiding behind "it's the API owner's fault" reason is accurate. I see it far too often. The SDK team needs to take ownership and drive resolution of the problem from start to finish. I really don't care about which group in Microsoft "owns" an API. All I care about is better security.

12Knocksinna avatar Feb 12 '25 16:02 12Knocksinna

It's more than just Update-MgUserPassword. Update-MgUser also needs to be updated.

Microsoft Graph PowerShell SDK Needs to Fix Its Password Problem

The Microsoft Graph PowerShell SDK offers developers easy access to data across the Microsoft 365 ecosystem and that’s good. However, there’s a problem with Graph SDK plain text passwords that must be fixed. In today’s threat climate, passwords should be passed as secure strings. It’s a small but important step to improve overall security.

https://office365itpros.com/2025/02/14/graph-sdk-plain-text-passwords/

12Knocksinna avatar Feb 14 '25 10:02 12Knocksinna

Here is a, probably incomplete, list of commands with password-related parameters that expect a string or a passwordProfile value.

Key              Type                                                             Command
---              ----                                                             -------
PasswordProfile  Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPasswordProfile New-MgUser
PasswordProfile  Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPasswordProfile Update-MgUser

Key              Type                                                                  Command
---              ----                                                                  -------
PasswordProfile  Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile New-MgBetaUser
PasswordProfile  Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile Update-MgBetaUser

Key             Type          Command
---             ----          -------
Password        System.String Invoke-MgInviteUserDriveItem
Password        System.String Invoke-MgInviteUserDriveRoot
Password        System.String New-MgUserDriveItemLink
Password        System.String New-MgUserDriveItemListItemLink
Password        System.String New-MgUserDriveListItemLink
Password        System.String New-MgUserDriveRootLink
Password        System.String New-MgUserDriveRootListItemLink
NewPassword     System.String Reset-MgUserAuthenticationMethodPassword
Password        System.String Test-MgUserDriveItemPermission
Password        System.String Test-MgUserDriveRootPermission
CurrentPassword System.String Update-MgUserPassword
NewPassword     System.String Update-MgUserPassword

Key             Type                                                                  Command
---             ----                                                                  -------
PasswordProfile Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile Convert-MgBetaUserExternalToInternalMemberUser
Password        System.String                                                         Invoke-MgBetaInviteUserDriveItem
Password        System.String                                                         Invoke-MgBetaInviteUserDriveRoot
Password        System.String                                                         New-MgBetaUserDriveItemLink
Password        System.String                                                         New-MgBetaUserDriveItemListItemLink
Password        System.String                                                         New-MgBetaUserDriveListItemLink
Password        System.String                                                         New-MgBetaUserDriveRootLink
Password        System.String                                                         New-MgBetaUserDriveRootListItemLink
NewPassword     System.String                                                         Reset-MgBetaUserAuthenticationMethodPassword
Password        System.String                                                         Test-MgBetaUserDriveItemPermission
Password        System.String                                                         Test-MgBetaUserDriveRootPermission
Password        System.String                                                         Test-MgBetaUserPassword
CurrentPassword System.String                                                         Update-MgBetaUserPassword
NewPassword     System.String                                                         Update-MgBetaUserPassword

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgUploadIdentityApiConnectorClientCertificate
Password System.String Invoke-MgUploadIdentityB2XUserFlowApiConnectorConfigurationPostAttributeCollectionClientCertificate
Password System.String Invoke-MgUploadIdentityB2XUserFlowApiConnectorConfigurationPostFederationSignupClientCertificate

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgBetaUploadIdentityApiConnectorClientCertificate
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPostAttributeCollectionClientCertificate     
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPostFederationSignupClientCertificate
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPreTokenIssuanceClientCertificate
Password System.String Invoke-MgBetaUploadTrustFrameworkKeySetPkcs12   

Key      Type          Command
---      ----          -------
Password System.String Update-MgBetaDeviceAppMgtSymantecCodeSigningCertificate
Password System.String Update-MgBetaDeviceAppManagementSymantecCodeSigningCertificate

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgInviteGroupDriveItem
Password System.String Invoke-MgInviteGroupDriveRoot
Password System.String New-MgGroupDriveItemLink
Password System.String New-MgGroupDriveItemListItemLink
Password System.String New-MgGroupDriveListItemLink
Password System.String New-MgGroupDriveRootLink
Password System.String New-MgGroupDriveRootListItemLink
Password System.String New-MgGroupSiteListItemLink
Password System.String Test-MgGroupDriveItemPermission
Password System.String Test-MgGroupDriveRootPermission

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgBetaInviteGroupDriveItem
Password System.String Invoke-MgBetaInviteGroupDriveRoot
Password System.String New-MgBetaGroupDriveItemLink
Password System.String New-MgBetaGroupDriveItemListItemLink
Password System.String New-MgBetaGroupDriveListItemLink
Password System.String New-MgBetaGroupDriveRootLink
Password System.String New-MgBetaGroupDriveRootListItemLink
Password System.String New-MgBetaGroupSiteListItemLink
Password System.String Test-MgBetaGroupDriveItemPermission
Password System.String Test-MgBetaGroupDriveRootPermission

alexandair avatar Feb 14 '25 19:02 alexandair
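An added example, not the script used to produce the list above: one way to audit imported Graph modules for password-related parameters that are not typed as SecureString or PSCredential, emitting the same Key/Type/Command columns. The function name `Get-PlainTextPasswordParameter` is hypothetical.

```powershell
# Added example. Get-PlainTextPasswordParameter is a hypothetical helper name.
function Get-PlainTextPasswordParameter {
    [CmdletBinding()]
    param(
        # Module name or wildcard. Import the modules first: commands that
        # were only discovered, not loaded, expose no parameter metadata.
        [string[]] $Module = 'Microsoft.Graph*'
    )

    $safeTypes = @([securestring], [pscredential])

    foreach ($cmd in Get-Command -Module $Module -CommandType Cmdlet, Function) {
        if (-not $cmd.Parameters) { continue }   # module not imported yet

        foreach ($p in $cmd.Parameters.Values) {
            # Matches Password, NewPassword, CurrentPassword and PasswordProfile.
            if ($p.Name -notmatch 'Password') { continue }
            if ($safeTypes -contains $p.ParameterType) { continue }

            [pscustomobject]@{
                Key     = $p.Name
                Type    = $p.ParameterType.FullName
                Command = $cmd.Name
            }
        }
    }
}

# Usage: resolve the module that ships Update-MgUserPassword, import it,
# then list its plain-text password parameters.
$module = (Get-Command Update-MgUserPassword -ErrorAction Stop).Source
Import-Module $module
Get-PlainTextPasswordParameter -Module $module |
    Sort-Object Command, Key |
    Format-Table -AutoSize
```

Running the same check after each SDK upgrade shows whether any of these parameters have changed type.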