NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.9 Allow Temporary Password Use for System Logons with an Immediate Change to a Permanent Password

Allow temporary password use for system logons with an immediate change to a permanent password.

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

When you give someone a temporary password — for a new account or after a password reset — the system should force them to change it on their first login. A temporary password is a known shared secret between IT and the user, so it should not persist any longer than absolutely necessary.

Example 1: In Active Directory Users and Computers, when resetting a user's password, check the box "User must change password at next logon." This is a checkbox directly on the password reset dialog. Make it a standard operating procedure that your helpdesk always checks this box — never skip it.
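One way to make the Example 1 procedure impossible to skip is to give the helpdesk a scripted reset instead of the dialog. The following is an added example, not part of the original page: the function names New-TempPassword and Reset-PasswordWithForcedChange are hypothetical, and it assumes the ActiveDirectory (RSAT) module and an operator account with rights to reset passwords.

```powershell
#Requires -Modules ActiveDirectory
# Added example: helpdesk reset wrapper. Both function names are hypothetical.

function New-TempPassword {
    param([int]$Length = 16)
    # 64-character alphabet, so each random byte maps onto it without modulo bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
            # Retry until upper, lower and digit are all present (default AD complexity).
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        return $pw
    } finally { $rng.Dispose() }
}

function Reset-PasswordWithForcedChange {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires
    # "Change at next logon" cannot be set while the password is flagged never to expire.
    if ($user.PasswordNeverExpires) {
        throw "$Identity has PasswordNeverExpires set; clear it before issuing a temporary password."
    }
    if (-not $PSCmdlet.ShouldProcess($Identity, 'Reset password and force change at next logon')) { return }

    $temp   = New-TempPassword
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

    # Verify: the checkbox is stored as pwdLastSet = 0 on the account.
    $check = Get-ADUser -Identity $user -Properties pwdLastSet
    if ($check.pwdLastSet -ne 0) { throw "Forced-change flag was not set for $Identity." }

    # Returned once so the operator can relay it; it is not written to disk or logs.
    [pscustomobject]@{
        SamAccountName    = $check.SamAccountName
        TemporaryPassword = $temp
        MustChangeAtLogon = $true
    }
}
```

Run it with -WhatIf first to confirm the target account. The pwdLastSet check is what turns "always tick the box" from a habit into something the script verifies.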

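Example 2: In the M365 Admin Center under Users > Active Users, select the user and click Reset Password. Ensure the toggle "Require this user to change their password when they first sign in" is set to On. For bulk operations via PowerShell, use Set-MsolUserPassword -UserPrincipalName user@contoso.com -ForceChangePassword $true. Note that Set-MsolUserPassword belongs to the MSOnline module, which Microsoft has deprecated in favor of Microsoft Graph PowerShell, so confirm the module is still usable in your tenant before building a procedure around it.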