
Update-MgUserPassword expects password as a string value #3119


Open
alexandair opened this issue Feb 11, 2025 · 6 comments · May be fixed by #3251

Comments

@alexandair
Contributor

Describe the bug

The Update-MgUserPassword command's parameters, -CurrentPassword and -NewPassword, expect a string value instead of a securestring value.

Expected behavior

Password-related parameters shouldn't expect string values.

How to reproduce

Get-Command Update-MgUserPassword -Syntax

SDK Version

No response

Latest version known to work for scenario above?

2.25.0

Known Workarounds

No response

Debug output



Configuration

No response

Other information

No response
@alexandair alexandair added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Feb 11, 2025
@timayabi2020
Contributor

@alexandair as per the documentation here the parameters are of string type and that is what has been defined in the Open API provided by the service owner. PowerShell's code generator (AutoREST) design is to generate SDKs as per the API descriptions.

@timayabi2020 timayabi2020 added Status: Won't Fix Question: SDK Question: API status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned Status: Won't Fix type:bug A broken experience labels Feb 12, 2025
@alexandair
Contributor Author

API descriptions are not set in stone.
Having password-related parameters in PowerShell as strings is just wrong. Period.

If Update-EntraSignedInUserPassword could do it correctly and work with SecureString values, so could Update-MgUserPassword.
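
The behaviour requested in this issue can be approximated today with a thin wrapper that takes SecureString values and converts them only at the point of the SDK call. This is an added example, not code from the SDK or from any commenter; the function name `Update-MgUserPasswordSecure` is hypothetical, and it assumes the Microsoft.Graph.Users.Actions module is installed and a Graph session is connected.

```powershell
# Added example: SecureString front end for Update-MgUserPassword.
# The wrapper name is hypothetical; -UserId, -CurrentPassword and -NewPassword
# are the SDK cmdlet's own parameters.
function Update-MgUserPasswordSecure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][securestring]$CurrentPassword,
        [Parameter(Mandatory)][securestring]$NewPassword
    )

    if (-not $PSCmdlet.ShouldProcess($UserId, 'Change password')) { return }

    # NetworkCredential exposes the plain text of a SecureString on both
    # Windows PowerShell 5.1 and PowerShell 7+.
    $current = [System.Net.NetworkCredential]::new('', $CurrentPassword).Password
    $new     = [System.Net.NetworkCredential]::new('', $NewPassword).Password

    try {
        # The SDK cmdlet still receives System.String values, so the plain text
        # exists in process memory and in the request body for this call.
        Update-MgUserPassword -UserId $UserId -CurrentPassword $current -NewPassword $new
    }
    finally {
        # Drops the references only; .NET strings cannot be zeroed in place.
        $current = $new = $null
    }
}

# Usage (prompts mask the input, so nothing lands in history or transcripts):
#   $old = Read-Host -AsSecureString -Prompt 'Current password'
#   $new = Read-Host -AsSecureString -Prompt 'New password'
#   Update-MgUserPasswordSecure -UserId 'user@contoso.example' -CurrentPassword $old -NewPassword $new
```

The wrapper keeps the password out of the typed command line, PSReadLine history and session transcripts; it does not change what the SDK cmdlet itself handles.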

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Feb 12, 2025
@danielniccoli

danielniccoli commented Feb 12, 2025

> PowerShell's code generator (AutoREST) design is to generate SDKs as per the API descriptions.

Attributing every instance where this module deviates from idiomatic PowerShell to the service owner, AutoREST, or API descriptions is counterproductive. If the goal is to deliver a robust PowerShell SDK, rather than merely checking a box on a list, there is significant room for improvement.

The AzureAD and MSOL modules have been great, but the experiences with their successor Microsoft.Graph have been nothing but catastrophic!

@12Knocksinna

SDK team, this issue needs to be fixed ASAP. The comment about hiding behind "it's the API owner's fault" reason is accurate. I see it far too often. The SDK team needs to take ownership and drive resolution of the problem from start to finish. I really don't care about which group in Microsoft "owns" an API. All I care about is better security.

@timayabi2020 timayabi2020 added the type:security Security, or privacy issue label Feb 13, 2025
@12Knocksinna

12Knocksinna commented Feb 14, 2025

It's more than just Update-MgUserPassword. Update-MgUser also needs to be updated.

Microsoft Graph PowerShell SDK Needs to Fix Its Password Problem

The Microsoft Graph PowerShell SDK offers developers easy access to data across the Microsoft 365 ecosystem and that’s good. However, there’s a problem with Graph SDK plain text passwords that must be fixed. In today’s threat climate, passwords should be passed as secure strings. It’s a small but important step to improve overall security.

https://office365itpros.com/2025/02/14/graph-sdk-plain-text-passwords/

@alexandair
Contributor Author

Here is a, probably incomplete, list of commands with password-related parameters that expect a string or a passwordProfile value.

Key              Type                                                             Command
---              ----                                                             -------
PasswordProfile  Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPasswordProfile New-MgUser
PasswordProfile  Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPasswordProfile Update-MgUser

Key              Type                                                                  Command
---              ----                                                                  -------
PasswordProfile  Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile New-MgBetaUser
PasswordProfile  Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile Update-MgBetaUser

Key             Type          Command
---             ----          -------
Password        System.String Invoke-MgInviteUserDriveItem
Password        System.String Invoke-MgInviteUserDriveRoot
Password        System.String New-MgUserDriveItemLink
Password        System.String New-MgUserDriveItemListItemLink
Password        System.String New-MgUserDriveListItemLink
Password        System.String New-MgUserDriveRootLink
Password        System.String New-MgUserDriveRootListItemLink
NewPassword     System.String Reset-MgUserAuthenticationMethodPassword
Password        System.String Test-MgUserDriveItemPermission
Password        System.String Test-MgUserDriveRootPermission
CurrentPassword System.String Update-MgUserPassword
NewPassword     System.String Update-MgUserPassword

Key             Type                                                                  Command
---             ----                                                                  -------
PasswordProfile Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphPasswordProfile Convert-MgBetaUserExternalToInternalMemberUser
Password        System.String                                                         Invoke-MgBetaInviteUserDriveItem
Password        System.String                                                         Invoke-MgBetaInviteUserDriveRoot
Password        System.String                                                         New-MgBetaUserDriveItemLink
Password        System.String                                                         New-MgBetaUserDriveItemListItemLink
Password        System.String                                                         New-MgBetaUserDriveListItemLink
Password        System.String                                                         New-MgBetaUserDriveRootLink
Password        System.String                                                         New-MgBetaUserDriveRootListItemLink
NewPassword     System.String                                                         Reset-MgBetaUserAuthenticationMethodPassword
Password        System.String                                                         Test-MgBetaUserDriveItemPermission
Password        System.String                                                         Test-MgBetaUserDriveRootPermission
Password        System.String                                                         Test-MgBetaUserPassword
CurrentPassword System.String                                                         Update-MgBetaUserPassword
NewPassword     System.String                                                         Update-MgBetaUserPassword

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgUploadIdentityApiConnectorClientCertificate
Password System.String Invoke-MgUploadIdentityB2XUserFlowApiConnectorConfigurationPostAttributeCollectionClientCertificate
Password System.String Invoke-MgUploadIdentityB2XUserFlowApiConnectorConfigurationPostFederation#ClientCertificate

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgBetaUploadIdentityApiConnectorClientCertificate
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPostAttributeCollectionClientCertificate     
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPostFederation#ClientCertificate
Password System.String Invoke-MgBetaUploadIdentityB2XUserFlowApiConnectorConfigurationPreTokenIssuanceClientCertificate
Password System.String Invoke-MgBetaUploadTrustFrameworkKeySetPkcs12   

Key      Type          Command
---      ----          -------
Password System.String Update-MgBetaDeviceAppMgtSymantecCodeSigningCertificate
Password System.String Update-MgBetaDeviceAppManagementSymantecCodeSigningCertificate

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgInviteGroupDriveItem
Password System.String Invoke-MgInviteGroupDriveRoot
Password System.String New-MgGroupDriveItemLink
Password System.String New-MgGroupDriveItemListItemLink
Password System.String New-MgGroupDriveListItemLink
Password System.String New-MgGroupDriveRootLink
Password System.String New-MgGroupDriveRootListItemLink
Password System.String New-MgGroupSiteListItemLink
Password System.String Test-MgGroupDriveItemPermission
Password System.String Test-MgGroupDriveRootPermission

Key      Type          Command
---      ----          -------
Password System.String Invoke-MgBetaInviteGroupDriveItem
Password System.String Invoke-MgBetaInviteGroupDriveRoot
Password System.String New-MgBetaGroupDriveItemLink
Password System.String New-MgBetaGroupDriveItemListItemLink
Password System.String New-MgBetaGroupDriveListItemLink
Password System.String New-MgBetaGroupDriveRootLink
Password System.String New-MgBetaGroupDriveRootListItemLink
Password System.String New-MgBetaGroupSiteListItemLink
Password System.String Test-MgBetaGroupDriveItemPermission
Password System.String Test-MgBetaGroupDriveRootPermission
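
An inventory like the one above can be regenerated against whatever SDK version is installed, which is useful for checking whether a later release changes any of these parameter types. This is an added example, not the script used by the commenter or by the project; the function name `Get-PlainTextPasswordParameter`, the `Microsoft.Graph*` module pattern and the `Password` name pattern are assumptions.

```powershell
# Added example: list commands whose password-like parameters are not typed
# as SecureString or PSCredential. Function name and defaults are hypothetical.
function Get-PlainTextPasswordParameter {
    [CmdletBinding()]
    param(
        # Wildcard for the modules to audit (assumed SDK module prefix).
        [string]$Module = 'Microsoft.Graph*',
        # Regex that marks a parameter name as password-related.
        [string]$NamePattern = 'Password'
    )

    $secureTypes = [securestring], [pscredential]

    Get-Command -Module $Module -CommandType Cmdlet, Function |
        ForEach-Object {
            $command = $_
            # Reading .Parameters loads the owning module, so a full audit is slow.
            # It can be $null when a command fails to resolve; skip those.
            if (-not $command.Parameters) { return }

            foreach ($entry in $command.Parameters.GetEnumerator()) {
                if ($entry.Key -notmatch $NamePattern) { continue }

                $type = $entry.Value.ParameterType
                if ($type -in $secureTypes) { continue }

                # Anything left takes the secret as a string or as a model
                # object (such as a password profile) instead of a SecureString.
                [pscustomobject]@{
                    Key     = $entry.Key
                    Type    = $type.FullName
                    Command = $command.Name
                    Module  = $command.ModuleName
                }
            }
        }
}

Get-PlainTextPasswordParameter |
    Sort-Object Module, Command, Key |
    Format-Table Key, Type, Command -GroupBy Module
```

Run it once per SDK upgrade and diff the output to see which parameters have moved to SecureString.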

@timayabi2020 timayabi2020 self-assigned this Feb 20, 2025
@timayabi2020 timayabi2020 linked a pull request Apr 1, 2025 that will close this issue