Blog/How to Automate Password Resets in ServiceNow with Microsoft 365
ServiceNowMicrosoft 365AutomationPassword Reset

How to Automate Password Resets in ServiceNow with Microsoft 365

April 2, 20268 min readBy Brad McCorkle, Founder & CEO, Lesos AI

Password reset automation is the process of using APIs and workflow engines to automatically resolve password reset requests from an IT service management platform like ServiceNow, eliminating manual intervention by helpdesk analysts. When integrated with Microsoft 365 via the Microsoft Graph API, a password reset can be executed in under one second — compared to the 10–15 minutes it takes a human.

Password resets are the single most common IT support ticket in almost every organization. Industry data consistently puts them at 20–30% of total helpdesk volume. Each one takes 5–15 minutes of analyst time, and the user is blocked until it is done. Multiply that by hundreds of tickets per month and the cost adds up fast.

The good news: password resets are also the easiest ticket to automate. The request follows a predictable pattern, the resolution is a single API call, and the risk is low. If you are running ServiceNow and Microsoft 365, you already have everything you need to eliminate this category of ticket entirely.

The Cost of Manual Password Resets

Before building anything, it helps to quantify the problem. Here is a realistic scenario for a mid-size organization:

  • 400 password reset tickets per month
  • Average handling time: 10 minutes per ticket (including verification, reset, and ticket update)
  • L1 analyst fully loaded cost: $35/hour
  • Monthly cost: 400 × 10 min × ($35/60) = $2,333/month = $28,000/year
  • User downtime: 400 × 30 min average wait = 200 hours of lost productivity per month

That is nearly $28,000 per year in analyst time alone — not counting the productivity lost while users sit idle waiting for their password to be reset. For larger organizations with thousands of employees, this number scales linearly.

Option 1: Self-Service Password Reset (SSPR)

Microsoft Entra ID (formerly Azure AD) includes Self-Service Password Reset as part of Azure AD Premium P1 licensing. If you have it, you should enable it. SSPR lets users reset their own passwords through a web portal or the Windows login screen after verifying their identity via MFA.

  • Requires Azure AD Premium P1 or P2 (included in M365 E3/E5)
  • Users must pre-register authentication methods (phone, authenticator app, email)
  • Works for cloud-native and hybrid (with password writeback) environments
  • Typically captures 40–60% of password reset requests after rollout

SSPR is a strong first step, but it does not eliminate the problem. Users who have not registered, who have lost access to all their MFA methods, or who are locked out of their device still generate tickets. The remaining 40–60% still land in your ServiceNow queue.

Option 2: ServiceNow Flow Designer with Microsoft Graph API

For tickets that still come in, you can build automation directly in ServiceNow using Flow Designer. The approach is straightforward: detect a password reset incident, verify the requester, call the Microsoft Graph API to reset the password, and update the ticket.

Step 1 — Register an App in Azure AD

Create an app registration in Microsoft Entra ID with the User.ReadWrite.All application permission (or UserAuthenticationMethod.ReadWrite.All for more granular control). Generate a client secret and store it securely.

Step 2 — Create a REST Message in ServiceNow

In ServiceNow, create an Outbound REST Message pointing to the Microsoft Graph API. You will need two HTTP methods:

  • POST to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token — to get an access token
  • PATCH to https://graph.microsoft.com/v1.0/users/{userId} — to reset the password with { "passwordProfile": { "forceChangePasswordNextSignIn": true, "password": "{generatedPassword}" } }

Step 3 — Build the Flow

In Flow Designer, create a flow triggered by incident creation. Add conditions to match password reset requests (short description contains "password reset", category equals "Access", etc.). The flow should:

  • Extract the affected user from the incident
  • Look up their Azure AD user ID via Graph API
  • Generate a temporary password meeting your complexity requirements
  • Call the Graph API to set the new password
  • Add a work note to the incident with the temporary password (or send it via a secure channel)
  • Resolve and close the incident

This approach works but requires significant ServiceNow development expertise, ongoing maintenance of the OAuth token flow, and careful error handling. If the Graph API call fails, the flow needs retry logic and a fallback to human assignment. Most teams underestimate the maintenance burden.

Option 3: AI-Powered Ticket Resolution

The limitation of rule-based automation (Option 2) is that it relies on exact pattern matching. If the ticket says "I forgot my password" instead of "password reset," or if the affected user field is not populated, the flow does not trigger. Real-world tickets are messy — typos, vague descriptions, missing fields.

AI-powered automation solves this by reading the ticket the way a human would. Instead of matching keywords, it understands intent. "I can't log in," "my password expired," "account locked out," and "need password changed" all resolve to the same action: reset the user's password.

This is the approach we built into Support Team. It monitors your ServiceNow queue, uses Azure OpenAI to understand each ticket, identifies the affected user, and executes the password reset through Microsoft Graph API — automatically. No flow designer configuration, no regex patterns, no maintenance when ticket templates change.

Which Approach Should You Use?

  • Start with SSPR if you have not enabled it yet — it is free with your existing M365 license and handles the majority of cases.
  • Add Flow Designer automation if you have ServiceNow Platform Admin expertise in-house and want to handle the remaining tickets with custom logic.
  • Use an AI-powered solution like Support Team if you want to catch all password reset variations without maintaining automation rules, and if password resets are just one of many L1 ticket types you want to automate.

Frequently Asked Questions

Can I automate password resets without ServiceNow?

Yes. The Microsoft Graph API works independently of any ITSM platform. You can trigger password resets from Power Automate, Azure Logic Apps, or custom scripts. However, integrating with ServiceNow ensures the ticket is automatically updated and closed, maintaining your audit trail.

Is automated password reset safe for compliance?

Automated password resets are safe when identity verification is built into the workflow. The forceChangePasswordNextSignIn flag ensures the temporary password is single-use. Combined with an audit log of every reset, this meets SOC 2 and ISO 27001 requirements for access management.

What permissions does the Graph API app need for password resets?

The minimum permission is UserAuthenticationMethod.ReadWrite.All (application type). User.ReadWrite.All also works but is broader than necessary. Both require admin consent from a Global Administrator.

Automate Password Resets and 20+ Other IT Operations

Support Team uses AI to resolve L1 tickets across your ServiceNow and Microsoft 365 environment — password resets, license assignments, MFA resets, mailbox permissions, and more. No scripting required.

See How It Works

Related articles

IT OperationsITSM

How to Reduce L1 Ticket Volume Without Adding Headcount

10 min read

ServiceNowMicrosoft 365

ServiceNow and Microsoft 365 Integration: A Practical Guide for IT Teams

12 min read

All articles