There are cases when you forget the local admin password of a machine. Or worse, someone changes your password, such as a threat actor in a cybersecurity incident. This happens, and I’ve been there a few times, where a threat actor started resetting all the admins’ passwords to effectively cut them off so they couldn’t stop the ongoing attack.

With Azure VMs, it is possible to reset passwords directly from the Azure portal, either by running a PowerShell script through the Custom Script Extension or by entering a command in the Run command blade. Both mechanisms execute on the VM as Local System, so this works for a local admin account and also for a domain admin account if the VM in question is a domain controller.

How to reset an Azure VM local admin password

As I mentioned earlier, there are two options.

  1. Reset using a PowerShell script
  2. Reset using the Run command

Reset domain admin password using a PowerShell script

To reset a domain admin password, use the command net user username 'Pa$$sw0rd' /y, replacing username with the username of the account you want to reset the password on, and replacing Pa$$sw0rd with the password you want to set for that account. Keep the password in single quotes: in PowerShell an unquoted Pa$$sw0rd is expanded before net user ever sees it ($$ is an automatic variable), so the account would end up with a password other than the one you typed. The /y switch suppresses the interactive confirmation net user asks for when the password is longer than 14 characters; without it, a script that nobody can answer simply hangs. On a domain controller, net user operates on the domain database, which is why the same command resets a domain account there.

Save this command in a file called, for example, ResetAdminPassword.ps1.

In the Azure portal, find the VM you want to run this script on and open Extensions + Applications in the menu. In the list of applications and extensions, find Custom Script Extension and on the next page, upload the previously created password reset script. Uploading the script requires a storage account. You can use an existing storage account or create a new one. Keep in mind that the uploaded script, including the plaintext password, remains in that storage account until you delete it, so remove it as soon as the reset has succeeded.

Then just wait until Provisioning succeeded appears for the extension and you can log in to the VM using the newly set password.

Reset domain admin password using the Run command

An even simpler option is the Run command in the Azure portal.

Find the VM you want to reset the password on and go to Run command in the menu. Select RunPowerShellScript from the menu and enter the command net user username 'Pa$$sw0rd' /y, replacing username with the username of the account you want to reset the password for, and replacing Pa$$sw0rd with the password you want to set for that account. The same quoting and /y caveats apply here as for the script.

After the command completes successfully, you can log on to the VM using the newly set password. Note that the script text and its output stay visible in the Run command blade until the next run, and the invocation itself is recorded in the Activity Log, so do not leave the password in any output the script prints.
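The following script is an added example and not the post's own; it automates the Run command variant above from an administrator workstation with the Az module and an authenticated session (Connect-AzAccount). Resource group, VM and user names are passed in as parameters and are placeholders. The password is prompted for and handed to the VM-side script as a Run command parameter, so it is never embedded in the script text, written to a storage account, or echoed into the retained output.

```powershell
# Reset-AzVmAdminPassword.ps1 -- added example, not the original post's script.
# Assumes: Az.Compute module, Connect-AzAccount already done, and the caller
# holds a role that permits Microsoft.Compute/virtualMachines/runCommand/action.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$VMName,
    [Parameter(Mandatory)][string]$UserName
)

# Prompt rather than hard-code the password. A literal such as Pa$$sw0rd in an
# unquoted PowerShell argument would be expanded ($$ is an automatic variable).
$secure = Read-Host -Prompt "New password for $UserName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Script executed on the VM as Local System. Single-quoted here-string, so
# $UserName / $NewPassword are NOT expanded here; they arrive as parameters.
$remote = @'
param([string]$UserName, [string]$NewPassword)
# /y suppresses the ">14 characters, continue?" prompt that would otherwise hang
# a non-interactive Run command. On a DC, net user acts on the domain database.
net user $UserName $NewPassword /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
# Evidence the reset happened, without echoing the password into the retained output.
(net user $UserName) -match 'Password last set'
'@

$scriptPath = Join-Path ([System.IO.Path]::GetTempPath()) 'ResetAdminPassword.ps1'
Set-Content -Path $scriptPath -Value $remote -Encoding ASCII

try {
    $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath `
        -Parameter @{ UserName = $UserName; NewPassword = $plain }
    # Print stdout/stderr returned from the VM (the "Password last set" line, or the error).
    $result.Value | ForEach-Object { $_.Message }
}
finally {
    Remove-Item $scriptPath -ErrorAction SilentlyContinue   # no plaintext left on the workstation
    $plain = $null
}
```

The VM-side part is the same net user command the post describes; the wrapper only takes care of the quoting, the /y switch, and keeping the password out of anything that is stored. Even so, treat the new password as an emergency credential and change it again through normal channels once you are back in.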

Final words

The above also shows how carefully you need to protect access to the Azure portal and the ability to manage individual VMs. Anyone who can run a script or a Run command on a domain controller can reset any domain account without knowing a single domain password. Should someone unauthorized get the ability to do such a reset, they immediately gain control of the entire environment because they have gained access to an account with domain admin permissions.

Therefore, the management of domain controllers and other Tier 0 servers must be protected and secured in the same way as the access to the domain controllers themselves. The ability to manage Azure VMs hosting Tier 0 servers must therefore be strictly limited to privileged people only and only allowed from CSMs/PAWs.
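As an added example that is not part of the original post, the following script turns the point above into a check: it lists who invoked Run command or deployed an extension (the Custom Script Extension included) on VMs in a given resource group, which is what a Tier 0 owner should review regularly or alert on. It assumes the Az.Monitor module and an authenticated session; the operation names are the Azure resource-provider actions recorded in the Activity Log, and the property names on the returned event objects are taken from Az.Monitor's output and may differ slightly between module versions.

```powershell
# Find-AzVmRemoteExecution.ps1 -- added example, not the original post's script.
# Assumes: Az.Monitor module, Connect-AzAccount already done, Reader on the scope.
param(
    [string]$ResourceGroupName,   # e.g. the resource group holding your domain controllers
    [int]$Days = 30
)

# Activity Log actions that let a caller execute code on a VM as Local System.
$remoteExecActions = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',   # Run command (portal, CLI, API)
    'Microsoft.Compute/virtualMachines/extensions/write'     # any extension deployment, incl. Custom Script Extension
)

$query = @{
    StartTime = (Get-Date).AddDays(-$Days)
    EndTime   = Get-Date
    MaxRecord = 1000                                          # raise or page if the scope is busy
}
if ($ResourceGroupName) { $query.ResourceGroupName = $ResourceGroupName }

Get-AzActivityLog @query |
    Where-Object { $remoteExecActions -contains $_.Authorization.Action } |   # -contains is case-insensitive
    Select-Object EventTimestamp, Caller,
                  @{ Name = 'Action'; Expression = { $_.Authorization.Action } },
                  ResourceId, Status |
    Sort-Object EventTimestamp -Descending
```

Every row is a user, service principal or managed identity that had, at that moment, the equivalent of a domain admin on the targeted VM. Any caller that is not on your short list of Tier 0 administrators, or any call not originating from a PAW, is something to investigate, not to explain away.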