Microsoft Identity Manager PowerShell Management Agent password script that checks whether users' AD passwords appear in the Have I Been Pwned "Pwned Passwords" list. Supporting blog post is located here
[switch] $UnlockAccount,
[switch] $ForceChangeAtLogOn,
[switch] $ValidatePassword
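# Logging
# NOTE(review): this debug log records every password-change event the MA processes.
# Keep the file ACL'd to the MA service account; it must never contain the password itself.
$log = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\PwnedPWD\Debug\PwnedPWD.log"
"=============================================================" | out-file $log -Append
# $_ is the object handed to the password script by the PSMA; only these two attributes are read.
$DisplayName = $_["displayName"].Value
$Accountname = $_["sAMAccountName"].Value
"Account Name: $Accountname" | Out-File $log -Append
"Display Name: $DisplayName" | Out-File $log -Append
"Action: $Action" | Out-File $log -Append
# Do NOT write $OldPassword / $NewPassword to the log. The original wrote both in plaintext,
# which turns a debug log into a credential store for anyone who can read the file.
# Record only whether each value was supplied; that is all that is needed to debug the flow.
"Old pwd supplied: $(-not [string]::IsNullOrEmpty($OldPassword))" | Out-File $log -Append
"New pwd supplied: $(-not [string]::IsNullOrEmpty($NewPassword))" | Out-File $log -Append
"Unlock: $UnlockAccount" | Out-File $log -Append
"Force change: $ForceChangeAtLogOn" | Out-File $log -Append
"Validate: $ValidatePassword" | Out-File $log -Append
$responseCode = $null
# The API response is only assigned on a successful call (inside PwnedPassword's try block),
# so reset it here as well; otherwise a failed/rate-limited lookup could be evaluated against
# a previous invocation's response if the runspace is reused between password events.
$Global:response = $null
# HaveIBeenPwned requires TLS 1.2. Windows PowerShell defaults to SSL3/TLS 1.0, so opt in explicitly.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12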
# Check password against the Pwned List
function PwnedPassword ($URI) {
try {
$Global:response = (Invoke-WebRequest -uri $URI -UseBasicParsing -TimeoutSec 20)
return $Global:response
catch [System.Net.WebException] {
# either we had a communication failure, hit the rate limit, or got a non-2xx status from the API
$Request = $_.Exception
$Global:responseCode = $Request.Response.StatusCode.'value__'
"Exception calling API: $Global:responseCode" | Out-File $log -Append
# SHA-1 hash the password and build the API check URI. Only the first five hex characters of the
# hash are sent (k-anonymity range lookup); the remainder is compared locally against the response.
$pwdsha1 = Get-Hash -Algorithm SHA1 -StringEncoding utf8 -InputObject $NewPassword
$pwnedCheckURL = "$($pwdsha1.HashString.Substring(0,5))"
# Lookup
# Pwned or not? The response lists hash suffixes; a match on our suffix means the password is known.
if ($response.Content.Contains($pwdsha1.HashString.Substring(5))){
$pwned = $true
} else {
$pwned = $false
# Update the user in the MIM Service. The guard below ($pwned -or !$pwned) is always true, so the
# pwnedPassword attribute is written for both outcomes; it is not a conditional update.
if ($pwned -or !$pwned){
Import-Module lithnetrma
$pwd = $Password | ConvertTo-SecureString -asPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($Username,$pwd)
Set-ResourceManagementClient -BaseAddress http://mimserviceServer:5725 -Credentials $Credential
# Get the user from the MIM Service
$user = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $Accountname
if ($user){
$user.pwnedPassword = $pwned
Save-Resource $user
"Updated MIM Service for $Accountname who's password pwned status is $pwned" | Out-File $log -Append