Overview

This recipe creates a scheduled agent that runs monthly to rotate passwords for admin and service accounts across your connected M365 tenants. Every password reset requires technician approval, and new credentials are delivered securely.
This is a scheduled agent — it runs on a cadence without processing a specific ticket. See Scheduled Agents for how this works.

How it works

  • Agent runs monthly and identifies admin and service accounts across connected tenants
  • For each account, the agent generates a secure password and requests Technician-in-the-Loop approval
  • After approval, the password is reset and new credentials are delivered via a secure link
  • A summary of all rotated accounts is logged

Setup

Step 1: Create the agent

  • Name: “M365 Password Rotation”
  • Type: Agent
  • Trigger: Scheduled
  • Cadence: Monthly (e.g., first Monday at 5:00 AM)
Step 2: Configure M365 integration permissions

Set these permission groups:
  • Security: Read/Write with TIL enabled (for password resets)
  • Directory Roles: Read Only (to identify admin accounts)
  • User Management: Read Only (to search for service accounts)
Step 3: Enable tools

  • Generate Password — to create secure random passwords
  • Generate Secure Link — to deliver credentials safely
  • Send Teams Message or Send Internal Email — for delivery and summary
Step 4: Write custom instructions

For each connected M365 tenant:

1. List all users with privileged directory roles:
   - Global Administrator
   - Privileged Role Administrator
   - Exchange Administrator
   - Security Administrator
2. Also find service accounts (display name contains "svc-" or "service")
3. Exclude break-glass/emergency accounts from rotation
4. For each account:
   a. Generate a new secure password (minimum 20 characters)
   b. Request technician approval, specifying which account and tenant
   c. Once approved, reset the password
   d. Send the new credentials to the designated admin via a secure link
5. After processing all accounts, send a summary to the security-ops
   Teams channel listing all accounts rotated and any that were skipped
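As an added example (not code from this page or from the agent platform), here is the account-selection logic of steps 1–3, the password rule of step 4a and the step-5 summary written out in Python against a constructed sample directory for one tenant. The user records, the UPNs, the break-glass list and the case-insensitive display-name match are assumptions; the generated password is returned only for the secure-link tool and never appears in the summary.

```python
import re
import secrets
import string
# Privileged directory roles named in step 1 of the custom instructions
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}
# Step 2: service accounts by display name (case-insensitive match is an assumption)
SERVICE_NAME_PATTERN = re.compile(r"svc-|service", re.IGNORECASE)
# Constructed sample directory for one tenant (hypothetical accounts, not real data)
SAMPLE_USERS = [
    {"upn": "alice@contoso.example", "display": "Alice Admin", "roles": ["Global Administrator"]},
    {"upn": "bob@contoso.example", "display": "Bob Builder", "roles": []},
    {"upn": "svc-backup@contoso.example", "display": "svc-backup", "roles": []},
    {"upn": "mailer@contoso.example", "display": "Mail Service Account", "roles": ["Exchange Administrator"]},
    {"upn": "breakglass@contoso.example", "display": "Emergency Access", "roles": ["Global Administrator"]},
]
# Step 3: the maintained break-glass list that automation must never touch
BREAK_GLASS = {"breakglass@contoso.example"}

def select_accounts(users, break_glass):
    """Return (to_rotate, skipped): candidates from steps 1-2 minus the step-3 exclusions."""
    to_rotate, skipped = [], []
    for user in users:
        is_admin = bool(PRIVILEGED_ROLES & set(user["roles"]))
        is_service = bool(SERVICE_NAME_PATTERN.search(user["display"]))
        if not (is_admin or is_service):
            continue  # ordinary user, out of scope
        if user["upn"] in break_glass:
            skipped.append((user["upn"], "break-glass"))  # reported in the step-5 summary
        else:
            to_rotate.append(user["upn"])
    return to_rotate, skipped

def generate_password(length=20):
    """Step 4a: CSPRNG password of at least 20 characters with all four character classes."""
    if length < 20:
        raise ValueError("recipe requires a minimum of 20 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # resample until every class is present; succeeds within a few tries
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in password) and any(c.isupper() for c in password)
                and any(c.isdigit() for c in password) and any(c in string.punctuation for c in password)):
            return password

def summary_message(to_rotate, skipped):
    """Step 5: summary for the security-ops channel; lists accounts only, never a password."""
    lines = ["Rotated: " + (", ".join(to_rotate) or "none")]
    lines += [f"Skipped: {upn} ({reason})" for upn, reason in skipped]
    return "\n".join(lines)
```

Running `select_accounts(SAMPLE_USERS, BREAK_GLASS)` in test mode is the equivalent of the "verify it identifies the correct accounts" check: the break-glass account lands in the skipped list, not the rotation list.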
Step 5: Test and enable

  • Enable test mode and run once to verify it identifies the correct accounts
  • Review the execution log to confirm the account list and exclusions are right
  • Disable test mode, enable, and monitor the first live run closely

Variations

Separate schedules for admin vs service accounts

Split into two agents with different cadences:
  • Admin accounts — monthly rotation
  • Service accounts — quarterly rotation (to reduce disruption to automated processes)

Create audit tickets

Add instructions to create a PSA ticket for each rotation cycle, logging which accounts were rotated, when, and by whom (the approving technician). This provides an audit trail for compliance reporting.

Best practices

  • Always require TIL approval — automated password resets without human oversight can lock out critical accounts
  • Coordinate with your team on rotation schedules to avoid disruptions during business hours
  • Maintain a list of break-glass accounts that should never have passwords rotated by automation
  • Use the secure link tool for credential delivery — never include passwords in Teams messages or emails directly
  • Document the rotation schedule in your internal wiki so all technicians know when to expect approval requests