3 Ways to Force Users to Change Their Passwords in Google Workspace
When a stale password lingers, every shared drive, email, and chat thread is exposed. As an admin, you’re the one who loses sleep if a user forgets to change it.
This short guide walks through three proven ways to force a Google Workspace password reset, instant bulk resets, policy-based expiry, and targeted security prompts, so you can pick the tactic that fits your org, roll it out fast, and lock the door on stale credentials.
Table of Contents
Use Google Workspace’s UI
Here, you’ll walk through Google Workspace’s Admin console to make a user pick a new password the next time they sign in. Follow the same clicks whether you’re updating one account or several at once.
Sign in to the Admin console
- Head to
admin.google.comand sign in with a super-admin account. - The homepage loads and shows a tiled dashboard of administrative tools.
Open the Users page
- From the dashboard menu, choose Directory to reach the list of services.
- Click Users to open a full list of accounts that includes search and filters.
Select the user (or users)
- Scroll or filter until you locate the person whose password needs a reset. Use the search bar if the list is long.
- Check the box that sits directly beside the user’s name.
- If you need to reset several users, keep selecting boxes until everyone is highlighted.
Reset the password and force a change
- From the toolbar in the upper right corner, choose Reset password. A dialog appears.
- Choose the method you prefer for creating the temporary password.
- Allow Google to generate a random string of letters and numbers automatically.
- Create and enter a temporary password of your own choosing.
- Confirm that Ask user to change their password when they sign in remains selected.
- Click Reset to save the change and reveal the temporary password.
Share the temporary password
- Copy the password as seems in the confirmation window.
- Send it through a secure channel, never in a public chat.
Confirm everything took
- Watch for a green banner announcing the reset was successful.
- The profile now displays “Password reset required” until the user finishes the change.
The next time the user signs in, Google blocks access until a fresh password is set.
Use Torii
Handling password resets inside Google Workspace can feel slow and tedious. Torii, a SaaS management platform, centralizes subscriptions and integrations so teams can require user password changes, onboard or offboard staff, and review license data.
With Torii in place, the password-reset step can be completely automated. Once you define a trigger, such as a new hire, a departure, or a contract anniversary, the workflow runs on its own and removes repetitive manual work.
Follow the steps below to force a Google Workspace password change directly from Torii:
1. Sign up for Torii
Contact Torii to request a free two-week proof of concept.
2. Connect your Google Workspace account to Torii
After your Torii environment is active, link your existing Google Workspace tenant. Detailed instructions live here: Google Workspace integration guide.
3. Create a Torii workflow for Google Workspace
Inside Torii, open the Workflows tab, choose your preferred trigger, and add the “force user to change password in Google Workspace” action. Whenever the trigger fires, Google Workspace automatically prompts the selected users to reset their passwords.
Use Google Workspace’s API
Here’s how to tell Google Workspace to make a user pick a new password the next time they sign in.
1. Turn on the Admin SDK and pick your auth method
- Enable the Admin SDK in Google Cloud if it isn’t already.
- Decide if you’ll use a service account with domain-wide delegation or a standard OAuth 2.0 flow.
- For a service account, share the client ID in the Admin console and give it the scope
https://www.googleapis.com/auth/admin.directory.user.security.
2. Get an access token that carries the right scope
Run a command like this (example uses a service account with oauth2l) to fetch an OAuth token carrying the right scope:
oauth2l fetch --jwt \
--scope=https://www.googleapis.com/auth/admin.directory.user.security \
--impersonate=[email protected]
When the command finishes, copy the access token it prints to your terminal.
3. Build the PATCH request
The PATCH body is minimal, and Google only needs a single field to trigger the reset:
{
"changePasswordAtNextLogin": true
}
4. Send the call
Send the request with curl, Postman, or any other HTTP client, and remember to replace {USER_KEY} with the user’s primary email address or numeric ID.
curl -X PATCH \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"changePasswordAtNextLogin": true}' \
"https://admin.googleapis.com/admin/directory/v1/users/{USER_KEY}"
A successful call returns the updated User resource as JSON.
5. Check your work (optional)
To confirm the change, retrieve the user record again now and inspect the relevant field returned:
curl -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://admin.googleapis.com/admin/directory/v1/users/{USER_KEY}?fields=primaryEmail,changePasswordAtNextLogin"
If "changePasswordAtNextLogin": true shows up, the user will be forced to reset their password at the next sign-in.
With one PATCH call, you’ve forced the reset without opening the admin UI, so no interface clicks were necessary and a single API flag did the job.
Torii for SaaS Management
Effective SaaS Management starts with clear, company-wide visibility into every app your teams touch each day. Torii’s platform helps you:
- Uncover shadow IT: AI-driven discovery continually scans your organization for unsanctioned apps, revealing hidden tools before they cause risk or waste.
- Slash spend: Identify and eliminate idle licenses and overlapping tools across every department, putting hard dollars back into your quarterly budget.
- Automate joiner/mover/leaver workflows: Automatically orchestrate onboarding, role changes, and departures with secure workflows that reclaim time, reduce tickets, and close compliance gaps.
- Stay ahead of renewals: Get proactive renewal alerts, complete with usage data and contract terms, so you negotiate early and avoid costly auto-renews.
Torii offers the industry’s first comprehensive SaaS Management solution, delivering one reliable source of truth for Finance, IT, and Security teams.
Discover everything Torii can do for your team at Torii.
Frequently Asked Questions
Admins can require a reset three ways: open the Admin console and hit Reset Password, trigger a "force user to change password" action in a Torii workflow, or patch the Admin SDK user endpoint with \"changePasswordAtNextLogin\": true. All three compel users to set new credentials on next sign-in.
Yes. In the Admin console, select multiple checkboxes on the Users page and click Reset Password once, or create a Torii workflow that targets groups or organisational units. Both approaches push a bulk prompt without individual clicks.
The boolean field \"changePasswordAtNextLogin\" tells Google Workspace to block the account until the user chooses a fresh password. Set it to true with an Admin SDK PATCH call and the system automatically enforces the change at next authentication.
Torii connects to your Google Workspace tenant, then lets you add a \"force user to change password\" action to any workflow trigger—new hire, departure, or anniversary. When the trigger fires, Google instantly flags selected accounts for a mandatory reset.
Avoid public email or chat. After the reset dialog shows the temporary password, copy it into a secure channel such as an encrypted ticket, password manager vault share, or one-time secret link so snoops can’t intercept it.
Google Workspace supports password-expiration policies. In the Admin console, navigate to Security → Password management and set a maximum password age. The platform will automatically prompt users to update their credentials once the chosen number of days elapses.
