Developing a strong password is the most effective strategy to keep your Office 365 environment secure. As part of the password expiration policy, users are likely to change their passwords frequently. Since passwords are often changed, users tend to choose weaker and easier passwords over time. Therefore, these passwords can get hacked at ease.
Frequent password changes lead to weak passwords, so it’s better to have a solid and hard-to-crack password strategy, which can be set to never expire, right?
It is possible to set the password to never expire via Microsoft 365 admin center and PowerShell. Since Azure AD cmdlets are deprecated, admins must use MS Graph PowerShell cmdlets.
Let’s learn how to set the password to never expire in Office 365 in this article.
Set Password Policy in Microsoft 365 Admin Center:
Microsoft 365 admin center has only one way to make passwords never expire. The following steps explain how to set a password expiration policy for your organization.
Open the Microsoft 365 admin center, and select Settings –> Org Settings.
On the Org settings page, click Security and Privacy. (Only the Azure AD global admins can see this.)
From the Security and Privacy tab, select the Password expiration policy.
By default, the password will never expire. (If you do not wish the password to expire, you can leave it as is.)
But if you want to configure specific password expiration dates, uncheck the box and mention the number of days you want the password to expire after. Then, the password will expire after the specified number of days.
Set Password Never Expire Using MS Graph PowerShell:
With Office 365 admin center, it is only possible to set password expiration policies across the entire organization. Then, how will you set only a particular Office 365 user’s password to never expire? Unfortunately, no! Admin center failed to help here.
So there comes PowerShell to the rescue. The downside of PowerShell cmdlets is that Microsoft recently announced that Msol online and Azure AD modules will be deprecated. Even though it still works to configure password policies, switching to MS Graph is best.
After connecting with MS Graph, replace the <user id> with the object id of the user you wish to set the password never expiration policy.
If you wish to get your Office 365 users’ User Id, you can use the Get-MgUser cmdlet.
Enable Password Never Expire for Bulk Office 365 Users:
Would it be possible to set the password to never expire configuration for bulk users? Is there a way to do it? The problem can be solved by importing a CSV file with the list of users that you want to configure passwords to never expire.
Required Fields in CSV file:
Create a CSV file with the user’s object ID whose password should never expire.
Connect-MgGraph
$UserId = Import-Csv "C:\setpwdexpiry.csv" | ForEach-Object { $upn = $_."UserId"
Write-Progress -Activity "Setting password to never expire to -$upn"
Update-MgUser -UserId $upn -PasswordPolicies DisablePasswordExpiration
If($?)
{
Write-Host Password never expired set to $upn -ForegroundColor Green
}
Else
{
Write-Host Error occurred while setting password to never expire to $upn -ForegroundColor Red
}
}
Set Password Never Expire for All Users:
To set the password never expire for all users, run the below script.
Get-MgUser -All | foreach {
$Id=$_.Id
$DisplayName=$_.DisplayName
Write-Progress "Set password never expires to $DisplayName"
Update-MgUser –UserId $Id -PasswordPolicies DisablePasswordExpiration
If($?)
{
Write-Host Password never expired set to $DisplayName -ForegroundColor Green
}
Else
{
Write-Host Error occurred while setting password to never expire to $DisplayName -ForegroundColor Red
}
}
Remove the Password Never Expires in Office 365 Users:
Similarly, removing the “password never expires setup” for an individual user is super easy. You can replace the value of the -PasswordPolicies parameter with None. That’s it! This removes the password set to never expire.
Bulk Remove Password Never Expire for Office 365 Users:
If you want to remove the “password never expires policy” for a group of users, you can do it in the same way that you would set up a password that will never expire. Replace -PasswordPolicies with None.Run the below cmdlet to remove the password never expire policy.
Connect-MgGraph
$UserId = Import-Csv "C:\setpwdexpiry.csv" | ForEach-Object { $upn = $_."UserId"
Write-Progress -Activity "Setting password to never expire to -$upn"
Update-MgUser -UserId $upn -PasswordPolicies None
If($?)
{
Write-Host Password never expired removed from $upn -ForegroundColor Green
}
Else
{
Write-Host Error occurred while removing password never expire from $upn -ForegroundColor Red
}
}
That’s it! This is how we can configure the passwords to never expire using MS Graph PowerShell.
Lastly, one thing to note, do you have a way of tracking when your users last changed their passwords? Can that be found?
Export Office 365 Users’ Last Password Change Date to CSV:
This script comes up with numerous use-cases like you can generate multiple password reports using this script. Some of the few significant reports are
Get Office 365 Users Password Expiration Date Report
Export Office 365 Password Expired Users Report
List Office 365 Users Whose Password Set to Never Expires
Check All Licensed Users’ Password Last Change Time and Expiry Date
Get Password Expiry Report for Enabled Users
Soon to Expire Password Users Report
Recent Password Changers Report
Script Highlights:
A single script allows you to generate 7 different password reports.
The script can be executed with MFA-enabled accounts too.
Exports output to CSV.
You can filter results to display Licensed users alone.
The script is scheduler friendly. i.e., Credentials can be passed as a parameter instead of saved inside the script.
Export Office 365 Users’ Password Expiry Date – Sample Report:
The output of the password expiry report contains the most essential attributes like Display Name, User Principal Name, Password last Change Date, Password Since Last Set (Password Age), Password Expiry Date, Friendly Expiry Time, License Status and Days Since Expiry/Days to Expiry.
Lastly, I hope this blog was useful for setting up the password to never expire simultaneously for single users and bulk users. If you have any further questions on this, drop your queries in the comment section!
