Set Office 365 Users’ Password to Never Expire Using MS Graph PowerShell

Developing a strong password is the most effective strategy to keep your Office 365 environment secure. Under a password expiration policy, users have to change their passwords frequently. Because passwords are changed so often, users tend to choose weaker and easier passwords over time, and these passwords can be cracked with ease.

Frequent password changes lead to weak passwords, so it’s better to have a solid and hard-to-crack password strategy, which can be set to never expire, right?

It is possible to set the password to never expire via Microsoft 365 admin center and PowerShell. Since Azure AD cmdlets are deprecated, admins must use MS Graph PowerShell cmdlets.

Let’s learn how to set the password to never expire in Office 365 in this article.

Set Password Policy in Microsoft 365 Admin Center:

Microsoft 365 admin center has only one way to make passwords never expire. The following steps explain how to set a password expiration policy for your organization.

  1. Open the Microsoft 365 admin center, and select Settings –> Org Settings.
  2. On the Org settings page, click Security and Privacy. (Only the Azure AD global admins can see this.)
  3. From the Security and Privacy tab, select the Password expiration policy.
      • By default, the password will never expire. (If you do not wish the password to expire, you can leave it as is.)

If you want passwords to expire instead, uncheck the box and enter the number of days after which the password should expire. Passwords will then expire after the specified number of days.

Set Password Never Expire Using MS Graph PowerShell:

With the Office 365 admin center, it is only possible to set a password expiration policy for the entire organization. So how do you set only a particular Office 365 user’s password to never expire? Unfortunately, the admin center cannot help here.

This is where PowerShell comes to the rescue. The downside is that Microsoft recently announced that the MSOnline and Azure AD modules will be deprecated. Even though they still work, managing passwords through Graph PowerShell is the best approach.

First, install the Microsoft Graph module and connect to Microsoft Graph, then run the cmdlets.

Manage Office 365 Users’ Password Expiration Policy:

Set Password to Never Expire for a Single User:

After connecting to MS Graph, replace the <user id> with the object ID of the user whose password you want to set to never expire.
If you need to look up your Office 365 users’ object IDs, you can use the Get-MgUser cmdlet.

Update-MgUser -UserId 564f62c4-29cd-4d69-b1a0-51e9a6fca404 -PasswordPolicies DisablePasswordExpiration

Enable Password Never Expire for Bulk Office 365 Users:

Is it possible to set passwords to never expire for multiple users at once? Yes: import a CSV file that lists the users whose passwords should never expire.

Required Fields in CSV file:

Create a CSV file with a UserId column that contains the object ID of each user whose password should never expire.

Connect-MgGraph -Scopes "User.ReadWrite.All"
# The CSV needs a "UserId" column holding each user's object ID.
Import-Csv "C:\setpwdexpiry.csv" | ForEach-Object {
    $upn = $_.UserId
    Write-Progress -Activity "Setting password to never expire for $upn"
    Update-MgUser -UserId $upn -PasswordPolicies DisablePasswordExpiration
    If ($?)
    {
        Write-Host "Password set to never expire for $upn" -ForegroundColor Green
    }
    Else
    {
        Write-Host "Error occurred while setting password to never expire for $upn" -ForegroundColor Red
    }
}

Set Password Never Expire for All Users:

To set the password to never expire for all users, run the script below. Note that Get-MgUser -All returns every user object in the tenant, including guest accounts.

# Walk every user in the tenant and disable password expiration for each one.
Get-MgUser -All | ForEach-Object {
    $Id = $_.Id
    $DisplayName = $_.DisplayName
    Write-Progress -Activity "Setting password to never expire for $DisplayName"
    Update-MgUser -UserId $Id -PasswordPolicies DisablePasswordExpiration
    If ($?)
    {
        Write-Host "Password set to never expire for $DisplayName" -ForegroundColor Green
    }
    Else
    {
        Write-Host "Error occurred while setting password to never expire for $DisplayName" -ForegroundColor Red
    }
}

Remove the Password Never Expires in Office 365 Users:

Similarly, removing the “password never expires setup” for an individual user is super easy. You can replace the value of the -PasswordPolicies parameter with None. That’s it! This removes the password set to never expire.

Update-MgUser -UserId 564f62c4-29cd-4d69-b1a0-51e9a6fca404 -PasswordPolicies None
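
The single-user set and remove commands above each overwrite the whole PasswordPolicies value, which is one string that can also carry DisableStrongPassword. The following added example (not code from the original article; the function names are hypothetical) reads the current value first, changes only the DisablePasswordExpiration flag, and supports -WhatIf for a dry run. It assumes a session opened with Connect-MgGraph -Scopes "User.ReadWrite.All".

```powershell
# Added example; Merge-PasswordPolicy and Set-PasswordNeverExpires are hypothetical names.
# Assumes an existing session: Connect-MgGraph -Scopes "User.ReadWrite.All"

function Merge-PasswordPolicy {
    # Pure string logic: add or remove one flag and keep every other flag intact.
    param(
        [string]$Current,                        # "DisableStrongPassword", "None" or empty
        [Parameter(Mandatory)][string]$Flag,
        [switch]$Remove
    )
    $flags = @($Current -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' -and $_ -ne $Flag })
    if (-not $Remove) { $flags += $Flag }
    if ($flags.Count -eq 0) { return 'None' }
    return ($flags -join ', ')
}

function Set-PasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserId,
        [switch]$Remove
    )
    # PasswordPolicies is not returned by default, so request it explicitly.
    $user = Get-MgUser -UserId $UserId -Property Id,UserPrincipalName,PasswordPolicies -ErrorAction Stop
    $new = Merge-PasswordPolicy -Current $user.PasswordPolicies -Flag 'DisablePasswordExpiration' -Remove:$Remove
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set PasswordPolicies to '$new'")) {
        Update-MgUser -UserId $user.Id -PasswordPolicies $new -ErrorAction Stop
    }
    # Return before/after so the change can be logged or reviewed.
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        Before    = $user.PasswordPolicies
        Requested = $new
    }
}

# Dry run with the sample object ID from the article, then apply, then revert:
Set-PasswordNeverExpires -UserId '564f62c4-29cd-4d69-b1a0-51e9a6fca404' -WhatIf
Set-PasswordNeverExpires -UserId '564f62c4-29cd-4d69-b1a0-51e9a6fca404'
Set-PasswordNeverExpires -UserId '564f62c4-29cd-4d69-b1a0-51e9a6fca404' -Remove
```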

Bulk Remove Password Never Expire for Office 365 Users:

If you want to remove the “password never expires policy” for a group of users, you can do it in the same way that you would set up a password that will never expire. Replace the value of -PasswordPolicies with None. Run the script below to remove the password never expire policy.

Connect-MgGraph -Scopes "User.ReadWrite.All"
# The CSV needs a "UserId" column holding each user's object ID.
Import-Csv "C:\setpwdexpiry.csv" | ForEach-Object {
    $upn = $_.UserId
    Write-Progress -Activity "Removing password never expire from $upn"
    Update-MgUser -UserId $upn -PasswordPolicies None
    If ($?)
    {
        Write-Host "Password never expire removed from $upn" -ForegroundColor Green
    }
    Else
    {
        Write-Host "Error occurred while removing password never expire from $upn" -ForegroundColor Red
    }
}

That’s it! This is how we can configure the passwords to never expire using MS Graph PowerShell.

One last thing to note: do you have a way of tracking when your users last changed their passwords? Can that be found?

Yes, you can monitor Office 365 users’ last password change date with this script.

Export Office 365 Users’ Last Password Change Date to CSV:

This script covers numerous use cases, since you can generate multiple password reports with it. Some of the significant reports are:

  • Get Office 365 Users Password Expiration Date Report
  • Export Office 365 Password Expired Users Report
  • List Office 365 Users Whose Password Set to Never Expires
  • Check All Licensed Users’ Password Last Change Time and Expiry Date
  • Get Password Expiry Report for Enabled Users
  • Soon to Expire Password Users Report
  • Recent Password Changers Report

Script Highlights:

  • A single script allows you to generate 7 different password reports.
  • The script can be executed with MFA-enabled accounts too.
  • Exports output to CSV.
  • You can filter results to display Licensed users alone.
  • The script is scheduler-friendly, i.e., credentials can be passed as a parameter instead of being saved inside the script.

Export Office 365 Users’ Password Expiry Date – Sample Report:

The output of the password expiry report contains the most essential attributes like Display Name, User Principal Name, Password last Change Date, Password Since Last Set (Password Age), Password Expiry Date, Friendly Expiry Time, License Status and Days Since Expiry/Days to Expiry.
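
A minimal audit in the same spirit, as an added example (not the script referred to above and not code from the original article): it lists every account whose password is set to never expire together with its password age, so old non-expiring passwords can be reviewed. The function name, the 365-day threshold and the output path are assumptions; it needs a session opened with Connect-MgGraph -Scopes "User.Read.All".

```powershell
# Added example; Get-NeverExpireReport is a hypothetical name.
# Assumes an existing session: Connect-MgGraph -Scopes "User.Read.All"

function Get-NeverExpireReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,  # user objects with the properties requested below
        [int]$MaxAgeDays = 365,                  # assumed review threshold, adjust to your policy
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        # Skip accounts that still follow the organization-wide expiration policy.
        if ("$($u.PasswordPolicies)" -notmatch 'DisablePasswordExpiration') { continue }

        # LastPasswordChangeDateTime can be empty, so treat that as "unknown age".
        $age = $null
        if ($u.LastPasswordChangeDateTime) {
            $age = [int][math]::Floor(($Now - $u.LastPasswordChangeDateTime).TotalDays)
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            Enabled           = $u.AccountEnabled
            PasswordPolicies  = $u.PasswordPolicies
            PasswordAgeDays   = $age
            NeedsReview       = ($null -eq $age) -or ($age -gt $MaxAgeDays)
        }
    }
}

# These properties are not all returned by default, so request them explicitly.
$props = 'Id', 'UserPrincipalName', 'UserType', 'AccountEnabled',
         'PasswordPolicies', 'LastPasswordChangeDateTime'
$users = Get-MgUser -All -Property $props

Get-NeverExpireReport -Users $users |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path .\PasswordNeverExpires.csv -NoTypeInformation
```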

Master Microsoft 365 Password Reporting with AdminDroid

We have previously discussed how to make Microsoft 365 passwords never expire, but to enforce a strong Microsoft 365 password policy, we need to do more! As such, it is essential to monitor additional reports beyond these measures. Regrettably, native Office 365 reporting lacks clear statistics, and Microsoft has failed to lend a hand with efficient Microsoft 365 password report analysis.

Don’t fret! Microsoft’s assistance may have fallen short, but fear not, as AdminDroid Microsoft 365 reporting tool emerges as your ultimate savior, which will help you streamline your administrative tasks. 💯

AdminDroid provides an in-depth look into every password activity with a more granular view. Let’s see a few of the Microsoft 365 password reports by AdminDroid which will amaze you for sure.

Password Reports:

  • Password Expired Users
  • Soon-To-Password Expire Users
  • Password Never Expire Users
  • Users with Password Expiry
  • Password Never Changed Users
  • Password Not Changed in 90 Days
  • Recent Password Changes
  • Users with Weak Passwords Allowed
  • Password Policies

Audit Microsoft 365 Password Changes

  • Password Reset by Admin
  • User Password Changes
  • Password Reset Forced by Admins
  • Self-Service Password Resets
  • All Password Changes

That feels like plenty of reports! Guess what? You won’t believe it, but you can get all Azure AD reports for absolutely FREE. Yes, AdminDroid Microsoft 365 reporter lets you grab all the Azure AD reports without spending a dime.

Buckle up for an offer that’s too good to be true! So, get started now and take advantage of the free Azure AD reporting tool, which provides 120+ reports with a comprehensive view of the organization’s groups, group membership changes, users, licenses, user logins, password changes, etc. Download AdminDroid and experience the control of your Office 365 organization in real-time.

Lastly, I hope this blog was useful for setting the password to never expire for both single users and bulk users. If you have any further questions on this, drop your queries in the comment section!

by Pavithra time to read: 6 min