Setting password expirations in Azure Active Directory using PowerShell

Recently, I needed to set some password expirations policies on our Azure Active Directory (AAD).

note: you need to be a Global Administrator to query the users

What I found was that I needed to use PowerShell 5 on a Windows platform. I used Windows 10 but you can find more details here.

You can find your PowerShell version by running:

PS C:\Windows\system32> Get-Host


Name             : ConsoleHost
Version          : 5.1.17763.771
InstanceId       : 7b9755d2-93ff-4bbb-8150-0a2d4d4fb16d
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : en-US
CurrentUICulture : en-US
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

Install the Microsoft Online modules

More details can be found here.

Install-Module MSOnline
Import-Module MSOnline
Connect-MSOLService

View the AAD tenant password policy

$passwordPolicy=Get-MsolPasswordPolicy -DomainName mydomain.onmicrosoft.com

View the password expiration for a specific user

Get-MsolUser -UserPrincipalName "kam@mydomain.onmicrosoft.com" | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, @{Name='Expires'; Expression={$_.LastPasswordChangeTimestamp.AddDays($passwordPolicy.ValidityPeriod) }}

View all tenant users password expiration

Get-MsolUser | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, @{Name='Expires'; Expression={$_.LastPasswordChangeTimestamp.AddDays($passwordPolicy.ValidityPeriod) }}

Set the password expiration policy

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14

hat tip 1
hat tip 2

Even though AzureAD module has some support for this, the entire set of Msol tools have not been fully migrated