Setting password expirations in Azure Active Directory using PowerShell
How to check and set the AAD password expiration policy
Recently, I needed to set some password expiration policies on our Azure Active Directory (AAD).
Note: you need to be a Global Administrator to query the users.
What I found was that I needed to use PowerShell 5 on a Windows platform. I used Windows 10 but you can find more details here.
You can find your PowerShell version by running:
PS C:\Windows\system32> Get-Host
Name : ConsoleHost
Version : 5.1.17763.771
InstanceId : 7b9755d2-93ff-4bbb-8150-0a2d4d4fb16d
UI : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture : en-US
CurrentUICulture : en-US
PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled : True
IsRunspacePushed : False
Runspace : System.Management.Automation.Runspaces.LocalRunspace
Install the Microsoft Online modules
More details can be found here.
Install-Module MSOnline
Import-Module MSOnline
Connect-MSOLService
View the AAD tenant password policy
$passwordPolicy = Get-MsolPasswordPolicy -DomainName mydomain.onmicrosoft.com
# Display the stored policy (ValidityPeriod and NotificationDays)
$passwordPolicy
View the password expiration for a specific user
Get-MsolUser -UserPrincipalName "kam@mydomain.onmicrosoft.com" | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, @{Name='Expires'; Expression={$_.LastPasswordChangeTimestamp.AddDays($passwordPolicy.ValidityPeriod) }}
View the password expiration for all tenant users
# -All returns every user; without it Get-MsolUser stops at the default MaxResults limit of 500
Get-MsolUser -All | Select-Object UserPrincipalName, LastPasswordChangeTimestamp, @{Name='Expires'; Expression={$_.LastPasswordChangeTimestamp.AddDays($passwordPolicy.ValidityPeriod) }}
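The Expires column above is misleading for accounts with PasswordNeverExpires set, for accounts with no recorded password change, and when the policy object comes back with empty values. The following is an added example, not part of the original post: Get-PasswordExpiryReport is a hypothetical helper, the 90/14 day fallbacks are assumptions you should match to your tenant, and the sample users are constructed so it runs without a tenant connection.

```powershell
# Added example: Get-PasswordExpiryReport is a hypothetical helper, not an MSOnline cmdlet.
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # e.g. output of Get-MsolUser -All
        [Parameter(Mandatory)] $Policy,             # e.g. output of Get-MsolPasswordPolicy
        [datetime] $Now = (Get-Date),
        # Assumption: fallback values used when the policy object carries no values.
        [int] $DefaultValidityDays = 90,
        [int] $DefaultNotificationDays = 14
    )
    $validity = if ($null -ne $Policy.ValidityPeriod) { [int]$Policy.ValidityPeriod } else { $DefaultValidityDays }
    $notify = if ($null -ne $Policy.NotificationDays) { [int]$Policy.NotificationDays } else { $DefaultNotificationDays }

    foreach ($u in $Users) {
        $expires = $null
        $status = if ($u.PasswordNeverExpires) {
            'NeverExpires'                      # per-user flag overrides the tenant policy
        } elseif (-not $u.LastPasswordChangeTimestamp) {
            'NoPasswordChangeRecorded'          # avoids calling AddDays() on $null
        } else {
            $expires = $u.LastPasswordChangeTimestamp.AddDays($validity)
            if ($expires -le $Now) { 'Expired' }
            elseif ($expires -le $Now.AddDays($notify)) { 'ExpiringSoon' }
            else { 'OK' }
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            LastChange        = $u.LastPasswordChangeTimestamp
            Expires           = $expires
            Status            = $status
        }
    }
}

# Constructed sample data standing in for Get-MsolUser / Get-MsolPasswordPolicy output.
$now = [datetime]'2024-06-01'
$policy = [pscustomobject]@{ ValidityPeriod = 60; NotificationDays = 14 }
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'kam@mydomain.onmicrosoft.com'; LastPasswordChangeTimestamp = [datetime]'2024-05-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'alice@mydomain.onmicrosoft.com'; LastPasswordChangeTimestamp = [datetime]'2024-04-10'; PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@mydomain.onmicrosoft.com'; LastPasswordChangeTimestamp = [datetime]'2024-03-01'; PasswordNeverExpires = $null }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@mydomain.onmicrosoft.com'; LastPasswordChangeTimestamp = [datetime]'2022-01-15'; PasswordNeverExpires = $true }
    [pscustomobject]@{ UserPrincipalName = 'newhire@mydomain.onmicrosoft.com'; LastPasswordChangeTimestamp = $null; PasswordNeverExpires = $false }
)
Get-PasswordExpiryReport -Users $users -Policy $policy -Now $now | Format-Table -AutoSize
```

Against a live tenant, pass (Get-MsolUser -All) and $passwordPolicy instead of the sample objects; filtering on Status -eq 'NeverExpires' is a quick way to review accounts exempt from rotation.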
Set the password expiration policy
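# -DomainName is a mandatory parameter of Set-MsolPasswordPolicy
Set-MsolPasswordPolicy -DomainName mydomain.onmicrosoft.com -ValidityPeriod 60 -NotificationDays 14
Even though the AzureAD module has some support for this, the full set of Msol tools has not yet been migrated.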