Force password change for all users in Office 365

​This seems to be a frequent request, so here’s how to do it. To force a user to change his password on next login, without actually changing the password on his behalf:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To force a group of users to change their passwords:

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

Or use any other criteria, as appropriate. Note that you have to use both the ForceChangePassword and ForceChangePasswordOnly parameters. If you skip the ForceChangePasswordOnly, a new password will be generated for the user and you will need to distribute it.

Speaking of this scenario, here’s an old script I used to reset passwords in the format used by Office 365 (i.e. 8 char password, starting with a Capital letter, three lowercase letters and four numbers):

$users = Get-MsolUser –All
$arrMsolUserData = @()

foreach ($user in $users) {

if ($user.UserPrincipalName -eq "user@tenant.onmicrosoft.com") { continue; }
$objProperties = New-Object PSObject

$Password = ""
$Password += ([char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZ" | Get-Random)
$Password += $(1..3 | % { [char[]]"abcdefghijklmnopqrstuvwxyz" | Get-Random }) -join ""
$Password += $(1..4 | % { [char[]]"0123456789" | Get-Random }) -join ""

Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $Password -ForceChangePassword $false

Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $user.UserPrincipalName
Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "Password" -Value $Password

$arrMsolUserData += $objProperties
}

$arrMsolUserData
$arrMsolUserData | Export-Csv -Path "C:\passwords.csv" –NoTypeInformation

You can exclude the admin account or just filter out the users you need instead of using All. The list of users and new passwords will be exported to CSV, which you can use to redistribute them. Have fun 🙂

This entry was posted in Azure AD, Office 365, PowerShell. Bookmark the permalink.

2 Responses to Force password change for all users in Office 365

  1. Ricky says:

    It would be nice if you would show where these scripts are utilized within the Office 365 Admin environment.

Leave a Reply

Your email address will not be published. Required fields are marked *