Force password change for all users in Office 365

This seems to be a frequent request, so here’s how to do it. To force a user to change his password on next login, without actually changing the password on his behalf:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To force a group of users to change their passwords:

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

Or use any other criteria, as appropriate. Note that you have to use both the ForceChangePassword and ForceChangePasswordOnly parameters. If you omit ForceChangePasswordOnly, a new password will be generated for the user and you will need to distribute it.

Speaking of this scenario, here’s an old script I used to reset passwords in the format used by Office 365 (i.e. an 8-character password: one capital letter, then three lowercase letters, then four digits):

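# Requires an active Connect-MsolService session.
$users = Get-MsolUser -All
$arrMsolUserData = @()

foreach ($user in $users) {
    # Skip the admin account so it is not reset along with everyone else.
    if ($user.UserPrincipalName -eq "user@tenant.onmicrosoft.com") { continue }

    $objProperties = New-Object PSObject

    # Build the password: 1 uppercase letter, 3 lowercase letters, 4 digits.
    # Note: Get-Random is not a cryptographically secure generator.
    $Password = ""
    $Password += ([char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZ" | Get-Random)
    $Password += $(1..3 | % { [char[]]"abcdefghijklmnopqrstuvwxyz" | Get-Random }) -join ""
    $Password += $(1..4 | % { [char[]]"0123456789" | Get-Random }) -join ""

    # Set the new password; the user is not forced to change it at next login.
    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $Password -ForceChangePassword $false

    # Record the UPN/password pair for the export.
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $user.UserPrincipalName
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "Password" -Value $Password

    $arrMsolUserData += $objProperties
}

# Show the results, then export them. The CSV contains cleartext passwords.
$arrMsolUserData
$arrMsolUserData | Export-Csv -Path "C:\passwords.csv" -NoTypeInformation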

You can exclude the admin account or just filter out the users you need instead of using All. The list of users and new passwords will be exported to CSV, which you can use to redistribute them. Have fun 🙂
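
A variant of the generator in the script above, added here as an example (it is not the author's script): it keeps the same 8-character format but draws characters from the .NET cryptographic random number generator instead of Get-Random, and sets -ForceChangePassword $true so the distributed password only works once. The function names Get-SecureIndex, New-TempPassword and Reset-UserPassword are hypothetical.

```powershell
# Added example (not the author's script). Function names are hypothetical.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureIndex {
    # Uniform integer in [0, $Max) from the OS CSPRNG.
    # Rejection sampling avoids the modulo bias of a plain "byte % Max".
    param([int]$Max)
    $limit = 256 - (256 % $Max)   # largest multiple of $Max that fits in one byte
    $buf = New-Object byte[] 1
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-TempPassword {
    # Same layout as the original script: 1 uppercase, 3 lowercase, 4 digits.
    $upper  = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lower  = 'abcdefghijklmnopqrstuvwxyz'
    $digits = '0123456789'
    $chars  = @($upper[(Get-SecureIndex $upper.Length)])
    $chars += 1..3 | ForEach-Object { $lower[(Get-SecureIndex $lower.Length)] }
    $chars += 1..4 | ForEach-Object { $digits[(Get-SecureIndex $digits.Length)] }
    return -join $chars
}

function Reset-UserPassword {
    # Sets a generated temporary password and requires a change at next sign-in.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $pw = New-TempPassword
    # Set-MsolUserPassword echoes the password; discard that copy.
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
        -NewPassword $pw -ForceChangePassword $true | Out-Null
    [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Password = $pw }
}

# Offline self-check of the generator (no tenant connection needed).
1..1000 | ForEach-Object {
    if ((New-TempPassword) -cnotmatch '^[A-Z][a-z]{3}[0-9]{4}$') { throw 'bad format' }
}

# Usage against a tenant (requires Connect-MsolService), same filter idea as above:
# Get-MsolUser -All | ? { $_.Country -eq "USA" } |
#     % { Reset-UserPassword $_.UserPrincipalName } |
#     Export-Csv -Path "C:\passwords.csv" -NoTypeInformation
```

This format allows 26 × 26³ × 10⁴ ≈ 4.6 × 10⁹ combinations (about 32 bits), so it is suited only to temporary passwords that must be changed at first sign-in.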


4 Responses to Force password change for all users in Office 365

  1. Ricky says:

    It would be nice if you would show where these scripts are utilized within the Office 365 Admin environment.

  2. Micah Jones says:

    How do you specify all the users of a specific security group? I’ve been reading PowerShell articles all morning and haven’t found the answer.

    • Vasil Michev says:

      You will have to use the Get-MsolGroupMember or the Get-DistributionGroupMember cmdlets. That’s assuming you are talking about a group that exists in O365.
