Set Office 365 user password to never expire via the AzureAD PowerShell module

With the AzureAD module now in GA, we should start updating our scripts and skills to take advantage of the new cmdlets. In case you need additional information about the Azure AD PowerShell module, its installation and use, make sure to check the documentation here.

I plan to release a series of articles detailing on how to perform the most common tasks via the new module, at least the ones that aren’t obvious that is. The first such example is disabling password expiration for a user account. It was actually a question over at the Azure AD forums, but I guess it deserves a bit more visibility. So here’s how to do it:

Set-AzureADUser -ObjectId efd8f64f-a605-4a39-85ca-d78150b8765d -PasswordPolicies DisablePasswordExpiration

Of course, using ObjectIds will only get you so far, so here’s an easier to handle example:

Get-AzureADUser -SearchString user@domain.com | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

If you want to do this for all users:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

To get a list of users with password set to never expire:

Get-AzureADUser | ? {$_.PasswordPolicies -match "DisablePasswordExpiration"}

Note the use of the –match operator above, reason being the poor handling of the PasswordPolicies parameter in the current version of the module. It’s a string parameter, with only two values allowed (DisablePasswordExpiration and DisableStrongPassword). Being a string however, you can easily overwrite it – setting DisablePasswordExpiration will remove the DisableStrongPassword value, and vice versa. While the latter value is hardly anything you would be using, a proper use of the cmdlet will need to make sure that values are preserved.

As a reminder, here’s how to disable password expiration via the old MSOL module:

Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true

Or for all users:

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
This entry was posted in Azure AD, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *