Force password change for all users in Office 365

This seems to be a frequent request, so here's how to do it. To force a user to change their password at next login, without actually changing the password on their behalf:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To force a group of users to change their passwords:

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

Or use any other criteria, as appropriate. Note that you have to use both the ForceChangePassword and ForceChangePasswordOnly parameters. If you omit ForceChangePasswordOnly, a new password is generated for the user and you will have to distribute it yourself.
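As an added example (not part of the original post), the same "flag only, don't reset" operation scoped to the members of one security group, with a dry-run switch and a per-user result record so you can see who was actually flagged. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the $GroupName parameter, the -DryRun switch and the CSV file name are my own choices.

```powershell
# Added example: force a password change at next sign-in for every user member
# of one Azure AD group, keeping the current password (ForceChangePasswordOnly).
# Assumes MSOnline is imported and Connect-MsolService has been run.
param(
    [Parameter(Mandatory = $true)][string]$GroupName,
    [switch]$DryRun
)

# Resolve the group by exact display name; stop on zero or several matches
$group = @(Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}

# Keep user members only; nested groups come back with GroupMemberType 'Group'
$members = Get-MsolGroupMember -GroupObjectId $group[0].ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' }

$results = foreach ($m in $members) {
    $status = 'Skipped (dry run)'
    if (-not $DryRun) {
        try {
            # Both parameters are needed: without ForceChangePasswordOnly the
            # cmdlet generates a new random password instead of just setting the flag.
            Set-MsolUserPassword -ObjectId $m.ObjectId `
                -ForceChangePasswordOnly $true -ForceChangePassword $true | Out-Null
            $status = 'Flagged'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        UserPrincipalName = $m.EmailAddress
        ObjectId          = $m.ObjectId
        Status            = $status
        Timestamp         = (Get-Date).ToString('o')
    }
}

$results | Format-Table -AutoSize
# Keep the record; it is your evidence of who was flagged and when
$results | Export-Csv -Path ".\force-change-$GroupName.csv" -NoTypeInformation
```

Run it once with -DryRun to review the member list before flagging anyone; the CSV of results is written in both modes.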

Speaking of this scenario, here's an old script I used to reset passwords in the format used by Office 365 (i.e. an 8-character password starting with one capital letter, followed by three lowercase letters and four digits):

# Get every user in the tenant; filter this list instead if you only need a subset
$users = Get-MsolUser -All
$arrMsolUserData = @()

foreach ($user in $users) {

    # Skip the admin account so you don't lock yourself out
    if ($user.UserPrincipalName -eq "user@tenant.onmicrosoft.com") { continue; }
    $objProperties = New-Object PSObject

    # Build an 8-character password: 1 uppercase letter, 3 lowercase letters, 4 digits.
    # Get-Random is not a cryptographic generator; these are temporary passwords only.
    $Password = ""
    $Password += ([char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZ" | Get-Random)
    $Password += $(1..3 | % { [char[]]"abcdefghijklmnopqrstuvwxyz" | Get-Random }) -join ""
    $Password += $(1..4 | % { [char[]]"0123456789" | Get-Random }) -join ""

    # Set the new password; the user is not forced to change it at next login
    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $Password -ForceChangePassword $false

    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $user.UserPrincipalName
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "Password" -Value $Password

    $arrMsolUserData += $objProperties
}

# Show the results and export them for distribution
$arrMsolUserData
$arrMsolUserData | Export-Csv -Path "C:\passwords.csv" -NoTypeInformation

You can exclude the admin account or just filter out the users you need instead of using -All. The list of users and new passwords will be exported to CSV, which you can use to redistribute them. Have fun 🙂

This entry was posted in Azure AD, Office 365, PowerShell.

18 Responses to Force password change for all users in Office 365

  1. Ricky says:

    It would be nice if you would show where these scripts are utilized within the Office 365 Admin environment.

  2. Micah Jones says:

    How do you specify all the users of a specific security group? I’ve been reading powershell articles all morning and haven’t found the answer.

    • Vasil Michev says:

      You will have to use the Get-MsolGroupMember or the Get-DistributionGroupMember cmdlets. That’s assuming you are talking about group that exists in O365.

  3. Hal says:

    Really good post! For a newbie to Exchange administration (forced really), this is very helpful.

    Curious if there is a way to reverse the force all users to reset their password. Replacing True with False creates new passwords.

    Thank you!

  4. nat c says:

    This can only be done through scripts? Why doesn't Microsoft have an easy way to do something so important!

    • Vasil Michev says:

      Which part exactly? Bulk changing passwords is available in the Admin portal. If you just want to toggle the reset password flag, you have to use PowerShell.

  5. Scott C says:

    This is beating the crap out of me, I’ve tried both:
    Set-MsolUserPassword -UserPrincipalName username@our-domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true
    AND
    Set-MsolUserPassword -ObjectID -ForceChangePasswordOnly $true -ForceChangePassword $true
    It worked for two users (myself included) but not for three others.
    I get no error, it looks like the command was issued.
    When I run:
    Get-MsolUser -UserPrincipalName username@our-domain.com | select DisplayName, LastPasswordChangeTimeStamp, @{Name="PasswordAge"; Expression={(Get-Date) - $_.LastPasswordChangeTimeStamp}}
    It returns valid information (user / last changed / pw age) so I’ve got the correct user principal name.
    Get-MsolUser returns the entire user list so it’s not an authentication issue with me.
    I’m stumped… any thoughts would be appreciated.

  6. Scott C says:

    An addendum to my question.
    The directions above say that it will force a password change at next login.
    Does that mean Office 365 login or PC login?
    For the two of us who had our passwords expired, it was logoff / login to Office 365 but I can believe that there could be something cached requiring a PC logoff / login.
    The other test subjects couldn’t logoff their PC till the end of the day so I’ll see then.

  7. Scott C says:

    No password writeback.

    For the three users that were not prompted immediately:
    User1 was prompted about 3 hours later within Outlook. Changed his password on the O365 portal. Outlook accepted the new password. He did not change the password on his phone yet it continued to work with the old password.
    User2’s email stopped working. He logged onto webmail and was prompted to change password. He started his MacBook laptop and the Outlook application. He was not prompted to change the Outlook for MAC password yet mail flowed to and from the application.
    User3 didn’t attempt to access email via Outlook till the next morning at which time he was prompted to reset the password.

    We do not use federation nor do we sync Azure passwords locally but this link enables users to change their own password. https://account.activedirectory.windowsazure.com/ChangePassword.aspx

    I don’t really expect you to troubleshoot my problems, I just wanted to get them out there in case you or someone else had any quick idea why they were happening. The delay in triggering the change is a problem but the inconsistency is the real issue.

    • Vasil Michev says:

      OK, I get it now, and this is pretty much expected. There’s a lot of caching happening on the backend and the middle-tier, so it’s normal that credentials don’t expire immediately. It’s one of the reasons why simply changing the password for a “leaver” is not a complete solution.

      In addition, the applications themselves can store credentials and even cause issues by trying to reuse the old password.

  8. Bob says:

    Vasil,

    can we force notification (standard one like 14 days) for password change for a user or groups?

    thanks

  9. Pingback: Cambio password utenti di dominio Office 365 (GDPR) – ExploitNetworking

  10. Pingback: How to change password consumers of domain Office 365 (GDPR) – ExploitNetworking