Force password change for all users in Office 365

This seems to be a frequent request, so here’s how to do it. To force a user to change their password on next login, without actually changing the password on their behalf:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To force a group of users to change their passwords:

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

Or use any other criteria, as appropriate. Note that you have to use both the ForceChangePassword and ForceChangePasswordOnly parameters. If you skip ForceChangePasswordOnly, a new password will be generated for the user and you will need to distribute it.
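As an added example (not from the original post), here is a scoped version of the same operation that skips an exclusion list of accounts you never want to lock out (e.g. break-glass admins), supports a dry run, and writes a log of what was done. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the UPN and country values are placeholders.

```powershell
# Added example, not part of the original post.
# Force a password change on next sign-in for a scoped set of users,
# skipping an exclusion list, and record the outcome per user.
param(
    [string[]]$ExcludeUpn = @("breakglass@tenant.onmicrosoft.com"),  # placeholder UPNs
    [string]$Country = "USA",   # scoping criterion, as in the post
    [switch]$DryRun             # report which users would be affected; change nothing
)

$results = @()
$targets = Get-MsolUser -All | Where-Object {
    $_.Country -eq $Country -and ($ExcludeUpn -notcontains $_.UserPrincipalName)
}

foreach ($u in $targets) {
    $entry = [pscustomobject]@{
        UserPrincipalName    = $u.UserPrincipalName
        PasswordNeverExpires = $u.PasswordNeverExpires   # worth knowing before you flag the user
        Action               = "skipped (dry run)"
        Error                = $null
    }
    if (-not $DryRun) {
        try {
            # Both parameters are required: without -ForceChangePasswordOnly the
            # cmdlet generates a new password instead of just setting the flag.
            Set-MsolUserPassword -UserPrincipalName $u.UserPrincipalName `
                -ForceChangePassword $true -ForceChangePasswordOnly $true | Out-Null
            $entry.Action = "flag set"
        } catch {
            $entry.Action = "failed"
            $entry.Error  = $_.Exception.Message
        }
    }
    $results += $entry
}

# Keep a record of who was flagged (and who failed) for follow-up
$results | Export-Csv -Path ".\force-change-log.csv" -NoTypeInformation
$results
```

Run it once with -DryRun first to review the target list before making changes.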

Speaking of this scenario, here’s an old script I used to reset passwords in the format used by Office 365 (i.e. an 8-character password consisting of a capital letter, three lowercase letters and four digits):

$users = Get-MsolUser -All
$arrMsolUserData = @()

foreach ($user in $users) {

    # Skip the admin account so you don't reset your own password
    if ($user.UserPrincipalName -eq "user@tenant.onmicrosoft.com") { continue; }
    $objProperties = New-Object PSObject

    # Build an 8-character password: 1 uppercase letter, 3 lowercase letters, 4 digits
    $Password = ""
    $Password += ([char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZ" | Get-Random)
    $Password += $(1..3 | % { [char[]]"abcdefghijklmnopqrstuvwxyz" | Get-Random }) -join ""
    $Password += $(1..4 | % { [char[]]"0123456789" | Get-Random }) -join ""

    # Set the new password without requiring a change at next sign-in
    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $Password -ForceChangePassword $false

    # Record the UPN and new password for distribution
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $user.UserPrincipalName
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "Password" -Value $Password

    $arrMsolUserData += $objProperties
}

$arrMsolUserData
$arrMsolUserData | Export-Csv -Path "C:\passwords.csv" -NoTypeInformation

You can exclude the admin account or just filter out the users you need instead of using All. The list of users and new passwords will be exported to CSV, which you can use to redistribute them. Have fun 🙂

This entry was posted in Azure AD, Office 365, PowerShell.

58 Responses to Force password change for all users in Office 365

  1. Haitham Badarin says:

    Hi,
    Thanks for the amazing post. A large number of users in my tenant still use a default password which is related to their UPN. I want to warn them by forcing a temporary block of accounts for, say, 2 or 4 hours on a certain day if they keep using the default password. How should I do that? How do I get the users who are still using the default password, and how do I block them based on this criteria?

    Thanks

  2. Silver says:

    Hi,

    We have an issue whereby users are able to access O365 with expired passwords. I investigated and found this explanation from a Microsoft forum: “if a user is in the scope of password synchronization, the cloud account password is set to Never Expire. Which means users can continue to sign in to their cloud services by using a synchronized password that is expired in your on-premises environment. Their cloud passwords are updated the next time you change the password in the on-premises environment” –> https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_password-mso_o365b/office-365-hybrid-log-in-after-password-expired/ac61216d-85fd-44f5-911f-a76c35fb4a94

    My question is: How can we ensure that expired passwords are not able to be used on O365?

    Thanks.

    ST

  3. Len Ross says:

    Truly a solution written by a programmer, for a programmer, with no empathy for how a non-programmer will receive. Where does one even go to paste this code? I guess if you’re a programmer you just know.

    • Rich says:

      Without wanting to sound like an a*hole, if you don’t recognise PowerShell commands and lack a basic understanding of a PowerShell script…. you probably shouldn’t be here. This should be the bread and butter of all System Admins, and if you’re not comfortable with it, it’s high time you got comfortable with it, cause PowerShell is amazing and is well worth investing your time in getting your head around it.

      Not a programmer, yet I understand it.

      Great Post

  4. PhilFIT says:

    Just a quick note, if you have “PasswordNeverExpires” set to “True” this won’t do a damn thing.
    In my case I had to first run:
    > Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $false
    Then run
    > Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

    • Tom Jan says:

      I’ve had opposite experience.
      Coupled with Revoke-AzureADUserAllRefreshToken it does what is intended. User sessions are disrupted and next sign in forces password change. Worked for my tenant even though Get-MsolUser property PasswordNeverExpires is indeed $True.

      • Krisen Kuppusamy says:

        Hi Tom, did you run the Revoke-AzureADUserAllRefreshToken separately, or include it as part of Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true?
        thanks,
        Krisen

  5. Pingback: Force change passwords group of users Office 365 [MCS365] – 365 admin service

  6. Andrea Palazzi says:

    Could you provide a script that is going to force such a change for all the members of a specific group?

    Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

    If a group is 1234@contoso.org….. how should the script look?

  7. Daniel Fuentes says:

    Hey Vasil,

    I’m trying to execute a script that will force a specific Group in Azure to change their passwords upon next login, however, after executing it against a test group that just includes myself, it doesn’t seem to be doing anything.

    Can you assist in identifying what I may be doing wrong?

    $users = Get-MsolGroupMember -GroupObjectID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

    foreach ($users in $user) {
    Set-MsolUserPassword -UserPrincipalName “$users@domain.com” -ForceChangePasswordOnly $true -ForceChangePassword $true
    }

    Any & all input would be greatly appreciated!

    • Vasil Michev says:

      Your loop is all wrong, try something like this:

      foreach ($user in $users) {
      Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -ForceChangePasswordOnly $true -ForceChangePassword $true
      }

      • Simon Hand says:

        hey there

        Trying to get this working but I’m getting an error when running this. Need to force the password change for users in a group. I’ve copied what you have here but no joy:

        cannot bind argument to parameter userprincipalname because it is null

        A PowerShell virgin meself, I’ve done just a copy of what you have in your reply to Daniel.

        • Vasil Michev says:

          Did you set the $users variable first?

        • Simon Hand says:

          The error was saying the UPN is null. There is no UPN field being populated when you run the command.
          The group doesn’t seem to have this column of UPN. I got it working by setting it to use the email:

          $users = Get-MsolGroupMember -GroupObjectID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

          foreach ($user in $users) {
          Set-MsolUserPassword -UserPrincipalName $user.EmailAddress -ForceChangePasswordOnly $true -ForceChangePassword $true
          }

          Is there a risk in using the email address rather than the UPN for this?

        • Vasil Michev says:

          Oh you’re right, it should be using EmailAddress. That’s what happens when I try to write some script sample from memory 🙂

        • Simon Hand says:

          haha all good Vasil, appreciate your help. Last one for ye

          I know UPN and email can be different. Could I make a mess by running it with the email? Is there a risk using the EmailAddress instead of UPN?

        • Vasil Michev says:

          Should be fine, as they are all unique within the tenant.

  8. Tom Johnson says:

    Hello Vasil, do you know if this will work for a hybrid environment?

    • Vasil Michev says:

      Define Hybrid? If passwords are managed/synced from on-premises, you need to change them there.

  9. jjako says:

    You can deactivate the option to require a user to change the password when starting the first time, by PowerShell and in bulk. ?????

  10. Zack says:

    Is there a way to schedule the force password change in Office 365 to be every six months?

  11. Erik Sheldon says:

    How can I set the flag for password reset on all users on next logon EXCEPT a few I want to name?

  12. Jako says:

    Dave, you have to use Set-MsolUserPassword command, not Set-MsolUser

  13. Dave says:

    I’ve got the MSOnline module installed but I’m getting an error message:

    A parameter cannot be found that matches parameter name ‘ForceChangePasswordOnly’

  14. Nick says:

    Can this be done in PowerShell if not using Azure AD? I use PowerShell to set mailbox permissions, etc., but when I attempt these commands I get an error that states ‘Set-MsolUserPassword’ is not recognized as the name of a cmdlet… ObjectNotFound, CommandNotFoundException.

    Any help would be appreciated.

    Thank you.

  15. John says:

    Great work, thank you. Has anyone managed to do this from a CSV file for force password change on next logon?

    • Vasil Michev says:

      Hi John, I see you already got the answer on EE, but for any future enquiries:

      Assuming you have a blabla.csv with a column UPN to designate the users:

      Import-Csv blabla.csv | % { Set-MsolUserPassword -UserPrincipalName $_.UPN -ForceChangePasswordOnly $true -ForceChangePassword $true }

  16. Pingback: How to change password consumers of domain Office 365 (GDPR) – ExploitNetworking

  18. Pingback: Office 365 domain user password change (GDPR) – ExploitNetworking

  19. Bob says:

    Vasil,

    can we force notification (standard one like 14 days) for password change for a user or groups?

    thanks

  20. Scott C says:

    No password writeback.

    For the three users that were not prompted immediately:
    User1 was prompted about 3 hours later within Outlook. Changed his password on the O365 portal. Outlook accepted the new password. He did not change the password on his phone yet it continued to work with the old password.
    User2’s email stopped working. He logged onto webmail and was prompted to change password. He started his MacBook laptop and the Outlook application. He was not prompted to change the Outlook for MAC password yet mail flowed to and from the application.
    User3 didn’t attempt to access email via Outlook till the next morning at which time he was prompted to reset the password.

    We do not use federation nor do we sync Azure passwords locally but this link enables users to change their own password. https://account.activedirectory.windowsazure.com/ChangePassword.aspx

    I don’t really expect you to troubleshoot my problems, I just wanted to get them out there in case you or someone else had any quick idea why they were happening. The delay in triggering the change is a problem but the inconsistency is the real issue.

    • Vasil Michev says:

      OK, I get it now, and this is pretty much expected. There’s a lot of caching happening on the backend and the middle-tier, so it’s normal that credentials don’t expire immediately. It’s one of the reasons why simply changing the password for a “leaver” is not a complete solution.

      In addition, the applications themselves can store credentials and even cause issues by trying to reuse the old password.

      • me says:

        M$ have blown security right out of the water with 365. Once a user is compromised in your business you are fucked. That user sends out an email to all other users who then may enter their password to what looks like a 365 login screen sent by your CEO. Fucked. Try disabling all users and prompting for password resets “immediately”. User credentials are signed and last for as long as the default 365 setting is, which is generally an hour. In that hour, I can tell you, the hackers run rampant and gather as much of your data as possible before they are finally closed out. Users get compromised left and right in a large organisation long before you can log into MSO or another portal where the process of “security” is so obfuscated in the typical M$ garbage that it is impossible to gather what has been done, shut it off by pulling a plug immediately and take back control. This is a massive fuck around and M$ is to blame. I mean remote PowerShell active by default for ALL users? Seriously wtf?!?

  21. Scott C says:

    An addendum to my question.
    The directions above say that it will force a password change at next login.
    Does that mean Office 365 login or PC login?
    For the two of us who had our passwords expired, it was logoff / login to Office 365 but I can believe that there could be something cached requiring a PC logoff / login.
    The other test subjects couldn’t logoff their PC till the end of the day so I’ll see then.

  22. Scott C says:

    This is beating the crap out of me, I’ve tried both:
    Set-MsolUserPassword -UserPrincipalName username@our-domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true
    AND
    Set-MsolUserPassword -ObjectID -ForceChangePasswordOnly $true -ForceChangePassword $true
    It worked for two users (myself included) but not for three others.
    I get no error, it looks like the command was issued.
    When I run:
    Get-MsolUser -UserPrincipalName username@our-domain.com | select DisplayName, LastPasswordChangeTimeStamp, @{Name="PasswordAge"; Expression={(Get-Date) - $_.LastPasswordChangeTimeStamp}}
    It returns valid information (user / last changed / pw age) so I’ve got the correct user principal name.
    Get-MsolUser returns the entire user list so it’s not an authentication issue with me.
    I’m stumped… any thoughts would be appreciated.

  23. nat c says:

    This can only be done through scripts? Why doesn’t Microsoft have an easy way to do something so important!

    • Vasil Michev says:

      Which part exactly? Bulk changing passwords is available in the Admin portal. If you just want to toggle the reset password flag, you have to use PowerShell.

  24. Hal says:

    Really good post! For a newbie to Exchange administration (forced really), this is very helpful.

    Curious if there is a way to reverse the force all users to reset their password. Replacing True with False creates new passwords.

    Thank you!

  25. Micah Jones says:

    How do you specify all the users of a specific security group? I’ve been reading PowerShell articles all morning and haven’t found the answer.

    • Vasil Michev says:

      You will have to use the Get-MsolGroupMember or the Get-DistributionGroupMember cmdlets. That’s assuming you are talking about a group that exists in O365.

    • John Davies says:

      Did you manage to script this? I know it is going back a while.

      Thanks

  26. Ricky says:

    It would be nice if you would show where these scripts are utilized within the Office 365 Admin environment.
