Force password change for all users in Office 365

This seems to be a frequent request, so here’s how to do it. To force a user to change his password at next login, without actually resetting the password on his behalf:

Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

To force a group of users to change their passwords:

Get-MsolUser -All | ? {$_.Country -eq "USA"} | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

Or use any other criteria, as appropriate. Note that you have to use both the ForceChangePassword and ForceChangePasswordOnly parameters. If you skip ForceChangePasswordOnly, a new password will be generated for the user and you will need to distribute it.

Speaking of this scenario, here’s an old script I used to reset passwords in the format used by Office 365 (i.e. an 8-character password: a capital letter, then three lowercase letters, then four digits):

$users = Get-MsolUser -All
$arrMsolUserData = @()

foreach ($user in $users) {

    # Skip the admin account so it keeps its current password
    if ($user.UserPrincipalName -eq "user@tenant.onmicrosoft.com") { continue; }
    $objProperties = New-Object PSObject

    # Build the 8-character password: one capital, three lowercase letters, four digits
    $Password = ""
    $Password += ([char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZ" | Get-Random)
    $Password += $(1..3 | % { [char[]]"abcdefghijklmnopqrstuvwxyz" | Get-Random }) -join ""
    $Password += $(1..4 | % { [char[]]"0123456789" | Get-Random }) -join ""

    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $Password -ForceChangePassword $false

    # Record the UPN and the new password so they can be distributed
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "UserPrincipalName" -Value $user.UserPrincipalName
    Add-Member -InputObject $objProperties -MemberType NoteProperty -Name "Password" -Value $Password

    $arrMsolUserData += $objProperties
}

$arrMsolUserData
$arrMsolUserData | Export-Csv -Path "C:\passwords.csv" -NoTypeInformation

You can exclude the admin account or just filter out the users you need instead of using All. The list of users and new passwords will be exported to CSV, which you can use to redistribute them. Have fun 🙂
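As an added example (not the post’s own script), here is the same bulk reset with the temporary passwords drawn from a cryptographic RNG instead of Get-Random, lengthened to 12 characters, and marked single-use with -ForceChangePassword $true. It assumes the MSOnline module is loaded, Connect-MsolService has already been run, and the excluded admin UPN and output path are placeholders.

```powershell
# Added example, not the original post's script. Assumes MSOnline is loaded and
# Connect-MsolService has been run; the admin UPN and CSV path are placeholders.
function Get-SecureRandomInt {
    # Uniform integer in [0, Max) for Max <= 256, using rejection sampling so the
    # modulo step does not bias small values.
    param([int]$Max, [System.Security.Cryptography.RandomNumberGenerator]$Rng)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-TempPassword {
    param([int]$Length = 12)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Ambiguous glyphs (I, O, l, o, 0, 1) are left out because temporary passwords
    # are often read aloud or typed from paper.
    $upper = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower = [char[]]'abcdefghijkmnpqrstuvwxyz'
    $digit = [char[]]'23456789'
    $all   = $upper + $lower + $digit

    # Guarantee one character from each class, then fill the rest from the full set.
    $chars = @($upper[(Get-SecureRandomInt $upper.Length $rng)],
               $lower[(Get-SecureRandomInt $lower.Length $rng)],
               $digit[(Get-SecureRandomInt $digit.Length $rng)])
    while ($chars.Count -lt $Length) {
        $chars += $all[(Get-SecureRandomInt $all.Length $rng)]
    }
    # Fisher-Yates shuffle so the position of each class is not predictable.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomInt ($i + 1) $rng
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    return -join $chars
}

# Reset every user except the break-glass admin (placeholder UPN) and record the
# result. -ForceChangePassword $true makes the temporary password single-use.
$results = foreach ($user in Get-MsolUser -All) {
    if ($user.UserPrincipalName -eq 'admin@tenant.onmicrosoft.com') { continue }
    $pw = New-TempPassword
    Set-MsolUserPassword -UserPrincipalName $user.UserPrincipalName -NewPassword $pw -ForceChangePassword $true | Out-Null
    [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; TempPassword = $pw }
}
$results | Export-Csv -Path "$env:USERPROFILE\temp-passwords.csv" -NoTypeInformation
```

The CSV holds live credentials until every user has logged on once, so treat it like the original post’s passwords.csv: hand it over through a protected channel and delete it afterwards.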

This entry was posted in Azure AD, Office 365, PowerShell.

27 Responses to Force password change for all users in Office 365

  1. Ricky says:

    It would be nice if you would show where these scripts are utilized within the Office 365 Admin environment.

  2. Micah Jones says:

    How do you specify all the users of a specific security group? I’ve been reading powershell articles all morning and haven’t found the answer.

    • Vasil Michev says:

      You will have to use the Get-MsolGroupMember or the Get-DistributionGroupMember cmdlets. That’s assuming you are talking about a group that exists in O365.

    • John Davies says:

      Did you manage to script this? I know it is going back a while.

      Thanks

  3. Hal says:

    Really good post! For a newbie to Exchange administration (forced really), this is very helpful.

    Curious if there is a way to reverse the force all users to reset their password. Replacing True with False creates new passwords.

    Thank you!

  4. nat c says:

    this can only be done through scripts? why doesn’t microsoft have an easy way to do something so important!

    • Vasil Michev says:

      Which part exactly? Bulk changing passwords is available in the Admin portal. If you just want to toggle the reset password flag, you have to use PowerShell.

  5. Scott C says:

    This is beating the crap out of me, I’ve tried both:
    Set-MsolUserPassword -UserPrincipalName username@our-domain.com -ForceChangePasswordOnly $true -ForceChangePassword $true
    AND
    Set-MsolUserPassword -ObjectID -ForceChangePasswordOnly $true -ForceChangePassword $true
    It worked for two users (myself included) but not for three others.
    I get no error, it looks like the command was issued.
    When I run:
    Get-MsolUser -UserPrincipalName username@our-domain.com | select DisplayName, LastPasswordChangeTimeStamp, @{Name="PasswordAge"; Expression={(Get-Date) - $_.LastPasswordChangeTimeStamp}}
    It returns valid information (user / last changed / pw age) so I’ve got the correct user principal name.
    Get-MsolUser returns the entire user list so it’s not an authentication issue with me.
    I’m stumped… any thoughts would be appreciated.

  6. Scott C says:

    An addendum to my question.
    The directions above say that it will force a password change at next login.
    Does that mean Office 365 login or PC login?
    For the two of us who had our passwords expired, it was logoff / login to Office 365 but I can believe that there could be something cached requiring a PC logoff / login.
    The other test subjects couldn’t logoff their PC till the end of the day so I’ll see then.

  7. Scott C says:

    No password writeback.

    For the three users that were not prompted immediately:
    User1 was prompted about 3 hours later within Outlook. Changed his password on the O365 portal. Outlook accepted the new password. He did not change the password on his phone yet it continued to work with the old password.
    User2’s email stopped working. He logged onto webmail and was prompted to change password. He started his MacBook laptop and the Outlook application. He was not prompted to change the Outlook for MAC password yet mail flowed to and from the application.
    User3 didn’t attempt to access email via Outlook till the next morning at which time he was prompted to reset the password.

    We do not use federation nor do we sync Azure passwords locally but this link enables users to change their own password. https://account.activedirectory.windowsazure.com/ChangePassword.aspx

    I don’t really expect you to troubleshoot my problems, I just wanted to get them out there in case you or someone else had any quick idea why they were happening. The delay in triggering the change is a problem but the inconsistency is the real issue.

    • Vasil Michev says:

      OK, I get it now, and this is pretty much expected. There’s a lot of caching happening on the backend and the middle-tier, so it’s normal that credentials don’t expire immediately. It’s one of the reasons why simply changing the password for a “leaver” is not a complete solution.

      In addition, the applications themselves can store credentials and even cause issues by trying to reuse the old password.

      • me says:

        M$ have blown security right out of the water with 365. Once a user is compromised in your business you are fucked. That user sends out an email to all other users who then may enter their password to what looks like a 365 login screen sent by your CEO. Fucked. Try disabling all users and prompting for password resets “immediately”. User credentials are signed and last for as long as the default 365 setting is, which is generally an hour. In that hour, I can tell you, the hackers run rampant and gather as much of your data as possible before they are finally closed out. Users get compromised left and right in a large organisation long before you can log into MSO or another portal where the process of “security” is so obfuscated in the typical M$ garbage that it is impossible to gather what has been done, shut it off by pulling a plug immediately and take back control. This is a massive fuck around and M$ is to blame. I mean remote PowerShell active by default for ALL users? Seriously wtf?!?

  8. Bob says:

    Vasil,

    can we force notification (standard one like 14 days) for password change for a user or groups?

    thanks

  9. Pingback: Cambio password utenti di dominio Office 365 (GDPR) – ExploitNetworking

  10. Pingback: How to change password consumers of domain Office 365 (GDPR) – ExploitNetworking

  12. John says:

    Great work, thank you. Has anyone managed to do this from a CSV file for force password change on next logon?

    • Vasil Michev says:

      Hi John, I see you already got the answer on EE, but for any future enquiries:

      Assuming you have a blabla.csv with a column UPN to designate the users:

      Import-Csv blabla.csv | % { Set-MsolUserPassword -UserPrincipalName $_.UPN -ForceChangePasswordOnly $true -ForceChangePassword $true }

  13. Nick says:

    Can this be done in PowerShell if not using Azure AD? I use PowerShell to set mailbox permissions, etc. but when I attempt these commands I get an error that states ‘Set-MsolUserPassword’ is not recognized as the name of a cmdlet… ObjectNotFound, CommandNotFoundException.

    Any help would be appreciated.

    Thank you.

  14. Dave says:

    I’ve got the MSOnline module installed but I’m getting an error message:

    A parameter cannot be found that matches parameter name ‘ForceChangePasswordOnly’

  15. Jako says:

    Dave, you have to use Set-MsolUserPassword command, not Set-MsolUser
