Set Office 365 user password to never expire via the AzureAD PowerShell module

With the AzureAD module now in GA, we should start updating our scripts and skills to take advantage of the new cmdlets. In case you need additional information about the Azure AD PowerShell module, its installation and use, make sure to check the documentation here.

I plan to release a series of articles detailing on how to perform the most common tasks via the new module, at least the ones that aren’t obvious that is. The first such example is disabling password expiration for a user account. It was actually a question over at the Azure AD forums, but I guess it deserves a bit more visibility. So here’s how to do it:

Set-AzureADUser -ObjectId efd8f64f-a605-4a39-85ca-d78150b8765d -PasswordPolicies DisablePasswordExpiration

Of course, using ObjectIds will only get you so far, so here’s an easier to handle example:

Get-AzureADUser -SearchString | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

If you want to do this for all users:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

To get a list of users with password set to never expire:

Get-AzureADUser | ? {$_.PasswordPolicies -match "DisablePasswordExpiration"}

Note the use of the –match operator above, reason being the poor handling of the PasswordPolicies parameter in the current version of the module. It’s a string parameter, with only two values allowed (DisablePasswordExpiration and DisableStrongPassword). Being a string however, you can easily overwrite it – setting DisablePasswordExpiration will remove the DisableStrongPassword value, and vice versa. While the latter value is hardly anything you would be using, a proper use of the cmdlet will need to make sure that values are preserved.

As a reminder, here’s how to disable password expiration via the old MSOL module:

Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true

Or for all users:

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
This entry was posted in Azure AD, Office 365, PowerShell. Bookmark the permalink.

10 Responses to Set Office 365 user password to never expire via the AzureAD PowerShell module

  1. Sri Ram says:

    Hi, When I try to run the query in PowerShell I was getting parameter issue for password policies. Error details below. Can someone help please.

    PS C:\windows\system32> Set-AzADUser -ObjectId -PasswordPolicies DisablePasswordExpiration
    Update-AzADUser : A parameter cannot be found that matches parameter name ‘PasswordPolicies’.
    At line:1 char:51
    + … ADUser -ObjectId -PasswordPolicies Disable …
    + ~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Update-AzADUser], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand

  2. Alon says:

    I was looking a way to revert the changes to DisablePasswordExpiration via the AzureAD PowerShell module and I could not find a way.
    Instead I had to resolt to the soon to be deprecated MSOL module :
    Install-Module -Name MSOnline
    Set-MsolUser -UserPrincipalName usertobemodified@domainblabla -PasswordNeverExpires $false

  3. Nick says:

    Hey there,

    I have a quick question. I cannot find anywhere how to remove the DisablePasswordExpiration policy from an account’s PasswordPolicies within Azure AD. Would you have any idea on how to revert the adding of the DisablePasswordExpiration policy?


    • Vasil Michev says:

      I’ve no idea, it seems like they are using an enumeration that only accepts two values, DisablePasswordExpiration and DisableStrongPassword, and no “null” value. So if you are fine with setting the DisableStrongPassword flag, you can clear the DisablePasswordExpiration, but I couldn’t find a way to clear them both. Just another stupid limitation of the Graph I guess, use the MSOL module instead.

  4. Pingback: Set-Office 365 user password to never expire via the AzureAD PowerShell module –

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.