With the AzureAD module now in GA, we should start updating our scripts and skills to take advantage of the new cmdlets. In case you need additional information about the Azure AD PowerShell module, its installation and use, make sure to check the documentation here.
I plan to release a series of articles detailing how to perform the most common tasks via the new module, or at least the ones that aren’t obvious. The first such example is disabling password expiration for a user account. It was actually a question over at the Azure AD forums, but I guess it deserves a bit more visibility. So here’s how to do it:
Set-AzureADUser -ObjectId efd8f64f-a605-4a39-85ca-d78150b8765d -PasswordPolicies DisablePasswordExpiration
Of course, using ObjectIds will only get you so far, so here’s an easier to handle example:
Get-AzureADUser -SearchString user@domain.com | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration
If you want to do this for all users:
Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration
To get a list of users with password set to never expire:
Get-AzureADUser -All $true | ? {$_.PasswordPolicies -match "DisablePasswordExpiration"}
Note the use of the -match operator above, the reason being the poor handling of the PasswordPolicies parameter in the current version of the module. It’s a string parameter, with only two values allowed (DisablePasswordExpiration and DisableStrongPassword). Being a string, however, it is easily overwritten: setting DisablePasswordExpiration will remove the DisableStrongPassword value, and vice versa. While the latter value is hardly anything you would be using, proper use of the cmdlet needs to make sure that existing values are preserved.
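One way to preserve existing values when setting the flag, as an added example that is not part of the original article or the AzureAD module. The function name Add-PasswordPolicyFlag and the sample user object are hypothetical, and the code assumes the property holds (and accepts on write) a comma-separated string such as "DisablePasswordExpiration, DisableStrongPassword".

```powershell
# Added example, not from the original article. Add-PasswordPolicyFlag is a hypothetical name.
# Assumption: PasswordPolicies is a comma-separated string, e.g.
# "DisablePasswordExpiration, DisableStrongPassword", and the same form is accepted on write.
function Add-PasswordPolicyFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User,   # user object as returned by Get-AzureADUser

        [ValidateSet('DisablePasswordExpiration', 'DisableStrongPassword')]
        [string]$Flag = 'DisablePasswordExpiration'
    )
    process {
        # Split the current value into flags; drop blanks and the "None" placeholder.
        $flags = @("$($User.PasswordPolicies)" -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne 'None' })

        # Flag already present: leave the account untouched.
        if ($flags -contains $Flag) { return }

        # Append the new flag to whatever was there instead of replacing it.
        $merged = (@($flags) + $Flag) -join ', '

        if ($PSCmdlet.ShouldProcess($User.UserPrincipalName, "Set PasswordPolicies to '$merged'")) {
            Set-AzureADUser -ObjectId $User.ObjectId -PasswordPolicies $merged
        }
    }
}

# Constructed sample object (not a real account) so the merge can be checked offline.
# With -WhatIf nothing is written; the message shows the value that would be set:
# "DisableStrongPassword, DisablePasswordExpiration".
$sample = [pscustomobject]@{
    ObjectId          = '00000000-0000-0000-0000-000000000000'
    UserPrincipalName = 'user@domain.com'
    PasswordPolicies  = 'DisableStrongPassword'
}
$sample | Add-PasswordPolicyFlag -WhatIf

# Against a live tenant the input comes from the module instead:
# Get-AzureADUser -SearchString user@domain.com | Add-PasswordPolicyFlag -WhatIf
```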
As a reminder, here’s how to disable password expiration via the old MSOL module:
Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true
Or for all users:
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
Hi, when I try to run the query in PowerShell I get a parameter issue for password policies. Error details below. Can someone help, please?
PS C:\windows\system32> Set-AzADUser -ObjectId -PasswordPolicies DisablePasswordExpiration
Update-AzADUser : A parameter cannot be found that matches parameter name ‘PasswordPolicies’.
At line:1 char:51
+ … ADUser -ObjectId indukuri.sriram@israqua.in -PasswordPolicies Disable …
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Update-AzADUser], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand
The Az module cmdlets are not interchangeable with the AzureAD ones, just use the Azure AD module.
These do not seem to work in PowerShell v7.0 on both Windows and Linux. I’m using the command Set-AzureADUser -ObjectId user@enterinit.com -PasswordPolicies DisablePasswordExpiration and getting the error: Set-AzureADUser: The term ‘Set-AzureADUser’ is not recognized as a name of a cmdlet, function, script file, or executable program.
The module is NOT supported on PSCore, as clearly noted in the documentation: https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide
Use good old Windows PowerShell, the AzureAD.Standard.Preview module (which does support PSCore) or call the Graph API endpoints directly.
I was looking for a way to revert the changes to DisablePasswordExpiration via the AzureAD PowerShell module and I could not find a way.
Instead I had to resort to the soon-to-be-deprecated MSOL module:
Install-Module -Name MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName usertobemodified@domainblabla -PasswordNeverExpires $false
Set-AzureADUser -ObjectId -PasswordPolicies None
Oh, they finally support it then. Thanks Gary! 🙂
Hey there,
I have a quick question. I cannot find anywhere how to remove the DisablePasswordExpiration policy from an account’s PasswordPolicies within Azure AD. Would you have any idea on how to revert the adding of the DisablePasswordExpiration policy?
Thanks!
Nick
I’ve no idea, it seems like they are using an enumeration that only accepts two values, DisablePasswordExpiration and DisableStrongPassword, and no “null” value. So if you are fine with setting the DisableStrongPassword flag, you can clear the DisablePasswordExpiration, but I couldn’t find a way to clear them both. Just another stupid limitation of the Graph I guess, use the MSOL module instead.