Set Office 365 user password to never expire via the AzureAD PowerShell module

With the AzureAD module now in GA, we should start updating our scripts and skills to take advantage of the new cmdlets. In case you need additional information about the Azure AD PowerShell module, its installation and use, make sure to check the documentation here.

I plan to release a series of articles detailing on how to perform the most common tasks via the new module, at least the ones that aren’t obvious that is. The first such example is disabling password expiration for a user account. It was actually a question over at the Azure AD forums, but I guess it deserves a bit more visibility. So here’s how to do it:

Set-AzureADUser -ObjectId efd8f64f-a605-4a39-85ca-d78150b8765d -PasswordPolicies DisablePasswordExpiration

Of course, using ObjectIds will only get you so far, so here’s an easier to handle example:

Get-AzureADUser -SearchString user@domain.com | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

If you want to do this for all users:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

To get a list of users with password set to never expire:

Get-AzureADUser | ? {$_.PasswordPolicies -match "DisablePasswordExpiration"}

Note the use of the –match operator above, reason being the poor handling of the PasswordPolicies parameter in the current version of the module. It’s a string parameter, with only two values allowed (DisablePasswordExpiration and DisableStrongPassword). Being a string however, you can easily overwrite it – setting DisablePasswordExpiration will remove the DisableStrongPassword value, and vice versa. While the latter value is hardly anything you would be using, a proper use of the cmdlet will need to make sure that values are preserved.

As a reminder, here’s how to disable password expiration via the old MSOL module:

Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true

Or for all users:

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

10 thoughts on “Set Office 365 user password to never expire via the AzureAD PowerShell module

  1. Sri Ram says:

    Hi, When I try to run the query in PowerShell I was getting parameter issue for password policies. Error details below. Can someone help please.

    PS C:\windows\system32> Set-AzADUser -ObjectId -PasswordPolicies DisablePasswordExpiration
    Update-AzADUser : A parameter cannot be found that matches parameter name ‘PasswordPolicies’.
    At line:1 char:51
    + … ADUser -ObjectId indukuri.sriram@israqua.in -PasswordPolicies Disable …
    + ~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Update-AzADUser], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand

    Reply
    1. Vasil Michev says:

      The Az module cmdlets are not interchangeable with the AzureAD ones, just use the Azure AD module.

      Reply
      1. john says:

        These do not seem to work in Powershell v7.0 in both windows and linux. I’m using the command Set-AzureADUser -ObjectId user@enterinit.com -PasswordPolicies DisablePasswordExpiration and getting the error: Set-AzureADUser: The term ‘Set-AzureADUser’ is not recognized as a name of a cmdlet, function, script file, or executable program.

        Reply
  2. Alon says:

    I was looking a way to revert the changes to DisablePasswordExpiration via the AzureAD PowerShell module and I could not find a way.
    Instead I had to resolt to the soon to be deprecated MSOL module :
    Install-Module -Name MSOnline
    Connect-MsolService
    Set-MsolUser -UserPrincipalName usertobemodified@domainblabla -PasswordNeverExpires $false

    Reply
      1. Vasil Michev says:

        Oh, they finally support it then. Thanks Gary! 🙂

        Reply
  3. Nick says:

    Hey there,

    I have a quick question. I cannot find anywhere how to remove the DisablePasswordExpiration policy from an account’s PasswordPolicies within Azure AD. Would you have any idea on how to revert the adding of the DisablePasswordExpiration policy?

    Thanks!
    Nick

    Reply
    1. Vasil Michev says:

      I’ve no idea, it seems like they are using an enumeration that only accepts two values, DisablePasswordExpiration and DisableStrongPassword, and no “null” value. So if you are fine with setting the DisableStrongPassword flag, you can clear the DisablePasswordExpiration, but I couldn’t find a way to clear them both. Just another stupid limitation of the Graph I guess, use the MSOL module instead.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.