In hybrid environments managed with Active Directory, a password policy defined in on-premises Active Directory does not stop users from signing in to Azure resources and other Microsoft accounts. This is because the password expiry feature in Azure is disabled by default. Even if the policy specifies 90 days, users can keep using their passwords after 90 days have passed. The issue can be resolved by connecting to the Azure environment with PowerShell. Follow the steps below in order.
1. Run PowerShell as an administrator and enter the following command to install the AzureAD module.
Install-Module -Name AzureAD
Then import the AzureAD module:
Import-Module AzureAD
2. Next, connect to Azure AD with the following command. The sign-in prompt will ask for credentials. Enter either a Global Admin account or an account that has been granted the Azure role required for this operation.
Connect-AzureAD
3. Retrieve all users with the following command.
$users = Get-AzureADUser -All $true
4. Check the PasswordPolicies field in the user profiles. It may contain the value "DisablePasswordExpiration"; in that case the user can keep signing in even after the password should have expired. The script below updates this field to "None" for every such user.
foreach ($user in $users) {
    # Get the user's ObjectId
    $userObjectId = $user.ObjectId
    # Re-read the user so the PasswordPolicies field is current
    $userDetails = Get-AzureADUser -ObjectId $userObjectId
    # PasswordPolicies is a comma-separated string, so match the token with -like
    # rather than comparing the whole value with -contains
    if ($userDetails.PasswordPolicies -like "*DisablePasswordExpiration*") {
        # Update PasswordPolicies so the tenant's expiry period applies again
        Set-AzureADUser -ObjectId $userObjectId -PasswordPolicies "None"
        # Clear the never-expires flag so the 90-day expiry applies
        # (requires the MSOnline module and a prior Connect-MsolService)
        Set-MsolUser -UserPrincipalName $userDetails.UserPrincipalName -PasswordNeverExpires $false
        # Force the user to change their password at next sign-in
        Set-AzureADUserPassword -ObjectId $userObjectId -ForceChangePasswordNextLogin $true
    }
}
After running the script, check the user profiles to confirm that the PasswordPolicies field now reads "None." Test within your organization to verify that accounts whose password status is intentionally set to "Never Expire" are not affected by this script and that their passwords do not expire. If your service accounts are affected by this operation, it could cause outages. If necessary, create a group and apply these changes only to active users.
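The group-based scoping suggested above, as an added example that is not part of the original post: it reports every user with DisablePasswordExpiration, marks members of an exclusion group (the group name "SVC-NoPasswordExpiry" is a hypothetical placeholder for your service-account group), and changes nothing unless -Apply is passed. It assumes Connect-AzureAD has already been run.

```powershell
# Added example: audit-first version of the cleanup, scoped by an exclusion group.
param(
    [string]$ExclusionGroupName = "SVC-NoPasswordExpiry",   # hypothetical group name
    [string]$ReportPath = ".\password-expiry-audit.csv",
    [switch]$Apply
)

# Resolve the exclusion group and collect the ObjectIds of its members.
$excluded = @{}
$group = Get-AzureADGroup -SearchString $ExclusionGroupName | Select-Object -First 1
if ($group) {
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        ForEach-Object { $excluded[$_.ObjectId] = $true }
}

# PasswordPolicies is a comma-separated string; match the token rather than the
# whole value. A null value means the tenant default (expiry enabled) applies.
$report = @(Get-AzureADUser -All $true | Where-Object {
    $_.PasswordPolicies -and $_.PasswordPolicies -like "*DisablePasswordExpiration*"
} | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        ObjectId          = $_.ObjectId
        AccountEnabled    = $_.AccountEnabled
        UserType          = $_.UserType
        PasswordPolicies  = $_.PasswordPolicies
        Excluded          = $excluded.ContainsKey($_.ObjectId)
    }
})

$report | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} user(s) have DisablePasswordExpiration; {1} excluded via group; report: {2}" -f `
    $report.Count, @($report | Where-Object Excluded).Count, $ReportPath

if (-not $Apply) { return }

# Only enabled member accounts outside the exclusion group are changed, and other
# policy tokens (e.g. DisableStrongPassword) are kept instead of being overwritten.
$targets = $report | Where-Object { -not $_.Excluded -and $_.AccountEnabled -and $_.UserType -eq "Member" }
foreach ($u in $targets) {
    $remaining = ($u.PasswordPolicies -split "," | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne "DisablePasswordExpiration" }) -join ","
    if (-not $remaining) { $remaining = "None" }
    Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies $remaining
    "Re-enabled password expiry for {0} (policy now '{1}')" -f $u.UserPrincipalName, $remaining
}
```

Run it once without -Apply and review the CSV before re-running with -Apply. Note that Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell, so the same logic will eventually need to move to Get-MgUser/Update-MgUser.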