uzunpath

How to Enable Password Expiry Policy for Azure AD Users

Updated: Jul 8


Mr. Azure


In hybrid environments synchronised from Active Directory, a password policy configured in Active Directory does not by itself cause passwords to expire in Azure AD: users can keep signing in to Azure resources and the other Microsoft cloud services, because password expiry in Azure AD is disabled by default. Even if the policy specifies 90 days, users can keep using their passwords after 90 days. This can be fixed by connecting to Azure AD with PowerShell. Follow the steps below in order.



1. Run PowerShell as an administrator and install the AzureAD module with the following command:

Install-Module -Name AzureAD

Then import the module:

Import-Module AzureAD


2. Next, connect to Azure AD with the following command. The sign-in prompt asks for credentials; use a Global Administrator account or an account that has been granted the Azure AD permissions needed for this operation.


Connect-AzureAD


3. You can retrieve all user information using the following command.


$users = Get-AzureADUser -All $true


4. Check the PasswordPolicies field in each user's profile. If it contains the value "DisablePasswordExpiration", the user can keep signing in with a password that should have expired. The following script updates this field to "None" for those users.


foreach ($user in $users) {
    # Get the user's ObjectId
    $userObjectId = $user.ObjectId

    # Re-read the user so the PasswordPolicies field is current
    $userDetails = Get-AzureADUser -ObjectId $userObjectId

    # PasswordPolicies is a comma-separated string (it may also carry DisableStrongPassword),
    # so match the substring; -contains would only match when the whole string is exactly this value
    if ($userDetails.PasswordPolicies -match "DisablePasswordExpiration") {
        # Update PasswordPolicies so the tenant password expiry applies to this user
        Set-AzureADUser -ObjectId $userObjectId -PasswordPolicies "None"

        # Clear the never-expires flag through MSOnline as well. This line needs the MSOnline module
        # and a prior Connect-MsolService; it duplicates the Set-AzureADUser call above and can be omitted
        Set-MsolUser -UserPrincipalName $userDetails.UserPrincipalName -PasswordNeverExpires $false

        # Force the user to set a new password at next sign-in
        Set-AzureADUserPassword -ObjectId $userObjectId -ForceChangePasswordNextLogin $true
    }
}


After running the script, check the user profiles to confirm that the PasswordPolicies field has changed to "None." Test within your organization to verify that accounts which are meant to keep the "Never Expire" setting are not touched by this script and that their passwords still do not expire. Service accounts in particular can break if this operation is applied to them. If necessary, create a group and apply these changes only to active users.
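The closing advice above (exempt service accounts, scope the change to active users, verify afterwards) can be turned into a report-first version of the same fix. The following script is an added example, not code from the original post: it assumes the AzureAD module is installed and Connect-AzureAD has already been run, and it assumes a security group with the hypothetical name "PasswordExpiry-Exempt" that holds the service accounts which must keep "DisablePasswordExpiration". Run it with -WhatIf first to see which users would be changed, then without it to apply and verify. It only clears the policy flag; the forced password change from the script above is left out so the two steps can be reviewed separately.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD has already succeeded
# and that the exempt group name below exists; both names are hypothetical placeholders.
param(
    [string]$ExemptGroupName = "PasswordExpiry-Exempt",   # hypothetical group of service accounts
    [switch]$WhatIf                                       # report only, change nothing
)

# Resolve the exempt group and collect its members' ObjectIds (empty set if the group is absent)
$exemptIds = @{}
$group = Get-AzureADGroup -SearchString $ExemptGroupName |
    Where-Object { $_.DisplayName -eq $ExemptGroupName }
if ($group) {
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        ForEach-Object { $exemptIds[$_.ObjectId] = $true }
}
else {
    Write-Warning "Exempt group '$ExemptGroupName' not found; no accounts will be exempted"
}

# PasswordPolicies is a comma-separated string such as "DisablePasswordExpiration, DisableStrongPassword",
# so test with -match; -contains would only match when the whole string is exactly that one value.
# Only enabled accounts are considered, matching the advice to apply this to active users.
$candidates = Get-AzureADUser -All $true |
    Where-Object { $_.AccountEnabled -and $_.PasswordPolicies -match 'DisablePasswordExpiration' }

$report = foreach ($u in $candidates) {
    $exempt = $exemptIds.ContainsKey($u.ObjectId)
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PasswordPolicies  = $u.PasswordPolicies
        Exempt            = $exempt
        Action            = if ($exempt) { 'skip' } elseif ($WhatIf) { 'would set None' } else { 'set None' }
    }
    if (-not $exempt -and -not $WhatIf) {
        Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies "None" | Out-Null
    }
}

$report | Format-Table -AutoSize

# Verification pass: any enabled, non-exempt user still carrying the flag is a change that did not apply
if (-not $WhatIf) {
    $remaining = Get-AzureADUser -All $true |
        Where-Object { $_.AccountEnabled -and
                       -not $exemptIds.ContainsKey($_.ObjectId) -and
                       $_.PasswordPolicies -match 'DisablePasswordExpiration' }
    if ($remaining) {
        Write-Warning ("{0} user(s) still have DisablePasswordExpiration" -f @($remaining).Count)
        $remaining | Select-Object UserPrincipalName, PasswordPolicies | Format-Table -AutoSize
    }
    else {
        Write-Host "All enabled, non-exempt users now have PasswordPolicies = None"
    }
}
```

Save it as a .ps1 file and run `.\Enable-PasswordExpiry.ps1 -WhatIf` (hypothetical file name) to get the table of affected users without changing anything; rerun without -WhatIf to apply. Keeping service accounts in a dedicated group, rather than hand-picking them each time, makes the exemption list reviewable and reusable the next time the check is run.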
