0

I have run the following cmdlet in PowerShell to disable the Password Expiration policy in my M365 tenancy for all users. However, the cmdlet is not applied to new users created. Can someone please explain how I can disable the policy for all current and new users?

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
    N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
}

EDIT

I have unchecked the Set user passwords to expire after a number of days in the Password expiration policy page. I have run the following cmdlet to check this policy is turned off in PowerShell.

Get-MsolPasswordPolicy


I have run the following cmdlet to set a Password to Never Expire Policy for all users in the organisation. (Upon investigation, this policy only applies to current users, and will not apply to new users).

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Next I have checked the Set Password to Never Expire policy has been implemented successfully:

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
    N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
 }


I then created a new user in M365 and ran the same cmdlet again. I can now see that the new user does not have the Password to Never Expire Policy applied.


Is there a cmdlet to create a Password to Never Expire for all users (current and new users)? I don't want to create separate policies for different users, I want to apply the same policy to all. Please advise.

Holly S
  • 11
  • 2
  • Could you please give some insight into the new users? Are you creating the new user after disabling `PasswordNeverExpires` for existing users, or are you creating the new user and then trying to disable `PasswordNeverExpires`? – VenkateshDodda Jan 05 '22 at 08:27

3 Answers

0

If you want to remove password expiration for all users, you might consider changing password expiration policy for the entire organization.

To do so, uncheck Set user passwords to expire after a number of days in Password expiration policy page:

Changing password expiration policy

If you want to set password to never expire for a set of users, but not all, you'd have to schedule a script. The script should find new users and run the cmdlet you used against these new users.

In theory, you could also change password to never expire for all users. That'd require no changes to your script but might affect the performance. It's not recommended, but it might be suitable for smaller organizations.

Robert Dyjas
  • 4,979
  • 3
  • 19
  • 34
  • Thanks Robert, I've just updated my question with the full process I followed. Can you please read it and advise? – Holly S Jan 06 '22 at 03:12
  • @Holly S I don't have any way to test it, but I guess you don't need to worry about `PasswordNeverExpires` on user accounts if your org policy is set to 'password never expires'. The only case it might matter could be when password change is forced by risky sign-in/risky user detection - but that's only a guess as I don't know what would happen in such situation – Robert Dyjas Jan 07 '22 at 07:55
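
The scheduled script this answer describes could look like the following added example, which is not part of the original answer; the function names and sample users are hypothetical. It goes slightly beyond the answer by keeping any flag already present in PasswordPolicies (such as DisableStrongPassword) instead of overwriting it.

```powershell
# Added example. Function names and sample users are hypothetical (constructed).
function Get-PasswordPolicyPlan {
    # Emits one object per user whose PasswordPolicies lacks
    # DisablePasswordExpiration, with the combined value to write back.
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        $flags = @()
        if ($User.PasswordPolicies) {
            # The attribute is a comma-separated string; "None" means no flags.
            $flags = @($User.PasswordPolicies -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ne 'None' })
        }
        if ($flags -notcontains 'DisablePasswordExpiration') {
            [pscustomobject]@{
                ObjectId          = $User.ObjectId
                UserPrincipalName = $User.UserPrincipalName
                NewPolicies       = ($flags + 'DisablePasswordExpiration') -join ', '
            }
        }
    }
}

function Set-MissingPasswordNeverExpires {
    # Live run for a scheduled task; call Connect-AzureAD first.
    # -Preview lists the users that would change without writing anything.
    param([switch] $Preview)
    Get-AzureADUser -All $true | Get-PasswordPolicyPlan | ForEach-Object {
        if (-not $Preview) {
            Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies $_.NewPolicies
        }
        $_   # emit the change so the run can be logged
    }
}

# Offline demonstration on constructed users (no tenant connection needed).
$sampleUsers = @(
    [pscustomobject]@{ ObjectId = 'id-1'; UserPrincipalName = 'old.user@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration' }
    [pscustomobject]@{ ObjectId = 'id-2'; UserPrincipalName = 'new.user@contoso.example'; PasswordPolicies = $null }
    [pscustomobject]@{ ObjectId = 'id-3'; UserPrincipalName = 'svc.user@contoso.example'; PasswordPolicies = 'DisableStrongPassword' }
)
$sampleUsers | Get-PasswordPolicyPlan | Format-Table -AutoSize
```

Running `Set-MissingPasswordNeverExpires -Preview` first shows which accounts a live run would change. Microsoft has deprecated the AzureAD and MSOnline modules in favour of Microsoft Graph PowerShell, so the same logic would need porting there.
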
0

We have tested this in our local environment by creating a new user and using the cmdlets shared above; we are able to disable the Password Expiration policy for all the existing users and for the new users as well.

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration

Here is the sample output for reference:

  • The screenshot below shows the default PasswordNeverExpires value for all the users.


  • We have created a new user; after running the above cmdlets, we are able to change the PasswordNeverExpires value to True for all the users, as shown below.


Alternatively, you can use the MSOnline PowerShell module to set the PasswordNeverExpires value to True.

Here are the PowerShell cmdlets to change the PasswordNeverExpires value to True for all the users.

Connect-MsolService
$userlist = Get-MsolUser -All | select -Property UserPrincipalName,PasswordNeverExpires
foreach( $item in $userlist){
  Set-MsolUser -UserPrincipalName $item.UserPrincipalName -PasswordNeverExpires $true
}
Get-MsolUser -All| select -Property UserPrincipalName,PasswordNeverExpires

Here is the sample output for reference:


If you still face the issue, we would suggest opening a support ticket using this link, where the technical support team can help you troubleshoot the issue from the platform end, or opening a discussion on Microsoft Q&A.

VenkateshDodda
  • 4,723
  • 1
  • 3
  • 12
  • Thank you VenkateshDodda-MT, I understand this process and have tested it myself successfully. However, my question is how can I create a custom policy that automatically applies to every new user? To be more specific, I want the PasswordNeverExpires policy to automatically apply each time a new user is created, instead of manually running the cmdlet. Is this possible? Thanks – Holly S Jan 10 '22 at 03:22
0

The below will set the default password policy to never expire for all current and future users.

$AllDomains = Get-MsolDomain

ForEach ($domain in $AllDomains){
    Set-MsolPasswordPolicy -ValidityPeriod "2147483647" -NotificationDays 0 -DomainName $domain.name
}
Jeremy Caney
  • 7,102
  • 69
  • 48
  • 77
Glenn
  • 1
  • 1