Get Azure Active Directory password expiry date in PowerShell


Solution 1

You're looking for the LastPasswordChangeTimestamp attribute:

Get-MsolUser -UserPrincipalName 'Username' |Select LastPasswordChangeTimestamp

This only tells you when the password was last changed, not when it will expire, so grab the password validity from the Password Policy as well:

$PasswordPolicy = Get-MsolPasswordPolicy
$UserPrincipal  = Get-MsolUser -UserPrincipalName 'Username'

$PasswordExpirationDate = $UserPrincipal.LastPasswordChangeTimestamp.AddDays($PasswordPolicy.ValidityPeriod)

$PasswordExpirationDate should now have the timestamp for when the password expires.

Solution 2

What Mathias R. Jessen said was correct.

But you may get inaccurate data in some cases, such as when a tenant has multiple domains (each domain can have a different password policy), when 'Password never expires' is set for individual users, or when 'Password never expires' is set through the password policy.

The code below will help you get the correct result.

$PwdPolicy = @{}   # domain name -> password validity period in days
$Domains = Get-MsolDomain   #-Status Verified
foreach ($Domain in $Domains)
{
  # Each domain can have its own password policy
  $PwdValidity = (Get-MsolPasswordPolicy -DomainName $Domain.Name).ValidityPeriod
  $PwdPolicy.Add($Domain.Name, $PwdValidity)
}
Get-MsolUser -All | foreach {
  $UPN = $_.UserPrincipalName
  $PwdLastChange = $_.LastPasswordChangeTimestamp
  $UserDomain = $UPN -Split "@" | Select-Object -Last 1
  # Look up the validity period of the user's own domain
  $PwdValidityPeriod = $PwdPolicy[$UserDomain]
}

You can download the script from Microsoft's TechNet Gallery: https://gallery.technet.microsoft.com/Export-Office-365-Users-91b4fc50
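
The cases Solution 2 lists (per-domain policies, a per-user 'Password never expires' flag, and a never-expire policy), handled in one function. This is an added example, not code from either answer or from the linked script. It assumes a never-expire policy reports a ValidityPeriod of 2147483647 days; the function name `Get-PasswordExpiry`, its parameters, and the sample users and domains are hypothetical and constructed so the block runs without a tenant connection.

```powershell
# Added example; Get-PasswordExpiry and its parameters are hypothetical names.
function Get-PasswordExpiry {
    param(
        # Object with UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Domain name -> ValidityPeriod in days, one entry per domain
        [Parameter(Mandatory)] [hashtable] $PolicyByDomain
    )
    process {
        $domain  = ($User.UserPrincipalName -split '@')[-1]
        $days    = $PolicyByDomain[$domain]
        $expires = $null
        if ($User.PasswordNeverExpires) {
            $status = 'NeverExpires (user setting)'
        } elseif ($null -eq $days) {
            $status = 'Unknown (no validity period for domain)'
        } elseif ($days -ge [int]::MaxValue) {
            # Assumption: 2147483647 marks a never-expire policy; AddDays() would throw on it
            $status = 'NeverExpires (domain policy)'
        } elseif ($null -eq $User.LastPasswordChangeTimestamp) {
            $status = 'Unknown (no password change recorded)'
        } else {
            $expires = $User.LastPasswordChangeTimestamp.AddDays($days)
            $status  = if ($expires -lt (Get-Date)) { 'Expired' } else { 'Valid' }
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            ValidityDays      = $days
            ExpiresOn         = $expires
            Status            = $status
        }
    }
}

# Constructed sample data (not from a real tenant)
$policy = @{ 'contoso.example' = 90; 'fabrikam.example' = [int]::MaxValue }
$users  = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; LastPasswordChangeTimestamp = (Get-Date).AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   LastPasswordChangeTimestamp = (Get-Date).AddDays(-120); PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'svc@contoso.example';   LastPasswordChangeTimestamp = (Get-Date).AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@fabrikam.example'; LastPasswordChangeTimestamp = (Get-Date).AddDays(-10); PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'dave@unlisted.example'; LastPasswordChangeTimestamp = $null; PasswordNeverExpires = $false }
)
$users | Get-PasswordExpiry -PolicyByDomain $policy | Format-Table -AutoSize

# Against a tenant, after Connect-MsolService:
#   $policy = @{}
#   Get-MsolDomain | ForEach-Object { $policy[$_.Name] = (Get-MsolPasswordPolicy -DomainName $_.Name).ValidityPeriod }
#   Get-MsolUser -All | Get-PasswordExpiry -PolicyByDomain $policy
```

Accounts reported as NeverExpires, whether by user flag or by domain policy, are the ones worth reviewing first in a credential audit, since nothing forces their passwords to rotate.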

Author by

Mandar Jogalekar

Interested in Microsoft Azure, .Net and lately in performance tuning of sql ..

Updated on July 09, 2022

Comments

  • Mandar Jogalekar almost 2 years

    I am working with Azure Active Directory and want to know when a user's password expires.

    Currently I use these PowerShell commands to connect to msol service successfully and get password expiry, but I'm not quite sure how to get password expiry date.

    I am using Azure Active Directory PowerShell module.

        Connect-MsolService
        Get-MsolUser -UserPrincipalName 'Username' | Select PasswordNeverExpires

  • Mandar Jogalekar about 7 years
    looking for, when current password expires attribute.
  • Mathias R. Jessen about 7 years
    @MandarJogalekar No such attribute exists, you'll have to calculate it. Answer updated
  • Mandar Jogalekar about 7 years
    only one change to the answer $UserPrincipal.LastPasswordChangeTimestamp.AddDays($PasswordPolicy.ValidityPeriod)
  • Mathias R. Jessen about 7 years
    @MandarJogalekar My apologies, I thought the ValidityPeriod property was a TimeSpan. I've updated the answer
  • Mandar Jogalekar about 7 years
    I noticed also that get-msolpasswordpolicy command does not work if user is not assigned global admin role .. it's not real to assign every user global admin .. any way around it?