Get Azure Active Directory password expiry date in PowerShell
Solution 1
You're looking for the LastPasswordChangeTimestamp
attribute:
Get-MsolUser -UserPrincipalName 'Username' |Select LastPasswordChangeTimestamp
This only tells you when the password was last changed, not when it will expire, so grab the password validity from the Password Policy as well:
$PasswordPolicy = Get-MsolPasswordPolicy
$UserPrincipal = Get-MsolUser -UserPrincipalName 'Username'
$PasswordExpirationDate = $UserPrincipal.LastPasswordChangeTimestamp.AddDays($PasswordPolicy.ValidityPeriod)
$PasswordExpirationDate
should now have the timestamp for when the password expires
Solution 2
What Mathias R.Jessen said was correct.
But, you may get inaccurate data in some cases like When a tenant has multiple domains (Each domain can have different password policy), when 'Password never expires' set for individual users and if 'password never expires' set through Password policy.
Below code will help you to get the correct result.
$Domains=Get-MsolDomain #-Status Verified
foreach($Domain in $Domains)
{
$PwdValidity=(Get-MsolPasswordPolicy -DomainName $Domain).ValidityPeriod
$PwdPolicy.Add($Domain.name,$PwdValidity)
}
Get-MsolUser -All | foreach{
$UPN=$_.UserPrincipalName
$PwdLastChange=$_.LastPasswordChangeTimestamp
$UserDomain= $UPN -Split "@" | Select-Object -Last 1
$PwdValidityPeriod=$PwdPolicy[$UserDomain]
}
You can download the script from Microsoft's technet gallery: https://gallery.technet.microsoft.com/Export-Office-365-Users-91b4fc50
Mandar Jogalekar
Interested in Microsoft Azure, .Net and lately in performance tuning of sql ..
Updated on July 09, 2022Comments
-
Mandar Jogalekar almost 2 years
I am working with Azure Active Directory and want to know when a user's password expires.
Currently I use these PowerShell commands to connect to msol service successfully and get password expiry, but I'm not quite sure how to get password expiry date.
I am using Azure Active Directory PowerShell module.
Connect-MsolService Get-MsolUser -UserPrincipalName 'Username' | Select PasswordNeverExpires
-
Mandar Jogalekar about 7 yearslooking for, when current password expires attribute.
-
Mathias R. Jessen about 7 years@MandarJogalekar No such attribute exists, you'll have to calculate it. Answer updated
-
Mandar Jogalekar about 7 yearsonly one change to the answer $UserPrincipal.LastPasswordChangeTimestamp.AddDays($PasswordPolicy.ValidityPeriod)
-
Mathias R. Jessen about 7 years@MandarJogalekar My apologies, I thought the
ValidatyPeriod
property was aTimeSpan
. I've updated the answer -
Mandar Jogalekar about 7 yearsI noticed also that get-msolpasswordpolicy command does not work if user is not assigned global admin role .. it's not real to assign every user global admin .. any way around it?