title | f1.keywords | ms.author | author | manager | ms.date | audience | ms.topic | ms.service | ms.localizationpriority | ms.collection | ms.custom | search.appverid | description | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Set an individual user's password to never expire |
|
kwekua |
kwekuako |
scotv |
09/30/2024 |
Admin |
article |
microsoft-365-business |
medium |
|
|
Sign in to your Microsoft 365 admin account to set some individual user passwords to never expire by using Microsoft Graph PowerShell. |
Check out all of our small business content on Small business help & learning.
This article explains how to set a password for an individual user to not expire. You have to complete these steps using PowerShell.
This article is for people who set password expiration policy for a business, school, or nonprofit. You must be a global admin or password administrator to perform these steps.
You can use the Microsoft cloud service Microsoft Graph Powershell to set passwords not to expire for specific users, remove the never-expire configuration or see which users' passwords are set to never expire.
This guide applies to other providers, such as Intune and Microsoft 365, which also rely on Microsoft Entra ID for identity and directory services. Password expiration is the only part of the policy that can be changed.
Use the Connect-MgGraph
command to sign in with the required scopes. You need to sign in with an admin account to consent to the required scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"
The command prompts you to go to a web page to sign in using a device code. Once you've done that, the command indicates success with a Welcome To Microsoft Graph!
message. You only need to sign in once per session.
Run one of the following commands:
-
To see if a single user's password is set to never expire, run the following cmdlet by using the UPN (for example, user@contoso.onmicrosoft.com) or the user ID of the user you want to check:
Get-MGuser -UserId <user id or UPN> -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} }
Example:
Get-MGuser -UserId userUPN@contoso.com -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} }
-
To see the Password never expires setting for all users, run the following cmdlet:
Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} }
-
To get a report of all the users with PasswordNeverExpires in Html on the desktop of the current user with name ReportPasswordNeverExpires.html
Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html
-
To get a report of all the users with PasswordNeverExpires in CSV on the desktop of the current user with name ReportPasswordNeverExpires.csv
Get-MGuser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"} } | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
Run one of the following commands:
-
To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:
Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration
-
To set the passwords of all the users in an organization to never expire, run the following cmdlet:
Get-MGuser -All | Update-MgUser -PasswordPolicies DisablePasswordExpiration
Warning
User accounts configured with the -PasswordPolicies DisablePasswordExpiration
parameter still age based on the pwdLastSet
attribute. Based on the pwdLastSet
attribute, if you change the expiration to -PasswordPolicies None
, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
Run one of the following commands:
-
To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:
Update-MgUser -UserId <user ID> -PasswordPolicies None
-
To set the passwords of all users in the organization so that they expire, use the following cmdlet:
Get-MGuser -All | Update-MgUser -PasswordPolicies None
Let users reset their own passwords (article)
Reset passwords (article)
Set the password expiration policy for your organization (article)