It's important to add the organization's contact information to the Microsoft 365 help pane. This…
Export Microsoft 365 users password report
You can check the password expiration policy for your entire organization in the Microsoft 365 admin center. It does not show a list of all the individual users. To get detailed password information for each Microsoft 365 user, you need to run a PowerShell script. In this article, you will learn how to export Microsoft 365 users password report to a CSV file.
Table of contents
- Information export Microsoft 365 users password PowerShell script
- Export Microsoft 365 users to CSV with PowerShell
- 1. Install Microsoft Graph PowerShell
- 2. Connect to Microsoft Graph PowerShell
- 3. Download Export-M365PasswordReport PowerShell script
- 4. Run Export-M365PasswordReport PowerShell script
- 5. Out-GridView Microsoft 365 users password expiry report
- 6. Open Microsoft 365 users password expiry report CSV file in Excel
- Conclusion
Information export Microsoft 365 users password PowerShell script
If your organization has not set a password expiration policy, Microsoft recommends setting the passwords to never expire. When the entire organization has a password expiration policy, there could still be individual Microsoft 365 users with another policy. That’s where the PowerShell script comes to the rescue.
This script will run and gather the following information per user:
- ID
- User principal name
- Display name
- Password policies
- Last password change date time
- Created date time
- Domain
- Max password age
- Password age
- Expires on
- Days remaining
We will show you how to get these results in the next steps.
Export Microsoft 365 users to CSV with PowerShell
Let’s go through the steps and export Microsoft 365 users password report to a CSV file with PowerShell.
1. Install Microsoft Graph PowerShell
Before you run the Export-M365PasswordReport.ps1 PowerShell script, you need to install the Microsoft Graph PowerShell module.
Run the below command to install the Microsoft Graph module.
Install-Module Microsoft.Graph -Force
2. Connect to Microsoft Graph PowerShell
You need to connect to MS Graph with the below scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
- Sign in with your admin credentials
- Enable consent on behalf of your organization
- Click Accept
3. Download Export-M365PasswordReport PowerShell script
To download the Export-M365PasswordReport PowerShell script, follow these steps:
- Download the Export-M365PasswordReport.ps1 PowerShell script
- Or copy the below script into Notepad and save it as Export-M365PasswordReport.ps1 file
<#
.SYNOPSIS
.\Export-M365UsersPassword.ps1
.DESCRIPTION
Connect to Microsoft Graph PowerShell first.
The script exports the passwords report for all Microsoft 365 users to a CSV file.
.LINK
Export Microsoft 365 users password report
.NOTES
Written By: o365info
Website: o365info.com
.CHANGELOG
V1.00, 10/26/2023 - Initial version
#>
# Get all domain password expiration policies
$domains = Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays
$domains | ForEach-Object { if (!$_.PasswordValidityPeriodInDays) { $_.PasswordValidityPeriodInDays = 90 } }
# Get user information
$properties = "Id", "UserPrincipalName", "mail", "displayName", "PasswordPolicies", "LastPasswordChangeDateTime", "CreatedDateTime"
$users = Get-MgUser -Filter "userType eq 'member' and accountEnabled eq true" `
-Property $properties -CountVariable userCount `
-ConsistencyLevel Eventual -All -Verbose | `
Select-Object $properties | Where-Object {
"$(($_.userPrincipalName).Split('@')[1])" -in $($domains.id)
}
# Add properties to the $users objects
$users | Add-Member -MemberType NoteProperty -Name Domain -Value $null
$users | Add-Member -MemberType NoteProperty -Name MaxPasswordAge -Value 0
$users | Add-Member -MemberType NoteProperty -Name PasswordAge -Value 0
$users | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value (Get-Date '1970-01-01')
$users | Add-Member -MemberType NoteProperty -Name DaysRemaining -Value 0
# Get the current datetime for calculation
$timeNow = Get-Date
foreach ($user in $users) {
# Get the user's domain
$userDomain = ($user.userPrincipalName).Split('@')[1]
# Check if the user has "disablepasswordexpiration" set
if ($user.PasswordPolicies -contains "DisablePasswordExpiration") {
# Set values to indicate that the password does not expire for this user
$passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
$user.MaxPasswordAge = "Password does not expire"
$user.PasswordAge = $passwordAge
$user.ExpiresOn = "N/A"
$user.DaysRemaining = "N/A"
}
else {
# Get the maximum password age based on the domain password policy
$maxPasswordAge = ($domains | Where-Object { $_.id -eq $userDomain }).PasswordValidityPeriodInDays
# Check if MaxPasswordAge is 2147483647
if ($maxPasswordAge -eq 2147483647) {
$passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
$user.MaxPasswordAge = "Password does not expire"
$user.PasswordAge = $passwordAge
$user.ExpiresOn = "N/A"
$user.DaysRemaining = "N/A"
}
else {
$passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
$expiresOn = (Get-Date $user.LastPasswordChangeDateTime).AddDays($maxPasswordAge)
$user.PasswordAge = $passwordAge
$user.ExpiresOn = $expiresOn
$user.DaysRemaining = $(
# If the remaining days is negative, show "Expired" instead
if (($daysRemaining = (New-TimeSpan -Start $timeNow -End $expiresOn).Days) -le 0) { "Expired" }
else { $daysRemaining }
)
$user.MaxPasswordAge = $maxPasswordAge
}
}
$user.Domain = $userDomain
}
# Display the results in Out-GridView
$users | Out-GridView
# Export the results to CSV file
$users | Export-Csv -Path "C:\temp\M365UsersPassword.csv" -NoTypeInformation -Encoding UTF8
- Create the folders scripts and temp in your (C:) drive if you don’t have them already
- Save the Export-M365PasswordReport.ps1 PowerShell script in the C:\scripts folder
Open the file to check if it is unblocked to prevent errors when running the script.
4. Run Export-M365PasswordReport PowerShell script
Run PowerShell as administrator and run the Export-M365PasswordReport.ps1 PowerShell script.
C:\scripts\.\Export-M365PasswordReport.ps1
The PowerShell script starts scanning all the Microsoft 365 users in the organization. It may take a few minutes if you have many users.
5. Out-GridView Microsoft 365 users password expiry report
The script will show the list of Microsoft 365 users password information in a grid view window.
The Out-GridView appears after the script finishes. It shows which password policy (None, empty, DisableStrongPassword, or DisablePasswordExpiration) each Microsoft 365 user has.
6. Open Microsoft 365 users password expiry report CSV file in Excel
You will find the M365UsersPassword.csv file in the C:\temp folder.
Open the CSV file with an application like Microsoft Excel to see the results.
That’s it.
Note: Now that you have a Microsoft 365 users password report, you can Manage Microsoft 365 users password.
Read more: Export Microsoft 365 mailbox size report with PowerShell »
Conclusion
You learned how to export Microsoft 365 users password report to an Out-GridView and CSV file with PowerShell. The Export-M365PasswordReport.ps1 PowerShell script shows a detailed password report for each user. You will get a structured overview showing which password policy each user has and when the password expires.
Did you enjoy this article? You may also like Export Microsoft 365 users licenses. Don’t forget to follow us and share this article
Thanks for another great article and this has been added to my gowing list of Graph PS scripts. Also this works on a macos using powershell 7.3.