
Export Microsoft 365 users password report

You can check the password expiration policy for your entire organization in the Microsoft 365 admin center, but it does not show a list of the individual users. To get detailed password information for each Microsoft 365 user, you need to run a PowerShell script. In this article, you will learn how to export a Microsoft 365 users password report to a CSV file.

Information about the export Microsoft 365 users password PowerShell script

If your organization has not set a password expiration policy, Microsoft recommends setting the passwords to never expire. When the entire organization has a password expiration policy, there could still be individual Microsoft 365 users with another policy. That’s where the PowerShell script comes to the rescue.

This script will run and gather the following information per user:

  1. ID
  2. User principal name
  3. Mail
  4. Display name
  5. Password policies
  6. Last password change date time
  7. Created date time
  8. Domain
  9. Max password age
  10. Password age
  11. Expires on
  12. Days remaining

We will show you how to get these results in the next steps.

Export Microsoft 365 users to CSV with PowerShell

Let’s go through the steps and export a Microsoft 365 users password report to a CSV file with PowerShell.

1. Install Microsoft Graph PowerShell

Before you run the Export-M365PasswordReport.ps1 PowerShell script, you need to install the Microsoft Graph PowerShell module.

Run the below command to install the Microsoft Graph module.

Install-Module Microsoft.Graph -Force

2. Connect to Microsoft Graph PowerShell

You need to connect to MS Graph with the below scopes.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
  1. Sign in with your admin credentials
  2. Enable consent on behalf of your organization
  3. Click Accept
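
The report script only reads data (it calls Get-MgDomain and Get-MgUser), so the session it runs in can be checked against read-only scopes. The following is an added example, not part of the original article or script; the helper name Get-ExcessGraphScope, the read-only scope list and the sample scope list are assumptions for illustration.

```powershell
# Added example (not part of Export-M365PasswordReport.ps1).
# Assumption: these read-only delegated scopes cover the script's
# Get-MgUser and Get-MgDomain calls.
$NeededScopes = 'User.Read.All', 'Domain.Read.All'

# Sign-in scopes that normally appear on a delegated session
$BaselineScopes = 'openid', 'profile', 'email', 'offline_access'

function Get-ExcessGraphScope {
    # Hypothetical helper: lists session scopes the report does not need
    param(
        [string[]]$GrantedScopes,
        [string[]]$NeededScopes
    )
    foreach ($scope in $GrantedScopes) {
        if ($scope -in $NeededScopes -or $scope -in $BaselineScopes) { continue }
        [pscustomobject]@{
            Scope        = $scope
            WriteCapable = [bool]($scope -match 'ReadWrite')
        }
    }
}

# Constructed sample: the scopes from the Connect-MgGraph line above plus sign-in scopes
$sampleGranted = 'openid', 'profile', 'User.ReadWrite.All',
                 'Group.ReadWrite.All', 'Directory.ReadWrite.All'
Get-ExcessGraphScope -GrantedScopes $sampleGranted -NeededScopes $NeededScopes |
    Format-Table -AutoSize

# Against a live session (needs the Microsoft.Graph module and a sign-in):
# Connect-MgGraph -Scopes $NeededScopes
# Get-ExcessGraphScope -GrantedScopes (Get-MgContext).Scopes -NeededScopes $NeededScopes
# Disconnect-MgGraph
```
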

3. Download Export-M365PasswordReport PowerShell script

To download the Export-M365PasswordReport PowerShell script, follow these steps:

  1. Download the Export-M365PasswordReport.ps1 PowerShell script
  2. Or copy the below script into Notepad and save it as Export-M365PasswordReport.ps1 file

<#
    .SYNOPSIS
    .\Export-M365UsersPassword.ps1

    .DESCRIPTION
    Connect to Microsoft Graph PowerShell first.
    The script exports the passwords report for all Microsoft 365 users to a CSV file.

    .LINK
    Export Microsoft 365 users password report

    .NOTES
    Written By: o365info
    Website:    o365info.com

    .CHANGELOG
    V1.00, 10/26/2023 - Initial version
#>

# Get all domain password expiration policies
$domains = Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays
$domains | ForEach-Object { if (!$_.PasswordValidityPeriodInDays) { $_.PasswordValidityPeriodInDays = 90 } }

# Get user information
$properties = "Id", "UserPrincipalName", "mail", "displayName", "PasswordPolicies", "LastPasswordChangeDateTime", "CreatedDateTime"
$users = Get-MgUser -Filter "userType eq 'member' and accountEnabled eq true" `
    -Property $properties -CountVariable userCount `
    -ConsistencyLevel Eventual -All -Verbose | `
    Select-Object $properties | Where-Object { "$(($_.userPrincipalName).Split('@')[1])" -in $($domains.id) }

# Add properties to the $users objects
$users | Add-Member -MemberType NoteProperty -Name Domain -Value $null
$users | Add-Member -MemberType NoteProperty -Name MaxPasswordAge -Value 0
$users | Add-Member -MemberType NoteProperty -Name PasswordAge -Value 0
$users | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value (Get-Date '1970-01-01')
$users | Add-Member -MemberType NoteProperty -Name DaysRemaining -Value 0

# Get the current datetime for calculation
$timeNow = Get-Date

foreach ($user in $users) {
    # Get the user's domain
    $userDomain = ($user.userPrincipalName).Split('@')[1]

    # Check if the user has "disablepasswordexpiration" set
    if ($user.PasswordPolicies -contains "DisablePasswordExpiration") {
        # Set values to indicate that the password does not expire for this user
        $passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
        $user.MaxPasswordAge = "Password does not expire"
        $user.PasswordAge = $passwordAge
        $user.ExpiresOn = "N/A"
        $user.DaysRemaining = "N/A"
    }
    else {
        # Get the maximum password age based on the domain password policy
        $maxPasswordAge = ($domains | Where-Object { $_.id -eq $userDomain }).PasswordValidityPeriodInDays

        # Check if MaxPasswordAge is 2147483647
        if ($maxPasswordAge -eq 2147483647) {
            $passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
            $user.MaxPasswordAge = "Password does not expire"
            $user.PasswordAge = $passwordAge
            $user.ExpiresOn = "N/A"
            $user.DaysRemaining = "N/A"
        }
        else {
            $passwordAge = (New-TimeSpan -Start $user.LastPasswordChangeDateTime -End $timeNow).Days
            $expiresOn = (Get-Date $user.LastPasswordChangeDateTime).AddDays($maxPasswordAge)
            $user.PasswordAge = $passwordAge
            $user.ExpiresOn = $expiresOn
            $user.DaysRemaining = $(
                # If the remaining days is negative, show "Expired" instead
                if (($daysRemaining = (New-TimeSpan -Start $timeNow -End $expiresOn).Days) -le 0) { "Expired" }
                else { $daysRemaining }
            )
            $user.MaxPasswordAge = $maxPasswordAge
        }
    }
    $user.Domain = $userDomain
}

# Display the results in Out-GridView
$users | Out-GridView

# Export the results to CSV file
$users | Export-Csv -Path "C:\temp\M365UsersPassword.csv" -NoTypeInformation -Encoding UTF8

  1. Create the folders scripts and temp in your (C:) drive if you don’t have them already
  2. Save the Export-M365PasswordReport.ps1 PowerShell script in the C:\scripts folder

Check that the saved file is unblocked to prevent errors when running the script.


4. Run Export-M365PasswordReport PowerShell script

Run PowerShell as administrator and run the Export-M365PasswordReport.ps1 PowerShell script.

C:\scripts\.\Export-M365PasswordReport.ps1

The PowerShell script starts scanning all the Microsoft 365 users in the organization. It may take a few minutes if you have many users.

5. Out-GridView Microsoft 365 users password expiry report

The script will show the list of Microsoft 365 users password information in a grid view window.

The Out-GridView appears after the script finishes. It shows which password policy (None, empty, DisableStrongPassword, or DisablePasswordExpiration) each Microsoft 365 user has.


6. Open Microsoft 365 users password expiry report CSV file in Excel

You will find the M365UsersPassword.csv file in the C:\temp folder.


Open the CSV file with an application like Microsoft Excel to see the results.
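
Besides reading the CSV in Excel, the report can be filtered for the rows that deserve a follow-up. The following is an added example, not part of the original article or script; the function name Get-PasswordReportFinding, the two thresholds and the sample rows are assumptions, while the column names and the "Password does not expire", "N/A" and "Expired" values are the ones the script writes.

```powershell
# Constructed sample rows using the report's column names (not real accounts)
$sampleCsv = @'
UserPrincipalName,PasswordPolicies,MaxPasswordAge,PasswordAge,ExpiresOn,DaysRemaining
amy@contoso.example,None,90,85,2024-01-20,5
bob@contoso.example,DisablePasswordExpiration,Password does not expire,912,N/A,N/A
cat@contoso.example,"DisablePasswordExpiration, DisableStrongPassword",Password does not expire,40,N/A,N/A
dan@contoso.example,,90,130,2023-12-01,Expired
eve@contoso.example,None,90,10,2024-04-01,80
'@

function Get-PasswordReportFinding {
    # Hypothetical helper: emits one object per finding for each report row
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [int]$StaleAfterDays = 365,  # assumption: review non-expiring passwords older than this
        [int]$WarnWithinDays = 14    # assumption: warn this many days before expiry
    )
    process {
        $findings = @()
        if ($Row.PasswordPolicies -match 'DisableStrongPassword') {
            $findings += 'Strong password requirement disabled'
        }
        if ($Row.MaxPasswordAge -eq 'Password does not expire' -and
            [int]$Row.PasswordAge -gt $StaleAfterDays) {
            $findings += "Non-expiring password is $($Row.PasswordAge) days old"
        }
        if ($Row.DaysRemaining -eq 'Expired') {
            $findings += 'Password expired'
        }
        elseif ($Row.DaysRemaining -match '^\d+$' -and
                [int]$Row.DaysRemaining -le $WarnWithinDays) {
            $findings += "Password expires in $($Row.DaysRemaining) days"
        }
        foreach ($finding in $findings) {
            [pscustomobject]@{
                UserPrincipalName = $Row.UserPrincipalName
                Finding           = $finding
            }
        }
    }
}

# Run against the constructed sample
$sampleCsv | ConvertFrom-Csv | Get-PasswordReportFinding | Format-Table -AutoSize

# Run against the real report produced by the script:
# Import-Csv 'C:\temp\M365UsersPassword.csv' | Get-PasswordReportFinding
```
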


That’s it.

Note: Now that you have a Microsoft 365 users password report, you can Manage Microsoft 365 users password.


Conclusion

You learned how to export Microsoft 365 users password report to an Out-GridView and CSV file with PowerShell. The Export-M365PasswordReport.ps1 PowerShell script shows a detailed password report for each user. You will get a structured overview showing which password policy each user has and when the password expires.


o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

  1. Thanks for another great article, and this has been added to my growing list of Graph PS scripts. Also, this works on macOS using PowerShell 7.3.
