Manage Microsoft 365 users password

Microsoft recommends setting the Microsoft 365 password expiration policy to never expire because password expiration requirements do more harm than good. When users get a message or notification to change their password, they add a number or symbol to the end of the existing password and set it as the new password. This is problematic. In this article, you will learn how to manage Microsoft 365 user passwords with Microsoft Graph PowerShell.

Password expiration policy

Microsoft 365 accounts have a pre-defined password policy that can’t be changed. Admins can make user passwords expire after a certain number of days (the default is 90 days) or set passwords to never expire. By default, passwords are set to never expire for your organization.

There are password guidelines for administrators to configure a secure password. To keep your organization as secure as possible, passwords should meet complexity requirements, such as minimum 8-character length, or they can’t be configured.

Setting a password policy for the users in your organization is important. You can always reset a user password or passwords in bulk.

We will show you how to manage user passwords in the Microsoft 365 admin center and with Microsoft Graph PowerShell.

Note: We recommend running the Export Microsoft 365 users password report and checking the password details for every user before and after you apply any changes.

Connect to Microsoft Graph PowerShell

Before you start, you must install the Microsoft Graph PowerShell module, including the Microsoft Graph Beta module.

Run the below commands to install the Microsoft Graph module.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Then, connect to Microsoft Graph PowerShell with the below permissions.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All"

Now, you are all set to use the Microsoft Graph PowerShell commands.

1. Set password expiration policy to never expire for domain

We will set the password expiration policy to never expire for everyone in the organization with the following:

  • Microsoft 365 admin center
  • Microsoft Graph PowerShell

Set password expiration policy to never expire in Microsoft 365 admin center

To set passwords to never expire in the Microsoft 365 admin center, follow these steps:

  1. Sign in to the Microsoft 365 admin center
  2. Expand Settings and click Org settings
  3. Click the tab Security & privacy
  4. Choose Password expiration policy from the list
  5. Select the checkbox Set passwords to never expire (recommended)
  6. Click Save

You have set the passwords to never expire for your organization in the Microsoft 365 admin center. Next, we will show you how to manage Microsoft 365 users password with PowerShell.

Set password expiration policy to never expire with PowerShell

You can set the password to never expire for the entire domain.

Run the below PowerShell command.

Update-MgDomain -DomainId "m365info.com" -PasswordValidityPeriodInDays "2147483647"

Note: It will set the passwords to never expire for the entire domain but not for individual users who have previously set passwords to expire. Remember that it will not overwrite these users.

2. Set password expiration policy to expire for domain

You can set password policy to expire for the entire domain with PowerShell. Once you set the password expiration policy for everyone in your organization, you can always change the settings. We will show you how to change the password expiration policy and set the following:

  • Password notification days
  • Password expiration days

Set password expiration policy to expire in Microsoft 365 admin center

To set passwords to expire in the Microsoft 365 admin center, follow these steps:

  1. Sign in to the Microsoft 365 admin center
  2. Expand Settings and click Org settings
  3. Click the tab Security & privacy
  4. Choose Password expiration policy from the list
  5. Clear the checkbox Set passwords to never expire (recommended)
  6. Type a number between 14 and 730 days
  7. Click Save

Set password to expire for Microsoft 365 domain

You can set the passwords to expire for the entire domain with PowerShell. We will add parameters that will also set the password notification days and validity period days.

If you already set the password policy to expire for your domain, you can change the password expiration days.

Parameter | Description
-PasswordNotificationWindowInDays | Specifies the number of days before a user receives a notification that their password will expire. If the property is not set, a default value of 14 days will be used.
-PasswordValidityPeriodInDays | Specifies the length of time that a password is valid before it must be changed. If the property is not set, a default value of 90 days will be used.

We will set the passwords to expire for the entire domain. The only difference is that it will not go through each user. So, if some users have already set the passwords to never expire, it will not change it for these users.

See the PowerShell command syntax.

Update-MgDomain -DomainId "Domain ID" -PasswordNotificationWindowInDays "Number Of Days" -PasswordValidityPeriodInDays "Number Of Days"

Run the below PowerShell command example.

Update-MgDomain -DomainId "m365info.com" -PasswordNotificationWindowInDays "30" -PasswordValidityPeriodInDays "180"

It will set the passwords to expire for the entire domain and set the password notification days (30) and validity days (180).

Note: It will set the passwords to expire for the entire domain, but if an individual user already has set the password to never expire, it will not overwrite this user.
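
A pre-change check for the domain policy above, as an added example that is not part of the original article: it reports which users are exempt through DisablePasswordExpiration and which passwords would already be past the planned validity period. Get-PasswordExpiryImpact is a hypothetical helper, the sample users are constructed, and it assumes expiry is counted from LastPasswordChangeDateTime.

```powershell
# Added example, not from the original article. Get-PasswordExpiryImpact is a
# hypothetical helper name and the sample users are constructed.
function Get-PasswordExpiryImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,

        # Planned -PasswordValidityPeriodInDays for the domain
        [Parameter(Mandatory)]
        [ValidateRange(1, 2147483647)]
        [int]$ValidityDays,

        # Planned -PasswordNotificationWindowInDays (14 is the default named above)
        [ValidateRange(0, 2147483647)]
        [int]$NotificationDays = 14,

        # Reference time in UTC; assumes LastPasswordChangeDateTime is UTC as well
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        # PasswordPolicies is one string that can hold several comma-separated
        # values, so split it instead of comparing the whole string.
        $policies = @("$($User.PasswordPolicies)" -split ',' | ForEach-Object { $_.Trim() })
        $lastChange = $User.LastPasswordChangeDateTime
        $daysLeft = $null

        if ($policies -contains 'DisablePasswordExpiration') {
            # The domain policy does not overwrite this per-user setting
            $status = 'Exempt'
        }
        elseif ($null -eq $lastChange) {
            $status = 'Unknown'
        }
        else {
            # Assumption: expiry is counted from the last password change
            $ageDays = ($Now - [datetime]$lastChange).TotalDays
            $daysLeft = [long][math]::Floor($ValidityDays - $ageDays)
            if ($daysLeft -le 0) { $status = 'ExpiresImmediately' }
            elseif ($daysLeft -le $NotificationDays) { $status = 'InNotificationWindow' }
            else { $status = 'OK' }
        }

        [pscustomobject]@{
            UserPrincipalName  = $User.UserPrincipalName
            LastPasswordChange = $lastChange
            DaysLeft           = $daysLeft
            Status             = $status
        }
    }
}

# Constructed sample data standing in for Get-MgUser output
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'stale.user@example.com';  PasswordPolicies = 'None'; LastPasswordChangeDateTime = [datetime]'2021-03-15' }
    [pscustomobject]@{ UserPrincipalName = 'recent.user@example.com'; PasswordPolicies = $null;  LastPasswordChangeDateTime = [datetime]'2024-05-01' }
    [pscustomobject]@{ UserPrincipalName = 'soon.user@example.com';   PasswordPolicies = 'None'; LastPasswordChangeDateTime = [datetime]'2023-12-20' }
    [pscustomobject]@{ UserPrincipalName = 'svc.account@example.com'; PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'; LastPasswordChangeDateTime = [datetime]'2019-01-10' }
)

$sampleUsers |
    Get-PasswordExpiryImpact -ValidityDays 180 -NotificationDays 30 -Now ([datetime]'2024-06-01') |
    Sort-Object DaysLeft |
    Format-Table -AutoSize

# Against a tenant (uses the Connect-MgGraph session from earlier):
# Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
#     Get-PasswordExpiryImpact -ValidityDays 180 -NotificationDays 30
```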

3. Set passwords to never expire for users

We will show you how to set the password to never expire for:

  1. Single Microsoft 365 user with PowerShell
  2. Bulk all Microsoft 365 users with PowerShell

Set password to never expire for single Microsoft 365 user

We will set a password to never expire for a specific Microsoft 365 user, Brenda.Smith@m365info.com.

You can use the UserPrincipalName or User ID number.

See the below PowerShell command syntax.

Update-MgUser -UserId "UPN or User ID" -PasswordPolicies DisablePasswordExpiration

Run the PowerShell command example.

Update-MgUser -UserId "d912b0fc-6f7e-4ec2-a9e4-854ed27a511a" -PasswordPolicies DisablePasswordExpiration

It will set the password to never expire for a single user.

Bulk set passwords to never expire for all Microsoft 365 users

Bulk set passwords to never expire for all Microsoft 365 users. This is the default option, which is recommended by Microsoft.

Run the below PowerShell script.

# Fetch all Azure AD users
$users = Get-MgUser -All

foreach ($user in $users) {
    $UserId = $user.Id
    $DisplayName = $user.DisplayName

    Write-Progress -Activity "Setting password to never expire for $DisplayName" -Status "Processing $DisplayName"

    try {
        # Update user to disable password expiration
        Update-MgUser -UserId $UserId -PasswordPolicies DisablePasswordExpiration -ErrorAction Stop

        Write-Host "Password to never expire set for $DisplayName" -ForegroundColor Green
    }
    catch {
        Write-Host "Can't set password to never expire for $DisplayName" -ForegroundColor Red
    }
}

It will set passwords to never expire for all Microsoft 365 users in your organization.

4. Set passwords to expire for users

We will show you how to set passwords to expire for a single Microsoft 365 user and all Microsoft 365 users.

  1. Single Microsoft 365 user with PowerShell
  2. Bulk all Microsoft 365 users with PowerShell

Set password to expire for single Microsoft 365 user

We will set the password to expire for a specific Microsoft 365 user, Brenda.Smith@m365info.com.

You can use the UserPrincipalName or User ID number.

See the below PowerShell command syntax.

Update-MgUser -UserId "UPN or User ID" -PasswordPolicies None

Run the PowerShell command example.

Update-MgUser -UserId "d912b0fc-6f7e-4ec2-a9e4-854ed27a511a" -PasswordPolicies None

It will set the password to expire for a single user with the default values of 14 notification days and 90 expiration days.

Bulk set passwords to expire for all Microsoft 365 users

We will bulk set passwords to expire for all Microsoft 365 users.

Run the below PowerShell script.

# Fetch all Azure AD users
$users = Get-MgUser -All

foreach ($user in $users) {
    $UserId = $user.Id
    $DisplayName = $user.DisplayName

    Write-Progress -Activity "Set password to expire for $DisplayName" -Status "Processing $DisplayName"

    try {
        # Update user to enable password expiration
        Update-MgUser -UserId $UserId -PasswordPolicies None -ErrorAction Stop

        Write-Host "Password set to expire for $DisplayName" -ForegroundColor Green
    }
    catch {
        Write-Host "Can't set password to expire for $DisplayName" -ForegroundColor Red
    }
}

You set the passwords to expire for all Microsoft 365 users in your organization.

Note: It will set passwords to expire for each user in the organization, even if an individual user previously has set the password to never expire. Remember that it will overwrite all the users.

5. Set predefined password for users

We will show you how to set a predefined password for:

  • Single Microsoft 365 user
  • Bulk all Microsoft 365 users
  • Multiple Microsoft 365 users (CSV)

Create new Microsoft 365 user with predefined password

You can create a single new user and set a predefined password.

Provide the below information in the script to create a new user:

  1. Set the Password in line number 3
  2. Set the ForceChangePasswordNextSignIn to true or false in line number 4
  3. Set the ForceChangePasswordNextSignInWithMfa to true or false in line number 5
  4. Create DisplayName in line number 10
  5. Create MailNickName in line number 11
  6. Create UserPrincipalName in line number 12

Run the below PowerShell script.

# Create password profile
$PasswordProfile = @{
    Password                             = "xWwvJ]6NMw+bWH-d"
    ForceChangePasswordNextSignIn        = $true
    ForceChangePasswordNextSignInWithMfa = $true
}

# Create Azure AD user
$AzureUser = @{
    DisplayName       = "Carol Stark"
    MailNickName      = "Carol.Stark"
    UserPrincipalName = "Carol.Stark@m365info.com"
    PasswordProfile   = $PasswordProfile
    AccountEnabled    = $true
}

New-MgUser @AzureUser

It will create a new user with the above information you provided.

Set predefined password for single Microsoft 365 user

We want to set a predefined password for a single Microsoft 365 user. In our example, we will give the user Brenda.Smith@m365info.com a new password. The user should use the new predefined password to sign in.

Note: When you create a predefined password, it should meet complexity requirements, or it can’t be configured.

You can decide whether or not the user needs to change the password.

Note: Set the $ForceChangePasswordNextSignIn to true if you want the user to change the password on the next sign in. If you set the $ForceChangePasswordNextSignIn to false, the user doesn’t need to change the given password.

  1. Change the UserId in line number 1
  2. Set the ForceChangePasswordNextSignIn to true or false in line number 5
  3. Change the password in line number 6
  4. Run the below PowerShell script

$UserId = "Brenda.Smith@m365info.com"

$params = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password                      = 'c*$kJ4!Q2nsQPP' # single quotes: in double quotes, $kJ4 would be expanded as a variable
    }
}

Update-MgUser -UserId $UserId -BodyParameter $params

In our example, the user Brenda must use the predefined password but without changing the password on the next sign in.

Force change password for single Microsoft 365 user

You can also let the user change the password the next time they sign in without setting a predefined password. So, the user can type their current password, but they need to change it to a new password immediately.

Run the below script to force password change the next time the user signs in.

$userId = "Brenda.Smith@m365info.com"

$params = @{
	passwordProfile = @{
		forceChangePasswordNextSignIn = $true
	}
}

Update-MgUser -UserId $userId -BodyParameter $params

The next time Brenda signs in with the current password, the below window appears. The user is forced to change to a new password.

Force change password at next login

Bulk set predefined password for all Microsoft 365 users

We want to set a predefined password for all Microsoft 365 users. All the users will get the same predefined password and need to use the same new password to sign in.

Note: When you create a predefined password, it should meet complexity requirements, or it can’t be configured.

You can decide whether or not to force the user to change the password after the next sign in. If you set the $ForceChangePasswordNextSignIn to true, the user must change the predefined password.

  1. Change the password in line number 5
  2. Set $ForceChangePasswordNextSignIn to true or false
  3. Run the below PowerShell script

# Retrieve a list of all users
$allUsers = Get-MgUser -All

# Define the new password
$newPassword = "Welcome12!"

# Define force password change after sign in
$ForceChangePasswordNextSignIn = $true # or $false

# Loop through each user and update their password
foreach ($user in $allUsers) {
    $UserPrincipalName = $user.UserPrincipalName
    $DisplayName = $user.DisplayName

    try {
        Update-MgUser -UserId $UserPrincipalName `
            -PasswordProfile @{
            password                      = $newPassword;
            ForceChangePasswordNextSignIn = $ForceChangePasswordNextSignIn
        } -ErrorAction Stop

        Write-Host "Password updated for user: $UserPrincipalName" -ForegroundColor Green
    }
    catch {
        # Report the UPN; the original referenced an undefined $UserId here
        Write-Host "Failed to update password for user: $DisplayName ($UserPrincipalName)" $_.Exception.Message -ForegroundColor Red
    }
}

Set identical predefined password for Microsoft 365 users from CSV

You can set an identical predefined password for multiple Microsoft 365 users from a CSV file. We will show you how to export a CSV file with all the users. Then, you can adjust the CSV file and only keep the users you want to set a predefined password for.

Step 1: Export Microsoft 365 users account

See the below PowerShell command syntax.

Get-MgUser -All | Select UserPrincipalName | Export-Csv "path" -NoTypeInformation -Encoding UTF8

Run the PowerShell command example.

Get-MgUser -All | Select UserPrincipalName | Export-Csv "C:\temp\m365users.csv" -NoTypeInformation -Encoding UTF8

It will export the below CSV file example with the UserPrincipalName. You can adjust the CSV file and remove the users whose password you don’t want to change.

Export all Microsoft 365 users with PowerShell csv

Step 2: Save the CSV file

Name the file m365users and save it as a CSV file in the temp folder if you don’t have it already in the (C:) drive.

To ensure PowerShell can read the file, run the Import-Csv cmdlet.

Import-Csv "C:\temp\m365users.csv"

Step 3: Set an identical predefined password in the script

You need to set an identical predefined password for all the users and specify whether you want them to change the password.

  1. Type the password in line number 8
  2. Set the ForceChangePasswordNextSignIn to true or false in line number 11

Run the below PowerShell script.

# Define the path to the CSV file
$csvFilePath = "C:\temp\m365users.csv"

# Load the CSV data into a variable
$csvData = Import-Csv -Path $csvFilePath

# Define the new password
$newPassword = "P@ss8739!7382!"

# Define force password change after sign in
$ForceChangePasswordNextSignIn = $true # or $false

# Loop through each user in the CSV data and update their password
foreach ($user in $csvData) {
    $userPrincipalName = $user.UserPrincipalName

    # Check if the user exists
    $existingUser = Get-MgUser -UserId $userPrincipalName -ErrorAction SilentlyContinue

    if ($existingUser -ne $null) {
        try {
            Update-MgUser -UserId $userPrincipalName `
                -PasswordProfile @{
                password                      = $newPassword;
                ForceChangePasswordNextSignIn = $ForceChangePasswordNextSignIn
            } -ErrorAction Stop

            Write-Host "Password updated for user: $userPrincipalName" -ForegroundColor Green
        }
        catch {
            Write-Host "Failed to update password for user: $userPrincipalName" $_.Exception.Message -ForegroundColor Red
        }
    }
    else {
        Write-Host "User not found: $userPrincipalName" -ForegroundColor Yellow
    }
}

Set predefined password for Microsoft 365 users from CSV

You can also set a predefined unique password for each Microsoft 365 user from a CSV file. It will change the password for these users with the unique password you chose.

Create a CSV file with a predefined password for each user:

  1. Open Microsoft Excel
  2. Type UserPrincipalName in the first column
  3. List the user principal names
  4. Type Password at the top of the second column
  5. List unique passwords
  6. Name the file m365usersPass and save it as a CSV file
  7. Create a temp folder and save it in C:\temp
  8. To ensure PowerShell can read the file, run the Import-Csv cmdlet

Import-Csv "C:\temp\m365usersPass.csv"

Before you run the script, you need to specify whether you want the users to change the password at the next login.

  1. Set the ForceChangePasswordNextSignIn to true or false in line number 8

Run the below PowerShell script.

# Define the path to the CSV file
$csvFilePath = "C:\temp\m365usersPass.csv"

# Load the CSV data into a variable
$csvData = Import-Csv -Path $csvFilePath

# Define force password change after sign in
$ForceChangePasswordNextSignIn = $true # or $false

# Loop through each user in the CSV data and update their password
foreach ($user in $csvData) {
    $userPrincipalName = $user.UserPrincipalName
    $userPassword = $user.Password

    # Check if the user exists
    $existingUser = Get-MgUser -UserId $userPrincipalName -ErrorAction SilentlyContinue

    if ($existingUser -ne $null) {
        try {
            Update-MgUser -UserId $userPrincipalName `
                -PasswordProfile @{
                password                      = $userPassword;
                ForceChangePasswordNextSignIn = $ForceChangePasswordNextSignIn
            } -ErrorAction Stop

            Write-Host "Password updated for user: $userPrincipalName" -ForegroundColor Green
        }
        catch {
            Write-Host "Failed to update password for user: $userPrincipalName" $_.Exception.Message -ForegroundColor Red
        }
    }
    else {
        Write-Host "User not found: $userPrincipalName" -ForegroundColor Yellow
    }
}
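
Instead of typing the passwords into Excel by hand, the m365usersPass.csv described above can be generated with a random password per user. This is an added example, not the article's own code; Get-RandomIndex and New-TemporaryPassword are hypothetical helpers, the user list is constructed, and the file is written to the temp directory rather than C:\temp.

```powershell
# Added example, not from the original article. Get-RandomIndex and
# New-TemporaryPassword are hypothetical helpers; the user list is constructed.

# Uniform index in [0, $Max) from the OS CSPRNG, using rejection sampling
# so that the modulo does not favour low values. $Max must be 1..256.
function Get-RandomIndex {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [ValidateRange(1, 256)][int]$Max
    )
    $limit = 256 - (256 % $Max)
    $buffer = New-Object byte[] 1
    do { $Rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    $buffer[0] % $Max
}

function New-TemporaryPassword {
    param([ValidateRange(12, 64)][int]$Length = 16)

    $sets = @(
        'abcdefghijkmnopqrstuvwxyz',  # lowercase without "l"
        'ABCDEFGHJKLMNPQRSTUVWXYZ',   # uppercase without "I" and "O"
        '23456789',                   # digits without "0" and "1"
        '!#%*?_'                      # symbols that PowerShell strings, CSV and Excel formulas leave alone
    )
    $all = -join $sets
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object 'System.Collections.Generic.List[char]'
        # One character from every set, then fill up from the full alphabet
        foreach ($set in $sets) {
            $chars.Add($set[(Get-RandomIndex -Rng $rng -Max $set.Length)])
        }
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-RandomIndex -Rng $rng -Max $all.Length)])
        }
        # Fisher-Yates shuffle so the guaranteed characters are not at fixed positions
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        -join $chars.ToArray()
    }
    finally {
        $rng.Dispose()
    }
}

# Constructed sample; in practice use: Import-Csv "C:\temp\m365users.csv"
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'user.one@example.com' }
    [pscustomobject]@{ UserPrincipalName = 'user.two@example.com' }
)

$rows = foreach ($u in $users) {
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Password          = New-TemporaryPassword -Length 16
    }
}

# Same two columns as m365usersPass.csv. The file contains cleartext
# credentials: restrict access to it and delete it once the passwords are set.
$outFile = Join-Path ([System.IO.Path]::GetTempPath()) 'm365usersPass.csv'
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) rows to $outFile"
```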

6. Export password never expires for Microsoft 365 users

You can check if a password is set to never expire for the Microsoft 365 users in your organization. We will show you how to get password information for:

  • Single Microsoft 365 user
  • Bulk all Microsoft 365 users

Get password never expires for single Microsoft 365 user

First, we want to see if a password is set to never expire for a single Microsoft 365 user. We need to use the Get-MgUser cmdlet with the UserPrincipalName or user ID.

See the below PowerShell syntax example.

Get-MgUser -UserId "UPN or user ID" -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName, @{
    N = "PasswordNeverExpires";
    E = { $_.PasswordPolicies -contains "DisablePasswordExpiration" }
}

Run the PowerShell command example.

Get-MgUser -UserId "Brenda.Smith@m365info.com" -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName, @{
    N = "PasswordNeverExpires";
    E = { $_.PasswordPolicies -contains "DisablePasswordExpiration" }
}

See the below PowerShell output example.

UserPrincipalName         PasswordNeverExpires
-----------------         --------------------
Brenda.Smith@m365info.com                False

The above example shows that PasswordNeverExpires is False (by default). It means that the user Brenda has a password that expires.

Get password never expires for bulk all Microsoft 365 users

Get the password never expires information for all the Microsoft 365 users in your organization.

Run the below PowerShell command.

Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName, @{
    N = "PasswordNeverExpires";
    E = { $_.PasswordPolicies -contains "DisablePasswordExpiration" }
}

See the below PowerShell output.

UserPrincipalName                 PasswordNeverExpires
-----------------                 --------------------
Adam.Mackay@m365info.com                         False
Adrian.Mackenzie@m365info.com                    False
Alan.MacLeod@m365info.com                        False
Alexander.Manning@m365info.com                   False
Amanda.Hansen@m365info.com                       False
Brenda.Smith@m365info.com                        False
Brian.Mill@m365info.com                          False
Cameron.Miller@m365info.com                      False
Carl.Mills@m365info.com                          False
Carol.Bover@m365info.com                         False
Caroline.Cameron@m365info.com                    False
Carolyn.Brown@m365info.com                       False
Chris.Lucas@m365info.com                         False
Diana.Baker@m365info.com                         False

Export password never expires report to CSV

You can also bulk export the password never expires settings of all Microsoft 365 users to a CSV file.

Create a temp folder in the (C:) drive if you don’t have one.

Run the below PowerShell script.

Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | 
Select-Object UserPrincipalName, @{ 
    N = "PasswordNeverExpires"; 
    E = { $_.'PasswordPolicies' -contains "DisablePasswordExpiration" } 
} | 
Export-Csv -Path "C:\temp\PasswordReport.csv" -NoTypeInformation -Encoding UTF8

It will export all the Microsoft 365 users password never expires settings. In our example, all the users have FALSE as a value, which means they don’t have the option Password never expires.

Microsoft 365 users passwords never expires report csv

Display information Microsoft 365 password policy

See the below PowerShell command syntax.

Get-MgDomain -DomainId "Domain Name" | Ft PasswordNotificationWindowInDays, PasswordValidityPeriodInDays

Run the PowerShell command example.

Get-MgDomain -DomainId "m365info.com" | Ft PasswordNotificationWindowInDays, PasswordValidityPeriodInDays

The PowerShell output shows the below result example.

PS C:\> Get-MgDomain –DomainId "m365info.com" | Ft PasswordNotificationWindowInDays, PasswordValidityPeriodInDays

PasswordNotificationWindowInDays PasswordValidityPeriodInDays
-------------------------------- ----------------------------
                              30                          180

You learned how to manage Microsoft 365 users password with MS Graph PowerShell.

Conclusion

You learned how to manage Microsoft 365 users password with PowerShell. Microsoft recommends setting the password to never expire for the entire organization. With PowerShell there are more settings to configure for the password settings than in Microsoft 365 admin center.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 21 Comments

  1. So, depth.
    Awesome.
    It helps me a lot… Thank you so much for this nice article. I have saved the link.

  2. Hi o365info Team!
    What happens if the “Set passwords to never expire” option is set but there are users who have the PasswordNeverExpires parameter set to $False? What would the behavior be?

    1. When you set passwords to never expire in Microsoft admin center (for all the domains) or with the PowerShell command (single domain) it will NOT overwrite the users that are manually set.

      For example, if it’s set manually to “PasswordNeverExpires” = “False”, the value stays as “False”, and it will not overwrite to “True”.

      If you want to overwrite all the users, we recommend running the “Bulk set passwords to never expire” script. This will go through every user and set the PasswordNeverExpires value as “True”.

  3. Hi there.

    I want to be able to send an email to the user secondary email when I reset the password. Is there a way to do this via CSV?

  4. Hi, thanks a lot, the information is very useful, but if you can help me with this: is there any way to reset the last password changed date? The problem is that our passwords have not been changed for more than 3 years. Now I want to set a password expiration policy of 60 days, but as soon as I set it, the users get blocked and they have to change immediately. I want to give them 15 days to change their passwords.

  5. The level of information, layout and depth of knowledge you share so freely is truly amazing. It has helped me numerous times and saved hours of research.

  6. It’s difficult to find knowledgeable people in this particular subject, however, you sound like you know what you’re talking about! Thanks

  7. This is a fantastic article – again, much more thorough and easy to understand than any MS article anywhere.

  8. Hello. It worked like a charm 🙂 – I actually managed to build a complete set of scripts suited to my needs. I still think Microsoft did a stupid thing with the management/administration part of the new Office 365 platform but, at least for the moment, it works for me :(. I cannot understand how they thought to eliminate the automated mechanism for “lost password”, but I keep saying sweet things to MS in my mind and wait for manual requests for lost password changes… and for a whole lot of more than 25000 users (out of which of course there are plenty who forget the password) you can think about the time I spend thinking about MS :))). Anyway, thanks again to you – great job.

  9. Please tell me that you’re heading to keep this up! It’s so great and so important. I can’t wait to read a lot more from you. I just feel like you know so substantially and know how to make people listen to what you might have to say. This blog is just too cool to become missed. Terrific stuff, genuinely. Please, PLEASE keep it up!
