Sep 17 2017 11:47 PM
Can I set password expiry for a certain select group of users to get them to change their password regularly?
Currently, the system policy is set to a 180-day expiry.
But we noticed that some users did not change their O365 account password.
Sep 18 2017 12:19 AM - edited Sep 18 2017 12:28 AM
Solution: If you set password expiry in O365, it will apply to all users. What you need to do to exempt users is to set individual users' passwords to never expire. You can do this via PowerShell: https://support.office.com/en-us/article/Set-an-individual-user-s-password-to-never-expire-f493e3af-...
Also, you can set all users first to never expire,
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
then change individually selected users to a password that expires.
Set-MsolUser -UserPrincipalName <alias> -PasswordNeverExpires $false
Jul 13 2018 07:34 AM
Jul 15 2018 11:55 PM
You can set the password to never expire for a single user using the following PowerShell command:
Set-MsolUser -UserPrincipalName <your user> -PasswordNeverExpires $true
To force a single user to change the password during the next login, use the following command:
Set-MsolUserPassword -UserPrincipalName <your user> -ForceChangePassword $true
Please note that these commands only affect the users whose passwords are in the cloud, i.e. you are not using password hash sync, federated identity, pass-through authentication, etc.
Jul 16 2018 01:29 AM
Ok, thank you very much.
I have a hybrid configuration in the company: on-premises users synchronized to Office 365 with ADSync, and users who only have cloud mail in O365.
I need to set the GPOs for password expiration in Active Directory and also expire users who are in the cloud. If I set password expiration in the cloud, does that conflict with the GPO I have set in Active Directory?
I understand that cloud users take the password expiration rule from Office 365, in the security and privacy section, while an on-premises user who has the GPOs set in AD also acquires the password expiration rules that are in O365?
Jul 16 2018 02:01 AM
Do you also have password sync enabled? If so, all password policies are managed in on-prem AD, and O365 expiration rules etc. do not apply to synced users.
Jul 16 2018 02:23 AM
Yes, I have password sync enabled.
Thank you very much
Sep 18 2018 01:20 AM
Oct 10 2018 07:37 PM - edited Oct 10 2018 07:39 PM
Hey Christian,
It sounds like you set the user account to expire in o365, then changed the password in o365, and you don't have Password Writeback enabled on your domain (you require at least an Azure AD P1 license for this, and it must be enabled in Azure Connect on your DC).
You need to be changing your account password on-prem and let that password sync to o365.
To change it on-prem, log onto a computer and hit ALT+CTRL+DEL, then click CHANGE PASSWORD. Wait 5 minutes, then try to log onto o365 with your new password.
If you purchase an o365 license with an Azure AD P1 license and enable Password Writeback in Azure Connect, then you can force password changes in Azure like you did and that should work.
Note that you, as an admin, changing a user's password in the Office Portal, or changing the password via o365/Azure PowerShell, will NEVER write the password back to your on-prem network.
You can only set the mandatory password change flag in the cloud via the Office Portal, or via o365/Azure PowerShell, and get the user to change their own password at next login, using the Change Password link on any o365 site/application or via the SSPR (Self Service Password Reset) site. Only the last 3 methods will write the password back to the on-prem AD server.
(Current as of OCTOBER 2018)
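An added example, not part of the thread: a read-only audit that sorts accounts into the cases the replies above distinguish (synced accounts governed by on-prem AD, cloud accounts exempted with -PasswordNeverExpires, and cloud accounts past the 180-day policy). The function name `Get-PasswordExpiryAudit` and the sample accounts are constructed for illustration; the property names are the ones Get-MsolUser returns on its user objects.

```powershell
function Get-PasswordExpiryAudit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 180,                       # expiry policy quoted in the question
        [datetime] $Now = (Get-Date).ToUniversalTime() # MSOnline timestamps are UTC
    )
    process {
        # Password age in whole days, or $null when no change time is recorded
        $age = $null
        if ($User.LastPasswordChangeTimestamp) {
            $age = [int][math]::Floor(($Now - $User.LastPasswordChangeTimestamp).TotalDays)
        }
        $status = if ($User.LastDirSyncTime)          { 'SyncedOnPremPolicy' }  # O365 expiry does not apply
                  elseif ($User.PasswordNeverExpires) { 'ExemptNeverExpires' }  # excluded from tenant policy
                  elseif ($null -eq $age)             { 'NoChangeRecorded' }
                  elseif ($age -gt $MaxAgeDays)       { 'Overdue' }
                  else                                { 'WithinPolicy' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PasswordAgeDays   = $age
            Status            = $status
        }
    }
}

# Constructed sample accounts so the function can be exercised without a tenant
$asOf = [datetime]'2018-10-10'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'cloud.stale@contoso.example'
        PasswordNeverExpires = $false; LastDirSyncTime = $null
        LastPasswordChangeTimestamp = [datetime]'2018-01-02' }
    [pscustomobject]@{ UserPrincipalName = 'cloud.exempt@contoso.example'
        PasswordNeverExpires = $true; LastDirSyncTime = $null
        LastPasswordChangeTimestamp = [datetime]'2017-03-01' }
    [pscustomobject]@{ UserPrincipalName = 'cloud.fresh@contoso.example'
        PasswordNeverExpires = $false; LastDirSyncTime = $null
        LastPasswordChangeTimestamp = [datetime]'2018-09-01' }
    [pscustomobject]@{ UserPrincipalName = 'synced.user@contoso.example'
        PasswordNeverExpires = $false; LastDirSyncTime = [datetime]'2018-10-09'
        LastPasswordChangeTimestamp = [datetime]'2017-12-01' }
)
$sample | Get-PasswordExpiryAudit -Now $asOf | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService:
#   Get-MsolUser -All | Get-PasswordExpiryAudit | Where-Object Status -ne 'WithinPolicy'
```

Reviewing the ExemptNeverExpires rows periodically shows which accounts the "set everyone to never expire, then opt users back in" approach has left outside any rotation requirement.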