SOLVED

set password expiry in O365

Brass Contributor

can i set password expiry for certain select group of users to get them to change their password regularly ?

currently, the system policy is set to 180 days expiry date.

but we noticed that some users did not changed their O365 account password.

 

9 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

If you set password expiry in O365, it will apply to all users. What you need to do to exempt is to set individual users password to never expire. You can do this via Powershell: https://support.office.com/en-us/article/Set-an-individual-user-s-password-to-never-expire-f493e3af-...

 

Also, you can set all users first to never expire,

Get-MSOLUser | Set-MSOLUser -PasswordNeverExpires $true

then change individually selected users to password that expires.

Set-MSOLUser -UserPrincipalName <alias> -PasswordNeverExpires $false

 

Agree...PS is the answer here!
Is possible to set password expired and not PasswordNeverExpires for single user?

You can set the password to never expire for a single user using the following PowerShell command:

Set-MsolUser -UserPrincipalName <your user> -PasswordNeverExpires $true

To force a single user to change the password during the next login, use the following command:

Set-MsolUserPassword -UserPrincipalName <your user> -ForceChangePassword $true

Please note that these commands only affects the users whose passwords are in the cloud. I.e. you are not using password hash sync, federated identity, passthru authentication, etc.  

Ok, thank you very much. 

I have a hybrid configuration in the company. Users on premise with ADSync synchronization in Office 365 and users who only have cloud mail in O365.
I need to set the GPOs for password expiration in active directory and also expire users who are on the cloud. By setting the password expiration on the cloud, do I conflict that the gpo I have set in active directory?
I understand that cloud users take the password expiration rule from Office 365, in the security and privacy section, while an on-premise user who has the GPOs in AD set, also acquires the password expiration rules that are in O365?

 

Do you have also the password sync enabled? If so, all password policies are managed in on-prem AD and O365 expiration rules etc. do not apply for synced users.

Yes, I have password Sync enabled. 

Thank you very much

 

hi, I tested a user in active directory on premise. I set the mandatory password change at the next user login, with powershell on O365. Then I tried to log in to O365 and rightly asked me to change my password. Then I synchronized the password between AD and O365 (my synchronization works only from AD to O365) I would have expected to access O365 with the password of the user set in AD instead it is not. To log in I must use the previous password reset with the Powershell command on O365. In active directory instead I log in with the old password. Is it right that it works like this or is there some configuration error?

Hey Christian,

 

It sounds like you set the user account to expire in o365, then changed the password in o365 and you don't have Password Writeback enabled on your domain (You require at least an Azure AD P1 license for this and it enabled in Azure Connect on your DC).

 

You need to be changing your account password on-prem and let that password sync to o365.

To change on-prem, log onto a computer and hit ALT+CTRL+DEL then click CHANGE PASSWORD. Wait 5 minutes then try log onto o365 with your new password.

 

If you purchase an o365 license with Azure AD P1 license and enable Password Write back in Azure Connect then you can force password changes in Azure like you did and that should work.

 

Note that you, as an Admin, changing a users password in the Office Portal, or changing the password via o365/azure powershell will NEVER write the password back to your onPrem network.

You can only set the mandatory password change flag in the cloud via the Office Portal, or via o365/azure powershell and get the user to change their own password at next login, using the Change Password link on any o365 site/application or via the SSPR (Self Service Password Reset) site. Only the last 3 methods will write the password back to the OnPrem AD server.

 

(Current as of OCTOBER 2018)

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

If you set password expiry in O365, it will apply to all users. What you need to do to exempt is to set individual users password to never expire. You can do this via Powershell: https://support.office.com/en-us/article/Set-an-individual-user-s-password-to-never-expire-f493e3af-...

 

Also, you can set all users first to never expire,

Get-MSOLUser | Set-MSOLUser -PasswordNeverExpires $true

then change individually selected users to password that expires.

Set-MSOLUser -UserPrincipalName <alias> -PasswordNeverExpires $false

 

View solution in original post