Secure Store Password Policy - getting the details
You can get the last password change timestamp via the MSOL/AzureAD PowerShell module. There are example scripts available that compare that value to the password policy and can even generate notifications. Here's one example: https://windowsserveressentials.com/2015/01/23/office-365-email-password-reminder/
- Julian Knight, Oct 20, 2016, Steel Contributor
Thanks Vasil, I'm aware and use that data but it is wrong!
Firstly, though we have mandatory password changes every 90d, currently out of 11,630 records, 13 (ignoring external and system entries) are marked with PasswordNeverExpires = True - this should never be the case and demonstrates that there is a problem in AAD.
Secondly, I have examples where the LastPasswordChangeTimestamp shows a date in April, the PasswordNeverExpires is False and the user is currently (e.g. today) using the system. So this user last changed their password 181 days ago according to the data. How could this be so? Something is dreadfully wrong here.
This is why I asked the question I did in the way that I did. The Secure Score report is reporting something that I am having difficulty with using the data provided to us - I want to know whether Secure Score is using the same data and therefore likely to have the same failings - or whether it has access to other information.
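The two checks described in the post above (accounts flagged PasswordNeverExpires, and accounts whose LastPasswordChangeTimestamp is older than the 90-day policy) can be run as one audit pass. The following is an added example, not code from any poster in this thread; the function name `Test-PasswordAge`, the finding labels and the sample records are constructed for illustration, and it assumes input objects shaped like `Get-MsolUser` output.

```powershell
# Added example: classify accounts against a maximum password age.
# Test-PasswordAge and the Finding labels are hypothetical names.
function Test-PasswordAge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [int]$MaxAgeDays = 90,                        # policy value stated in the thread
        [datetime]$AsOf = (Get-Date).ToUniversalTime()
    )
    process {
        $changed = $User.LastPasswordChangeTimestamp
        $age = $null
        if ($changed) {
            $age = [int][math]::Floor(($AsOf - [datetime]$changed).TotalDays)
        }

        # Order matters: a never-expires flag explains an old timestamp,
        # so report it first; an old timestamp without the flag is the anomaly.
        if ($User.PasswordNeverExpires -eq $true) { $finding = 'NeverExpiresSet' }
        elseif ($null -eq $age)                   { $finding = 'NoTimestamp' }
        elseif ($age -gt $MaxAgeDays)             { $finding = 'OverdueNotForced' }
        else                                      { $finding = 'Compliant' }

        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            PasswordAgeDays      = $age
            PasswordNeverExpires = $User.PasswordNeverExpires
            Finding              = $finding
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'a@example.com'; PasswordNeverExpires = $false
                       LastPasswordChangeTimestamp = [datetime]'2016-04-22' }
    [pscustomobject]@{ UserPrincipalName = 'b@example.com'; PasswordNeverExpires = $true
                       LastPasswordChangeTimestamp = [datetime]'2016-09-01' }
    [pscustomobject]@{ UserPrincipalName = 'c@example.com'; PasswordNeverExpires = $false
                       LastPasswordChangeTimestamp = [datetime]'2016-09-15' }
)

$sample | Test-PasswordAge -AsOf ([datetime]'2016-10-20') |
    Where-Object Finding -ne 'Compliant' | Format-Table -AutoSize

# Against a tenant (assumes an existing Connect-MsolService session):
#   Get-MsolUser -All | Test-PasswordAge | Where-Object Finding -ne 'Compliant'
```

Rows reported as `OverdueNotForced` for accounts that are still signing in are the ones worth attaching to a support case, since they show the expiry policy was not enforced.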
- Julian Knight, Oct 31, 2016, Steel Contributor
For interest, we now have an open Premier Support call related to this issue.
We have established that some users are definitely NOT being prompted for password resets on the required schedule.