Password Expiration notification


I have a number of users who have recently transitioned to Azure-joined devices and are authenticating directly through AAD, though their accounts originated in on-prem AD. When their passwords expire, they aren't getting a notification but are finding out when certain on-prem services aren't connecting. We are using AD Sync and it's going both ways, AAD to OP and OP to AAD.


I guess my question is twofold:

  • Is it possible that AD is still expiring the password and if not, where can I find where it is expiring?
  • Is there any way to turn on expiration notification for Azure AD users?

Thanks,

Hi @Bryan_George,

Passwords are so not 2022. You have just opened a can of worms :)
I would suggest you read the blog post that I have created in the past. Google the following "Comply your AD password expiration policy with Azure AD." That should help you.

I am not a fan of password expiration policies; I am more the type of administrator that prefers password-less authentication and sets the password expiration policy to "never."

By default, AAD uses a password expiration of 90 days. You can see the setting by browsing the admin center > settings > org settings > security & privacy > Password expiration policy.

There are enough online scripts that could help you send an e-mail to a user whose password expires. Hint: use the following Google search term: Password-Expiration-Notifications.ps1

Good luck, and if you have any other questions, shoot ;)
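The first question in the thread (is on-prem AD still expiring the password, and where is that visible?) can be answered by reading both sides of the hybrid setup. The script below is an added example, not code from the thread or from the blog post mentioned above; it assumes the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed, and the domain name and UPN are placeholders.

```powershell
# Added example (not from the thread): report where a hybrid user's password
# actually expires. Needs the ActiveDirectory module (RSAT) for the on-prem
# side and the Microsoft.Graph SDK for the cloud side.
# 'contoso.com' and 'jdoe@contoso.com' are placeholders.

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-HybridPasswordExpiry {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $VerifiedDomain   # tenant's verified domain, e.g. contoso.com
    )

    # On-prem AD: msDS-UserPasswordExpiryTimeComputed is a constructed attribute
    # (FILETIME) that already accounts for fine-grained password policies.
    # Int64.MaxValue means "never expires".
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, PasswordNeverExpires
    $fileTime = [int64]$adUser.'msDS-UserPasswordExpiryTimeComputed'
    if ($adUser.PasswordNeverExpires -or $fileTime -le 0 -or $fileTime -eq [int64]::MaxValue) {
        $onPremExpiry = $null
    } else {
        $onPremExpiry = [DateTime]::FromFileTime($fileTime)
    }

    # Azure AD / Entra ID: the tenant policy lives on the verified domain
    # (2147483647 days = never). A per-user opt-out shows up as the
    # DisablePasswordExpiration flag in passwordPolicies; synced users carry
    # that flag by default, so for them the on-prem value above is the one
    # that actually expires the password.
    $domain = Get-MgDomain -DomainId $VerifiedDomain
    $mgUser = Get-MgUser -UserId $UserPrincipalName `
        -Property UserPrincipalName, LastPasswordChangeDateTime, PasswordPolicies, OnPremisesSyncEnabled
    $validity = $domain.PasswordValidityPeriodInDays
    if ($mgUser.PasswordPolicies -match 'DisablePasswordExpiration' -or
        -not $validity -or $validity -ge 2147483647 -or -not $mgUser.LastPasswordChangeDateTime) {
        $cloudExpiry = $null
    } else {
        $cloudExpiry = $mgUser.LastPasswordChangeDateTime.AddDays($validity)
    }

    [pscustomobject]@{
        User                    = $UserPrincipalName
        OnPremSynced            = $mgUser.OnPremisesSyncEnabled
        OnPremPasswordLastSet   = $adUser.PasswordLastSet
        OnPremExpiry            = $onPremExpiry
        CloudValidityDays       = $validity
        CloudNotificationWindow = $domain.PasswordNotificationWindowInDays
        CloudPasswordPolicies   = $mgUser.PasswordPolicies
        CloudExpiry             = $cloudExpiry
    }
}

# Usage (placeholder names); the signed-in account needs read rights on users and domains.
Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All'
Get-HybridPasswordExpiry -UserPrincipalName 'jdoe@contoso.com' -VerifiedDomain 'contoso.com' | Format-List
```

If OnPremExpiry is a date and CloudExpiry is empty, the on-prem policy is what is cutting the user off, which matches the symptom in the question (on-prem services stop connecting while the cloud sign-in keeps working).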

@BilalelHadd Many highly regulated environments have these types of requirements. PCI DSS, governance from government bodies, etc. have these password requirements for expiration, so these orgs are beholden to them.


Also of note: most, if not all, of these scripts use Send-MailMessage, which is deprecated and has no official replacement from MS; see below.


https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?vi...


"The Send-MailMessage cmdlet is obsolete. This cmdlet does not guarantee secure connections to SMTP servers. While there is no immediate replacement available in PowerShell, we recommend you do not use Send-MailMessage. For more information, see Platform Compatibility note DE0005."


The only solution I have found so far that does not use Send-MailMessage in my light research is this blog: https://www.sharepointdiary.com/2023/04/microsoft-365-password-expiration-notification-email.html

It looks like it uses M365 and the Microsoft Graph API to do this.
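The notification part of the thread, written as an added example rather than code from the thread or from the linked blog: it finds on-prem accounts whose computed expiry falls inside a notice window and mails them through Microsoft Graph (Send-MgUserMail) instead of the obsolete Send-MailMessage. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users.Actions module; the search base and sender mailbox are placeholders, and the signed-in identity must hold the Mail.Send permission.

```powershell
# Added example (not from the thread or the linked blog): notify users whose
# on-prem password expires within $NoticeDays, sending via Microsoft Graph.
# Placeholders: the OU in $SearchBase and the $From mailbox.

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users.Actions

function Get-ExpiringPasswordUsers {
    param(
        [int]    $NoticeDays = 14,
        [string] $SearchBase = 'OU=Users,DC=contoso,DC=com'   # placeholder OU
    )
    $now = Get-Date
    Get-ADUser -SearchBase $SearchBase `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and Mail -like "*"' `
        -Properties Mail, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $ft = [int64]$_.'msDS-UserPasswordExpiryTimeComputed'
        if ($ft -le 0 -or $ft -eq [int64]::MaxValue) { return }   # no computed expiry for this account
        $expires  = [DateTime]::FromFileTime($ft)
        $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
        # Only accounts inside the window and not yet expired get a notice;
        # already-expired accounts are a helpdesk case, not an e-mail case.
        if ($daysLeft -ge 0 -and $daysLeft -le $NoticeDays) {
            [pscustomobject]@{
                Name     = $_.Name
                Mail     = $_.Mail
                Expires  = $expires
                DaysLeft = $daysLeft
            }
        }
    }
}

function Send-ExpiryNotice {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string] $From = 'it-notifications@contoso.com'   # placeholder mailbox the caller may send as
    )
    process {
        $when = $User.Expires.ToString('yyyy-MM-dd HH:mm')
        $body = "Hello $($User.Name),`n`nYour password expires on $when " +
                "($($User.DaysLeft) day(s) from now). Please change it before then."
        $params = @{
            Message = @{
                Subject      = "Your password expires in $($User.DaysLeft) day(s)"
                Body         = @{ ContentType = 'Text'; Content = $body }
                ToRecipients = @(@{ EmailAddress = @{ Address = $User.Mail } })
            }
            SaveToSentItems = $false
        }
        # Graph mail is an HTTPS call to the Graph endpoint authenticated with a
        # token, so there is no SMTP relay, credential or TLS negotiation to get
        # wrong, which is exactly the weakness behind the Send-MailMessage notice.
        Send-MgUserMail -UserId $From -BodyParameter $params
    }
}

# Usage: interactive sign-in with delegated Mail.Send; for a scheduled task,
# an app registration with application-level Mail.Send is the unattended equivalent.
Connect-MgGraph -Scopes 'Mail.Send'
Get-ExpiringPasswordUsers -NoticeDays 14 | Send-ExpiryNotice
```

Run Get-ExpiringPasswordUsers on its own first and check the list before piping it into Send-ExpiryNotice; the filter deliberately skips accounts with no mail attribute, so those users still need another channel.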