Azure AD Set Passwords to Not Expire

This blog post is more of a reminder for myself than anything else. I needed to mark some service accounts in Azure AD so that their passwords don't expire.

We had a few service accounts used in a couple of places and wanted a controlled process for rotating their passwords, rather than having them expire on the tenant's default schedule and break whatever they were wired into.

To do this we did the following:

  • Create a group to hold all of the service accounts for the project, for easy management
  • Add all of the service accounts to that group
  • Run a script which checks every member of the group and changes the password policy so the password doesn't expire

I had a look online and couldn't really find a resource showing how to do this that didn't use the old Office 365 MSOnline PowerShell module (Set-MsolUser -PasswordNeverExpires), so I thought I'd share this for anyone else who might find it useful.

Below is the script I use, and usually run again whenever we add a new service account where we want more granular control over when its password changes. Bear in mind that a password which never expires removes the forcing function for rotation, so the controlled rotation process mentioned above has to actually be followed, and it is worth periodically listing which accounts carry the DisablePasswordExpiration policy to check that only the intended ones do.

# Allow locally written scripts to run. RemoteSigned scoped to the current user is
# enough for this; Unrestricted (as originally used here) is broader than the task needs.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# The AzureAD module has since been deprecated by Microsoft in favour of the
# Microsoft Graph PowerShell SDK, where the equivalent call is
# Update-MgUser -UserId <id> -PasswordPolicies DisablePasswordExpiration.
Install-Module AzureAD -Scope CurrentUser
Get-Module AzureAD -ListAvailable

function ProcessUsers([string] $groupName) {
    Write-Host 'Processing Users Function started'

    # -SearchString is a prefix match, so insist on exactly one exact-name hit
    $groups = @(Get-AzureADGroup -SearchString $groupName -All $true |
        Where-Object { $_.DisplayName -eq $groupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$groupName', found $($groups.Count)"
    }
    $ServiceAccountsGroup = $groups[0]
    Write-Host 'Group Found' $ServiceAccountsGroup.DisplayName
    Write-Host 'Group Found' $ServiceAccountsGroup.ObjectId

    $groupMembers = Get-AzureADGroupMember -ObjectId $ServiceAccountsGroup.ObjectId -All $true

    foreach ($member in $groupMembers) {
        # Members can also be nested groups or service principals; only users have a password policy
        if ($member.ObjectType -ne 'User') {
            Write-Host 'Skipping non-user member' $member.DisplayName
            continue
        }
        Write-Host $member.DisplayName

        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Pre-update Password Policy: ' $user.PasswordPolicies

        # This replaces the whole PasswordPolicies string: if the account also had
        # DisableStrongPassword set, that flag is dropped. Set 'None' to re-enable expiry.
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration

        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Post-update Password Policy: ' $user.PasswordPolicies
        Write-Host 'AccountEnabled: ' $user.AccountEnabled

        Write-Host ''
    }

    Write-Host 'Processing Users Function Ended'
}

# Connect-AzureAD -Credential only works for accounts without MFA; for an MFA-enabled
# admin account, call Connect-AzureAD with no -Credential to get the interactive prompt.
$cred = Get-Credential
Connect-AzureAD -Credential $cred
ProcessUsers -groupName '<Group name goes here>'
Write-Host 'All Done'
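The script above covers the third step of the process; the first two (create the group and add the service accounts) were done by hand. As an added example that is not part of the original post, here is the same AzureAD module used to do those two steps idempotently, followed by an audit query that lists every user in the tenant whose password is set not to expire and flags any that are outside the managed group. The group name and the account UPNs are placeholders and need replacing.

```powershell
# Added example, not from the original post. Assumed placeholder values below.
$groupName = 'svc-no-expiry'                                # assumed group name
$serviceAccountUpns = @(                                    # assumed service account UPNs
    'svc-app1@contoso.onmicrosoft.com',
    'svc-app2@contoso.onmicrosoft.com'
)

Connect-AzureAD   # interactive sign-in, so it works with an MFA-enabled admin account

# Step 1: create the security group (not mail-enabled), reusing it if it already exists
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName `
        -Description 'Service accounts with controlled password rotation' `
        -MailEnabled $false -SecurityEnabled $true -MailNickName 'NotSet'
}

# Step 2: add each service account, skipping any that are already members
$existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
foreach ($upn in $serviceAccountUpns) {
    $user = Get-AzureADUser -ObjectId $upn       # -ObjectId accepts a UPN as well as a GUID
    if ($existing.ObjectId -contains $user.ObjectId) { continue }
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# Audit: every user with DisablePasswordExpiration set. Anything with
# InManagedGroup = False was not set through this process and should be looked at.
$managed = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId
Get-AzureADUser -All $true |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies,
        @{ Name = 'InManagedGroup'; Expression = { $managed -contains $_.ObjectId } } |
    Sort-Object InManagedGroup, UserPrincipalName |
    Format-Table -AutoSize
```

The audit at the end is the part worth scheduling: non-expiring passwords are easy to set and easy to forget, and a list that is checked against the managed group makes it obvious when someone has flipped the flag on an account outside the agreed process.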



Thanks for checking out my article. If you liked it or found it useful, that's really great. Please feel free to say hi if you bump into me at any networking events; any likes, shares or feedback on the article are really appreciated.

All the best




About the Author: michaelstephensonuk