Changing user passwords and expiry in Azure AD



We've now had users in Azure AD for a while - and here I'm talking about users created directly in Azure AD, not accounts replicated from some 'normal' AD on prem.

What we've discovered (surprisingly....) is that the passwords on these accounts expire and have to be changed (after what we think is 90 days by default - but we're not 100% sure on that).

This is an issue for some of them as they are 'service accounts' - i.e. not used by end users but by application services and interfaces. In a lot of cases we want these passwords not to change, as that is much easier to manage than having to plan and reconfigure application config every couple of months.

Not surprisingly the portal offers no facility to either reset a password to the same value or to set a password that doesn't expire - even as a global admin this functionality is not in the GUI. I suspect that as Azure AD evolves this kind of stuff may be added, but as of now it's not there.

So to make these kinds of changes you have to use PowerShell (and actually I think PowerShell is currently the only option for this).

'Show me the script' I hear you ask - if you found this page that's likely all you're really interested in - so here you go:

Install-Module -Name MSOnline

Connect-MsolService
Set-MsolUserPassword -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -ForceChangePassword $true -NewPassword passwordhere
Get-MsolUser -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -TenantId xxxx-xxxx-xxxx | Set-MsolUser -PasswordNeverExpires $true
Get-MsolUser -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -TenantId xxxx-xxxx-xxxx | Select PasswordNeverExpires

Now to expand a bit more for the people who may be interested in the details of each step.

In my case I was using PowerShell v5 - I would recommend going to that version if you haven't already, as a lot of Azure-related stuff seems very sensitive to PowerShell versions (and indeed to Azure add-on module versions).

Assuming you have PowerShell 5 and have hooked everything up, you'll be able to install the MSOnline set of cmdlets that make the changes possible - that's this line:

Install-Module -Name MSOnline

Once installed you can then connect to Azure (you'll be prompted to log in via a GUI window):

Connect-MsolService

Once logged in you can use this line to set a new password (here for the linuxtest user):

Set-MsolUserPassword -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -ForceChangePassword $true -NewPassword passwordhere

Two things to watch here. -ForceChangePassword $true means the account must change its password at the next sign-in - fine for a person, but for a service account that signs in non-interactively you want $false, otherwise the application's next login fails until somebody changes the password by hand. And the password is typed in plain text on the command line, so it ends up in the console history; for anything real, generate it inside the script or read it with Read-Host rather than pasting it into the command.

The next line sets the password never to expire:

Get-MsolUser -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -TenantId xxxx-xxxx-xxxx | Set-MsolUser -PasswordNeverExpires $true


And finally, just to confirm that the last step took effect, you can select back the password expiry flag:

Get-MsolUser -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -TenantId xxxx-xxxx-xxxx | Select PasswordNeverExpires

This is easy when you know how - but it took me a while to work out as I couldn't find a simple example of it.

Note that in most simple cases you'll only have one tenant and the -TenantId parameter can be dropped - it's just that in our case we have more than one and the default one wasn't the one I needed to work on.
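As an added example (mine, not the original post's script), here is the same procedure wrapped into a couple of functions: the password is generated inside the script rather than typed on the command line, the 'change at next logon' flag is switched off so an application can actually use the account, the PasswordNeverExpires flag is read back and checked, and a second function lists every account whose password never expires so those exceptions can be reviewed from time to time. It assumes the MSOnline module is installed and Connect-MsolService has already been run in the session; the function names, the UPN and the tenant id are placeholders.

```powershell
# Added example - not the original post's script. Assumes the MSOnline module
# is installed and Connect-MsolService has already been run in this session.
# Function names, the UPN and the tenant id below are placeholders.

function New-RandomPassword {
    # Builds a password from a 64-character alphabet using a cryptographic RNG.
    # 256 % 64 == 0, so mapping a random byte with modulo introduces no bias.
    # Azure AD wants at least 3 of 4 character classes, so regenerate until
    # lower, upper and digit are all present (24 chars makes a retry very rare).
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and $candidate -match '[0-9]')
    $candidate
}

function Set-ServiceAccountPassword {
    # Resets a cloud-only service account's password, marks it never-expiring,
    # and verifies the flag before returning the new secret as a SecureString.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$TenantId,                             # only needed with more than one tenant
        [string]$NewPassword = (New-RandomPassword)    # generated, never typed on the command line
    )
    # Same target for every MSOnline call; -TenantId is only added when supplied
    $target = @{ UserPrincipalName = $UserPrincipalName }
    if ($TenantId) { $target.TenantId = $TenantId }

    # Service accounts sign in non-interactively, so the "change password at next
    # logon" flag must be off or the application's first sign-in will fail.
    # Set-MsolUserPassword echoes the new password; discard that output.
    Set-MsolUserPassword @target -NewPassword $NewPassword -ForceChangePassword $false | Out-Null
    Set-MsolUser @target -PasswordNeverExpires $true

    # Read the flag back rather than trusting that the call succeeded
    $user = Get-MsolUser @target
    if (-not $user.PasswordNeverExpires) {
        throw "PasswordNeverExpires is still false for $UserPrincipalName"
    }

    # Hand the secret back as a SecureString so it is not left in the transcript
    ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
}

function Get-NeverExpiringAccounts {
    # Lists every user whose password never expires, with the date it was last
    # changed, so the list of exceptions can be reviewed periodically.
    param([string]$TenantId)
    $scope = @{ All = $true }
    if ($TenantId) { $scope.TenantId = $TenantId }
    Get-MsolUser @scope |
        Where-Object { $_.PasswordNeverExpires } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp, BlockCredential
}

# Usage (after Connect-MsolService). Drop -TenantId if you only have one tenant.
# $secret = Set-ServiceAccountPassword -UserPrincipalName linuxtest@yourdomain.onmicrosoft.com -TenantId xxxx-xxxx-xxxx
# Get-NeverExpiringAccounts -TenantId xxxx-xxxx-xxxx | Format-Table
```

The returned SecureString is what you then put into the application's configuration (or whatever secret store the application reads from); the plain value is never written to the console. Running Get-NeverExpiringAccounts every so often is a cheap way to spot service accounts that were made exempt from expiry and then forgotten.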

Hopefully the GUI is improved soon - and hopefully Domain Services gets moved to ARM soon too, as that is a real pain and the only part we haven't got in the new portal.
