🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Audit Password Changes in Microsoft 365

Unauthorized password changes can compromise accounts and lead to data breaches in Microsoft 365. Therefore, it's essential to regularly audit password changes and resets. This guide will help you easily track password changes, audit resets, and monitor the last password change for each user, ensuring you meet security standards and reduce risks.

Native Solution

Microsoft 365 Permission Required

High
Least Privilege

View-Only Audit Logs Role

Most Privilege

Global Admin

Option 1 Using Microsoft Purview Compliance Portal

  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, select Audit.
  • Select the date and time range.
  • Select the following operations from the Activities-friendly names drop-down and click Search.

    Reset user password, Changed user password, Set property that forces user to change password

  • Once the search is complete, you can export the password change and reset activity report.
Using Microsoft Purview Compliance Portal

Option 2 Using Microsoft Entra Admin Center

  • Sign in to the Microsoft Entra admin center.
  • To export all password resets and changes, navigate to Protection»Password reset»Activity»Audit logs.
Using Microsoft Entra Admin Center
Note: In the Entra admin center, you can audit data for a maximum period of 30 days.

Option 3 Using Windows PowerShell

  • Connect to the Exchange Online module using the below cmdlet.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the below cmdlet to audit all password changes in Microsoft 365.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate <yyyy-mm-dd> -EndDate <yyyy-mm-dd> -Operations "Change user password", "Reset user password", "Set force change user password" -ResultSize 5000 | ForEach-Object { [PSCustomObject]@{ CreationDate = $_.CreationDate; Operations = $_.Operations; "Performed On" = ($_.AuditData | ConvertFrom-Json).ObjectId; "Initiated By" = $_.UserIds } } | Format-Table
Using Windows PowerShell
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

ad
  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the All Password Changes report under Audit»Azure AD»Password changes.
Using AdminDroid

Get a single report of all audit events related to Microsoft 365 password changes in your organization. This report includes the event time, status, and identify the performer of the operation and the account on which the operation is performed.

passwordchanges-graphical-view
  • Utilize AdminDroid's detailed graphical views to identify unusual password changing trends in M365. This helps you spot potential security issues early and take proactive measures to protect your organization.
geo-map
birds-eye-chart
donut
exported-excel
pie-chart
alert
Explore a full range of reporting options

Fortify Your Security by Auditing Password Changes in Microsoft 365!

Protect your M365 accounts from potential threats. Use AdminDroid to capture all password changes, gain insights into password change patterns, and safeguard against password spraying attacks.

Witness the report in action using the

Live Demo

Important Tips

Set password expiry notifications for M365 users in advance of the expiry date to ensure they update their passwords promptly and reduce the risk of forgotten password changes.

Frequently detect password spray attacks with Microsoft 365 Defender alerts and reset the password for the respective user to update it to a stronger one if any detections occur.

Ban custom banned password policies in Microsoft 365 to enhance password security and preventing users from using weak, commonly used, or easily guessable passwords.

Azure ADEnhance Protection with Effective Password Management in Microsoft 365!

Showing 1 of 4
How to find users who frequently change their passwords in M365? How to check a user's last password change date time in Microsoft 365? How to find the password expiration policy in Microsoft 365? How to find the password expiration date in M365?

How to find users who frequently change their passwords in M365?

Identifying frequent or abnormal password changes in Microsoft 365 is essential for detecting potential security threats, such as compromised accounts or unauthorized access attempts.

In Microsoft 365, there is no direct method to set alerts for password changes, so regular monitoring of logs is necessary to identify any unusual password reset activity. Consistent oversight helps detect abnormal patterns, such as frequent changes, that could signal security threats.

Get instant alerts and detailed reports with AdminDroid whenever password changes are made!

With AdminDroid's user password changes alert, you get real-time alerts for every password change event in your organization. This ensures immediate awareness of any unusual activity, enhancing overall security without the need for manual log analysis.

Highlights of AdminDroid's alert policies

  • Customizable thresholds: Set alerts based on specific criteria, such as multiple password changes within a short timeframe.
  • Flexible scoping: Scope lets you target alerts to specific departments, locations, or user groups, rather than covering the entire organization.
  • Preview & deploy: It allows you to check and review recent potential alerts before finalizing and deploying your alert policies.
alert-policy-password-changes

How to check a user's last password change date time in Microsoft 365?

Tracking the last password change helps you identify how often users update their passwords, ensuring adherence to company password policies and preventing the use of stale passwords that could lead to security breaches.

Get last password change date time using Powershell

You can use the Get-MgUser PowerShell cmdlet to retrieve the last password change date and time information. However, retrieving the last password change for multiple users, along with other password-related metrics, requires multiple filtering processes and complicates the process.

That's why our guide steps in to help you overcome these challenges and easily check last password change date and time in M365.

Here's a quick glimpse!

  • Microsoft Entra admin center: You’ll find a clear method to locate and filter the last password change time using the Microsoft Entra Admin Center.
  • PowerShell script: This script retrieves not only the last password change date and time but also details such as the date when the password was last set, password expiry date, and days to expiry.
  • AdminDroid Azure AD reporter: With AdminDroid's "Recently Password Changed Users" report, you can view the last password change date, password expiry status, and details of recently password changed users. You can export this data to a CSV file or any preferred format.

How to find the password expiration policy in Microsoft 365?

In Microsoft 365, the default password policy defines a secure password structure, including the password validity period (90 days), password expiration notification period (14 days), and the organization’s Microsoft 365 password policy settings.

However, admins can adjust these settings according to their organization’s needs. Therefore, it’s essential to know your organization's password expiration policy to ensure timely password updates and avoid disruptions to important systems.

  • In the Microsoft 365 admin center, navigate to Settings»Org Settings.
  • Click on Password expiration policy under the Security & privacy tab.
  • Here, you view the password expiration policy of your organization.
password-policy-check-admincenter

Note: The Microsoft admin center only provides the password expiration policy. For additional details, such as password expiration notifications and users with passwords that never expire, use the PowerShell cmdlets.

Get password expiration policy using PowerShell

Run the cmdlet below to examine your organization's password expiration policy and password expiry notification days.

Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain -DomainID <Domain name> | select -Property Id, PasswordNotificationWindowInDays, PasswordValidityPeriodInDays
password-expiry-policy-domain

Use the following cmdlet to identify users users whose passwords are set to never expire.

Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{N="PasswordNeverExpires" E={$_.PasswordPolicies -contains 'DisablePasswordExpiration'}}
password_never_expire_user_powershell

Gain complete insights into your M365 password policies with AdminDroid report!

  • To get the password policies for all your domains in a single detailed report, use AdminDroid's Password Policy report.
  • This report shows details like password validity, how many users the policy applies to, how many bypass it, and the password expiration notification days for each domain.
password-policy-admindroid-report

How to find the password expiration date in M365?

By analyzing password expiry dates, you can notify users in advance to change their passwords, reducing the risk of forgotten password changes.

While the admin centers helps you retrieve the last password change date and your organization's password policy, manual calculations are necessary to determine the password expiry date. However, this can create discrepancies when some users have passwords set to never expire.

To overcome these limitations and discrepancies, our guide on how to get the password expiration date for every Microsoft 365 user stands out as a significant solution!

Here's a quick glimpse!

  • PowerShell script: In this section, a PowerShell script is provided to obtain the password expiry date, the last password change date and time, and the password expiry status for all M365 users as a CSV file.
  • AdminDroid Azure AD reporter: The "Users with Password Expiry" report shows the password expiration date, expiry status, and other password details for all Microsoft 365 users. The graphical view provides clear insights, making it easier to understand and manage password statuses.

AdminDroid Azure AD ReporterStrengthen M365 security with effective password change auditing!

Stay ahead in your security strategy by auditing password changes in Microsoft 365 using AdminDroid’s Azure AD management tool. Get a detailed record of all password changes to spot irregularities or potential threats with the help of comprehensive audit reports.

A Quick Summary

User-Friendly Interactive Password Dashboard

AdminDroid offers complete Microsoft 365 password stats that includes never expired accounts, expired passwords, and password change patterns for better oversight.

Export Password Change Reports in Various Formats

Export the report of all password changes data in PDF, CSV, HTML, XLS, XLSX, and RAW formats for seamless integration and in-depth analysis.

Automate the Monitoring of Password Expiration

Use the scheduling feature to receive reports on upcoming password expirations at specific intervals, ensuring timely resets and preventing workflow disruptions.

Find Users Who Never Changed Password

Analyzing the Password Never Changed report helps identify users with stale passwords and enforce password resets to prevent potential attacks.

Spot Unauthorized Logins with Expired Passwords

Use the advanced alerting feature to create a policy that notifies you when a user tries to log in with an expired password in an M365 account. This helps to detect unauthorized or unusual login attempts.

Delegate Password Report Monitoring to Users

AdminDroid allows you to delegate password reports to specific Microsoft 365 users, enabling them to track M365 password changes, enhancing oversight and security compliance.

With AdminDroid's Azure AD password reports, you can gain detailed insights into password changes within your organization, enhancing your ability to maintain a secure environment. Additionally, it helps you obtain:

  • Detailed password expiration dates for all Microsoft 365 users.
  • Alerts for unusual password activities and export the reports in various formats.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps While Auditing Password Changes in Microsoft 365

Below are some potential errors and troubleshooting tips you might encounter when dealing with password changes and resets.

Error: System.ArgumentException|Audit log search argument start date should be after 9/6/2014 5:13:22 AM.

This error occurs when the start date specified in the 'Search-UnifiedAuditLog' cmdlet is earlier than the minimum allowable date for audit log searches.

Troubleshooting hint :Adjust the StartDate parameter to be within limit based on the purchased subscription.

Error: Get-MgDomain : Authentication needed. Please call Connect-MgGraph.

The error occurs when you try to use the 'Get-MgDomain' cmdlet without authenticating and providing the required scope.

Troubleshooting hint :Authenticate with the required scope by running the 'Connect-MgGraph' cmdlet. 

Connect-MgGraph -Scopes 'Domain.Read.All'

Error: You can’t reset your own password because the password reset isn’t properly set up for your organization.

This error occurs when you attempt to reset the password while the self-service password reset is disabled in your organization.

Troubleshooting hint :You must contact your administrator to reset your password and check your organization’s setup.

Error: You cannot access controls on this page. If you should have permissions to view and use this page, contact your administrator.

This error occurs when users with insufficient permissions try to access audit logs in the Microsoft Purview portal.

Troubleshooting hint :To resolve the issue, ensure that the user account has the necessary permissions to access the page.