How to Check Password Expiry Date in Microsoft 365

By default, passwords are set to never expire in all Microsoft 365 organizations. However, it is advisable to change passwords regularly to bypass account compromises.

If password expiration policy is configured with certain number of days, users' passwords will expire based on their individual last password change dates.

Also, admins must note that Microsoft Entra ID has default password policies to ensure strong and complex passwords, when users reset their passwords. Admins cannot modify these default policies. However, they can ban custom passwords in Microsoft 365 to restrict users from using common passwords like company name, branch name, department name, etc.

• This report provides password policies of multiple domains in your tenant with additional insights, including the number of policy-applied users, policy bypassed users, etc.
• By utilizing the Download button, admins can effortlessly export the report in their preferred format to their local system.

An expired password may lead to an account lockout in Microsoft 365, and you cannot access your account.

Note: Users can reset their own passwords using the above method only if your organization has enabled SSPR (Self Service Password Reset) for all users.

• Sign in to Microsoft Entra admin center with a global admin account.
• Navigate to 'Password Reset' under Protection.
• Enable SSPR for 'Selected groups or All users' based on your requirements.
• You can enable self-service password reset only for one Azure AD group in the Microsoft Entra admin portal.

Also, it is essential to monitor the user’s password changes to ensure only the required user’s password is modified, preventing any unusual password changes and detect password spray attacks in your organization.

• This report provides valuable details like password changed users and result status. It help the admins to ensure only necessary password changes occur within the organization.

With AdminDroid Advanced Alerting, you can configure a threshold limit for password change activities and receive real-time notifications whenever unusual user password modifications occur in the organization.

Setting up password expiration notifications in Microsoft 365 can prompt users to update their passwords before facing account lockouts.

Microsoft no longer supports password expiration notifications. Finding a workaround using the native solution is complicated and requires technical expertise. Also, it involves manual application addition, API permission assignment, certificate creation, client secret management, and script execution.

• Also, you can utilize AdminDroid's 'Soon To Password Expire Users' report that helps to find the list of all Microsoft 365 users whose passwords are about to expire soon.
• It helps admins to prioritize these users for timely password expiry notifications.

This report includes user’s details such as UPN, Office 365 password expiration date, password expiration duration, last password change date, user sign-in status, license status, etc.

Password expiration policy would be useful to improve the security of Microsoft 365 users’ accounts. However, organizations may need some crucial accounts with set passwords to never expire status.

You can set password to never expire in Microsoft 365 for single user using the below Graph PowerShell cmdlet:

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"

Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration

Also, it is equally important to monitor accounts with passwords set to never expire, ensuring the security of these crucial accounts.

You can get all the users with password set to never expire using the below PowerShell cmdlet:

Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserprincipalName,@{N="PasswordNeverExpires"; E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

However, Graph PowerShell methods require a technical understanding to get in-depth details of the users’ password expiry statuses and users with never expire passwords.

• This report provides extensive details like last password changed date, admin roles, user added time and helps you to ensure only required users are configured with password never expires.

PRO TIP: You can directly email any of the reports in the required format from the report page itself, by clicking the mail icon (✉).

Password expiry date in Microsoft 365 is not directly accessible since it depends on the number of days configured in the domain password policy. Also, the countdown to password expiration starts from the last time a user changed their password. Each user may have a different expiration date based on their individual password change history.

Therefore, to check the password expiration date in Office 365, manual calculation is required by comparing the days in the password expiration policy with the individual user's last password change date.

You can get password validity period of your organization’s password policy using the below PowerShell cmdlet.

Get-MgDomain -DomainID "<Domain name>" | select -Property Id, PasswordValidityPeriodInDays

You can find last password changed date in Office 365 using the Graph PowerShell cmdlet below.

Get-MgUser -All -Property DisplayName,lastPasswordChangeDateTime | select DisplayName,lastPasswordChangeDateTime

Additionally, you can check the leaked credential report in Microsoft Entra ID to validate the current security measures of user account passwords. It also helps you to identify and address any potential vulnerabilities or compromised credentials promptly.

This report includes other necessary details such as the user’s last password changed date, password expiry status, etc.

PRO TIP: You can sort the report data in ascending or descending order by simply clicking the column heading. Here, you can click on 'Password Expiry Date' to arrange the data in ascending order to identify the users with earliest password expiration date.