Password expiry notifications are vital to keep your Microsoft 365 accounts secure. Alerting users of soon-to-expire passwords is another way to reduce the number of account lockouts and promote strong, unique password creation. This article outlines how to create a Microsoft Graph PowerShell script that automatically sends out email warnings to users when their Office 365 passwords are about to expire.
A password expiry notification email is a message sent to a user when their password is about to expire. The email typically includes information about the expiration date and instructions on how to change the password. Password expiry notification emails are an essential tool for organizations that want to ensure that their users change their passwords regularly and keep their accounts secure.
Because password expiration notifications are no longer supported in the Microsoft 365 admin center (maybe because Microsoft recommends disabling password expiration!), we must implement a Windows PowerShell script-based solution. To create a Microsoft Graph PowerShell script for Office 365 password expiration notifications, follow these steps:
Prerequisites: Install the Microsoft Graph PowerShell module. You need the Microsoft Graph PowerShell module installed on your computer. Use: Install-Module Microsoft.Graph
Use this PowerShell script to send out an Email reminder to all users whose password is expiring:
This script will prompt for login credentials and iterate through all users in your organization, calculate the password expiration date, and send an email notification to users whose passwords will expire within the specified threshold (7 days, in our case). You can modify the $NotificationThreshold variable to adjust the number of days before the password expires when notifications are sent.
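The flow described above, written out as an added example (it is not the article's original script). The sender address and the 90-day maximum password age are assumptions to replace with your own values, and the app-only connection shown in a comment uses placeholder IDs for the unattended scenario.

```powershell
# Added example; values marked "placeholder" or "assumed" are not from the article.
$NotificationThreshold = 7                        # days before expiry to start notifying
$MaxPasswordAgeDays    = 90                       # assumed tenant policy; set to your own value
$Sender                = 'admin@contoso.example'  # placeholder sender mailbox

# Interactive sign-in. For the unattended scenario, connect with the App ID instead:
# Connect-MgGraph -ClientId '<app-id>' -TenantId '<tenant-id>' -CertificateThumbprint '<thumbprint>'
Connect-MgGraph -Scopes 'User.Read.All', 'Mail.Send'

$props = 'id', 'displayName', 'mail', 'userPrincipalName', 'userType',
         'accountEnabled', 'passwordPolicies', 'lastPasswordChangeDateTime'
$users = Get-MgUser -All -Property $props | Where-Object { $_.UserType -eq 'Member' }

$now = (Get-Date).ToUniversalTime()
foreach ($user in $users) {
    # Skip disabled accounts, accounts without a mailbox, and users exempt from expiry
    if (-not $user.AccountEnabled -or -not $user.Mail) { continue }
    if ($user.PasswordPolicies -match 'DisablePasswordExpiration') { continue }
    if (-not $user.LastPasswordChangeDateTime) { continue }

    $expiresOn = $user.LastPasswordChangeDateTime.ToUniversalTime().AddDays($MaxPasswordAgeDays)
    $daysLeft  = [math]::Floor(($expiresOn - $now).TotalDays)

    # Only notify users whose password is still valid but inside the threshold window
    if ($daysLeft -lt 0 -or $daysLeft -gt $NotificationThreshold) { continue }

    # Plain-text body without links, so the notice is harder to confuse with phishing
    $message = @{
        Message = @{
            Subject      = "Your password expires in $daysLeft day(s)"
            Body         = @{
                ContentType = 'Text'
                Content     = "Hello $($user.DisplayName),`n`nYour Microsoft 365 password expires on " +
                              "$($expiresOn.ToString('yyyy-MM-dd')) (UTC). Please change it before then."
            }
            ToRecipients = @(@{ EmailAddress = @{ Address = $user.Mail } })
        }
        SaveToSentItems = $false
    }
    Send-MgUserMail -UserId $Sender -BodyParameter $message
    Write-Output "Notified $($user.UserPrincipalName): $daysLeft day(s) left"
}

Disconnect-MgGraph | Out-Null
```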
For an unattended automated scenario, follow these steps:
Create an app ID in Azure AD to connect with Microsoft Graph (see "How to Connect to the Microsoft Graph PowerShell module?"). Make sure you grant “User.Read.All” and “Mail.Send” permissions to the App ID.
Once ready with the App ID, update this PowerShell script’s parameters section. Here is how this script works:
This script could be a huge productivity saver. Without proper notifications, users may be caught off-guard when their passwords expire, leading to account lockouts and disruptions in productivity. These emails will notify users that their password is about to expire and that they should change it to avoid any disruption.
You can create an automated system for sending password expiration notification emails to your Office 365 users: schedule the PowerShell script using Windows Task Scheduler, or automate the PowerShell execution with an Azure Runbook.
By following our step-by-step instructions, you will be able to help users stay informed about their password expiration dates and maintain secure access to their Office 365 accounts.
Here are some best practices that organizations should follow when implementing password expiry notification emails:
By using the Microsoft Graph PowerShell script for O365 password expiration notifications, you can schedule reminders so that users change their passwords before they expire. This proactive approach keeps users in the loop about when their passwords expire, which will decrease account lockouts and maintain a more secure environment for your organization. This solution enhances your organization’s security and maintains smooth access to Office 365 resources, promoting safety for all users.
How to set the Office 365 account password to never expire?
To set the password to never expire for Office 365 user accounts, you can use the Azure Active Directory PowerShell or Microsoft Graph API PowerShell cmdlets. You can also disable the password expiration for your organization through the password expiration policy in Office 365 Admin Center (Settings >> then click “Org settings” >> “Security & Privacy” >> Select Password Expiration Policy >> Check the box next to “Set user passwords to never expire”).
More info: Disable password expiration in Office 365
Password expiration notifications are no longer supported in Microsoft 365! So, you must set up your own workaround to send users password expiration emails.
What is the default password expiration time in Office 365?
90 days from the last password change date (it’s disabled by default). However, a Global Admin can configure the password expiry duration to meet the organization’s security requirements through the Office 365 Admin Center or PowerShell.
What happens when the O365 password expires?
When an Office 365 current password expires, the user will be prompted to change it the next time they sign in. If the user ignores the prompt after the actual expiration date and does not change their password, they will be locked out of their account until they reset their password (and the technical support at admin level can unlock it). However, Microsoft Office applications like Outlook may continue to work until the password expires in the cache.
Is password expiration no longer recommended?
Yes! Password expiration is no longer recommended as a security measure, as it does more harm than good. Changing passwords every 90 days could leave exposed weak/old passwords usable by hackers/scammers/cybercriminals for up to three months, and it is far better to require strong passwords and use multi-factor authentication.