Managing password expirations is crucial for maintaining the security of your Microsoft 365 environment. In this article, we'll provide a Graph PowerShell script to check for users with expired passwords, explain how the script works, explore ways to enhance it, discuss possible errors and their solutions, and wrap up with a conclusion.
Here's the Graph PowerShell script to identify users with expired passwords in Microsoft 365:
# Connect to Microsoft Graph; User.Read.All is sufficient to read the password-change timestamp
Connect-MgGraph -Scopes "User.Read.All"
# Get all users with the properties the report needs.
# LastPasswordChangeDateTime is a property of the user object itself (it is not part of SignInActivity)
$users = Get-MgUser -All -Property "DisplayName,UserPrincipalName,PasswordPolicies,AccountEnabled,LastPasswordChangeDateTime"
# Filter users with expired passwords: last change older than 90 days.
# Users with no recorded change date are skipped, because $null compares as "older than" the cutoff and would all be listed
$cutoff = (Get-Date).AddDays(-90)
$expiredPasswordUsers = $users | Where-Object { $_.LastPasswordChangeDateTime -and $_.LastPasswordChangeDateTime -lt $cutoff }
# Display the users with expired passwords
$expiredPasswordUsers | Select-Object DisplayName, UserPrincipalName, AccountEnabled, PasswordPolicies, @{Name="LastPasswordChange";Expression={$_.LastPasswordChangeDateTime}}
# Disconnect from Microsoft Graph
Disconnect-MgGraph
The script first connects to Microsoft Graph using the Connect-MgGraph cmdlet. The scope "User.Read.All" is required to read user information. The Get-MgUser cmdlet then retrieves all users in the tenant along with the relevant properties such as DisplayName, UserPrincipalName, PasswordPolicies, AccountEnabled and LastPasswordChangeDateTime. LastPasswordChangeDateTime is a property of the user object itself rather than of SignInActivity, so the filter should read it directly from the user. The Where-Object cmdlet filters out users whose passwords have expired; this is determined by checking whether LastPasswordChangeDateTime is older than 90 days from the current date. The matching users are displayed using the Select-Object cmdlet, and the script finally signs out with the Disconnect-MgGraph cmdlet.
Note: Modify 90 days to suit your tenant's password expiration policy. Users whose PasswordPolicies contain DisablePasswordExpiration are exempt from expiry but still match a plain date check, so exclude them if your tenant sets that flag.
The script can be further enhanced in several ways. Here is an enhanced version of the script with customizable expiration period and basic error handling:
param (
[int]$ExpirationDays = 90
)
try {
# Connect to Microsoft Graph; -ErrorAction Stop turns a failed connection into a terminating error so the catch block runs
Connect-MgGraph -Scopes "User.Read.All" -ErrorAction Stop
# Get all users; LastPasswordChangeDateTime is a property of the user object itself
$users = Get-MgUser -All -Property "DisplayName,UserPrincipalName,PasswordPolicies,AccountEnabled,LastPasswordChangeDateTime" -ErrorAction Stop
# Filter users with expired passwords, skipping users with no recorded change date ($null would compare as older than the cutoff)
$cutoff = (Get-Date).AddDays(-$ExpirationDays)
$expiredPasswordUsers = $users | Where-Object { $_.LastPasswordChangeDateTime -and $_.LastPasswordChangeDateTime -lt $cutoff }
# Display the users with expired passwords
$expiredPasswordUsers | Select-Object DisplayName, UserPrincipalName, AccountEnabled, PasswordPolicies, @{Name="LastPasswordChange";Expression={$_.LastPasswordChangeDateTime}}
}
catch {
Write-Error "An error occurred: $_"
}
finally {
# Disconnect from Microsoft Graph; ignore the error raised when there was no session to sign out of
Disconnect-MgGraph -ErrorAction SilentlyContinue
}
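As an added example that is not part of the original article, the following PowerShell builds on the enhancement idea above: it moves the expired-password check into a reusable function that also honours the DisablePasswordExpiration flag in PasswordPolicies, reports users with no recorded change date instead of miscounting them, and writes each run to a dated CSV. The function name Get-PasswordExpiryReport and the sample users are assumptions made for this example; it runs offline on constructed data, and real objects from Get-MgUser can be piped in the same way.

```powershell
# Added example (not from the original article): classify users by password age while honouring the
# per-user DisablePasswordExpiration policy flag and tolerating a missing change date.
# Get-PasswordExpiryReport is a hypothetical helper name. It takes objects shaped like Get-MgUser output
# (DisplayName, UserPrincipalName, AccountEnabled, PasswordPolicies, LastPasswordChangeDateTime),
# so it runs offline on constructed data here and can be fed real users later.
function Get-PasswordExpiryReport {
    param (
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$ExpirationDays = 90,
        [datetime]$Now = (Get-Date)
    )
    process {
        $cutoff = $Now.AddDays(-$ExpirationDays)
        $lastChange = $User.LastPasswordChangeDateTime
        # PasswordPolicies is a comma-separated string such as "DisablePasswordExpiration" or "None"
        if ("$($User.PasswordPolicies)" -match 'DisablePasswordExpiration') { $status = 'NeverExpires' }
        elseif (-not $lastChange) { $status = 'Unknown' }   # no timestamp: report it, do not assume expired
        elseif ($lastChange -lt $cutoff) { $status = 'Expired' }
        else { $status = 'Current' }
        $ageDays = if ($lastChange) { [int]($Now - $lastChange).TotalDays } else { $null }
        [pscustomobject]@{
            DisplayName        = $User.DisplayName
            UserPrincipalName  = $User.UserPrincipalName
            AccountEnabled     = $User.AccountEnabled
            LastPasswordChange = $lastChange
            PasswordAgeDays    = $ageDays
            Status             = $status
        }
    }
}

# Constructed sample users standing in for Get-MgUser output (example.com is a placeholder domain)
$now = Get-Date '2024-06-01'
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Alice'; UserPrincipalName = 'alice@example.com'; AccountEnabled = $true;  PasswordPolicies = $null;                       LastPasswordChangeDateTime = $now.AddDays(-120) }
    [pscustomobject]@{ DisplayName = 'Bob';   UserPrincipalName = 'bob@example.com';   AccountEnabled = $true;  PasswordPolicies = 'DisablePasswordExpiration'; LastPasswordChangeDateTime = $now.AddDays(-400) }
    [pscustomobject]@{ DisplayName = 'Carol'; UserPrincipalName = 'carol@example.com'; AccountEnabled = $false; PasswordPolicies = $null;                       LastPasswordChangeDateTime = $null }
    [pscustomobject]@{ DisplayName = 'Dave';  UserPrincipalName = 'dave@example.com';  AccountEnabled = $true;  PasswordPolicies = 'None';                      LastPasswordChangeDateTime = $now.AddDays(-10) }
)

$report = $sampleUsers | Get-PasswordExpiryReport -ExpirationDays 90 -Now $now
$report | Format-Table -AutoSize
# Persist each run as a dated CSV so results can be compared over time (the logging enhancement)
$report | Where-Object Status -eq 'Expired' |
    Export-Csv -Path "ExpiredPasswords-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

To run it against the tenant, replace $sampleUsers with the output of the Get-MgUser call shown earlier and drop the -Now argument so the current date is used.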
Error: Connect-MgGraph : A positional parameter cannot be found that accepts argument 'User.Read.All'.
Solution: Ensure you have the Microsoft.Graph module installed and updated. You can install or update it using:
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Update-Module Microsoft.Graph
Error: Get-MgUser : Insufficient privileges to complete the operation.
Solution: Make sure your account has the necessary permissions to read user information. You may need to consent to the required permissions or contact your admin to grant the appropriate roles.
Error: An error occurred: <error message>
Solution: The script includes basic error handling using a try-catch-finally block. Ensure that the finally block correctly disconnects from Microsoft Graph even if an error occurs. Review the error message for specific details and troubleshoot accordingly.
Regularly checking for password expirations is a vital part of maintaining a secure Microsoft 365 environment. The provided Graph PowerShell script enables you to efficiently identify users with expired passwords. By enhancing the script with additional features such as customizable expiration periods, email notifications, and logging, you can make it even more powerful and user-friendly. Additionally, handling possible errors effectively ensures smooth script execution and minimizes disruptions.
© m365corner.com. All Rights Reserved.