M365 Users Who Haven’t Changed Password in the Last 90 Days

Keeping track of users whose passwords have not been updated is a routine task for anyone administering a tenant. Password policies often enforce regular rotation, but not every account follows through, and stale credentials are a common finding in audits. This article walks through a short Microsoft Graph PowerShell script that lists M365 users who have not changed their password in the last 90 days. With it, administrators can monitor password age across the tenant, report on it, and feed the results into whatever enforcement their policy calls for.

The Script

# Connect with a read-only directory scope (Microsoft Graph PowerShell SDK must be installed)
Connect-MgGraph -Scopes "User.Read.All"

# Define the time threshold for 90 days ago
$daysAgo = (Get-Date).AddDays(-90)

# Fetch all member users with their password change dates and other required properties.
# Guests authenticate in their home tenant, so their password age is not something this tenant tracks.
# LastPasswordChangeDateTime is not returned by default, so it must be requested with -Property.
$users = Get-MgUser -All -Filter "userType eq 'Member'" -Property DisplayName, UserPrincipalName, LastPasswordChangeDateTime, Mail, AccountEnabled

# Filter users who have not changed their password in the last 90 days.
# Accounts with no LastPasswordChangeDateTime are excluded explicitly: PowerShell treats $null as
# less than any date, so a plain "-lt $daysAgo" would silently report them as stale.
$stalePasswordUsers = $users | Where-Object {
    $null -ne $_.LastPasswordChangeDateTime -and $_.LastPasswordChangeDateTime -lt $daysAgo
}

# Create output table (trailing commas continue the property list onto the next line)
$stalePasswordUsers | Select-Object `
    DisplayName,
    UserPrincipalName,
    @{Name="Password Last Changed"; Expression={ $_.LastPasswordChangeDateTime }},
    Mail | Format-Table -AutoSize

How the Script Works

  • Time Threshold Calculation: The first step is to define the date 90 days before today by calling the DateTime object's AddDays(-90) method on the value returned by Get-Date.
  • Fetching Users from Microsoft Entra ID (formerly Azure AD): The script uses the Get-MgUser cmdlet to fetch all users along with their DisplayName, UserPrincipalName, LastPasswordChangeDateTime, and Mail properties. The -Property parameter matters here: Get-MgUser returns only a small default set of properties, and LastPasswordChangeDateTime is not among them.
  • Filtering Users: The script keeps the users whose LastPasswordChangeDateTime is older than the threshold using the Where-Object cmdlet.
  • Displaying Results: Finally, the script formats the filtered list into a table displaying DisplayName, UserPrincipalName, Password Last Changed, and Mail.
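The filtering step is where the script is most likely to mislead you, so here is an added example (not from the original article) that turns it into a reusable function and classifies every account rather than just filtering. It runs offline against constructed sample objects; in a real tenant you would pass the output of Get-MgUser -All -Property DisplayName,UserPrincipalName,UserType,AccountEnabled,LastPasswordChangeDateTime,Mail instead. The user names and dates are hypothetical.

```powershell
# Added example: password-age classification that handles accounts with no
# LastPasswordChangeDateTime and excludes guest accounts. Not code from the original article.

function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # Get-MgUser output or equivalent objects
        [int]      $MaxAgeDays = 90,
        [datetime] $Now        = (Get-Date)         # injectable so results are reproducible
    )
    $threshold = $Now.AddDays(-$MaxAgeDays)
    foreach ($u in $Users) {
        # Guests authenticate in their home tenant; their password age is not ours to track.
        if ($u.UserType -eq 'Guest') { continue }

        $changed = $u.LastPasswordChangeDateTime
        # PowerShell compares $null as less than any date, so "$null -lt $threshold" is True and a
        # plain Where-Object filter would report these accounts as stale. Classify them explicitly.
        if ($null -eq $changed) {
            $status = 'NoPasswordChangeRecorded'
            $age    = $null
        } else {
            $age    = [int][math]::Floor(($Now - $changed).TotalDays)
            $status = if ($changed -lt $threshold) { 'Stale' } else { 'Current' }
        }
        [pscustomobject]@{
            DisplayName         = $u.DisplayName
            UserPrincipalName   = $u.UserPrincipalName
            AccountEnabled      = $u.AccountEnabled
            PasswordLastChanged = $changed
            PasswordAgeDays     = $age
            Status              = $status
        }
    }
}

# Constructed sample data (hypothetical users, not real tenant output).
$now = Get-Date '2024-06-01'
$sampleUsers = @(
    [pscustomobject]@{ DisplayName='Alice Example'; UserPrincipalName='alice@contoso.example';      UserType='Member'; AccountEnabled=$true; LastPasswordChangeDateTime=$now.AddDays(-10);  Mail='alice@contoso.example' }
    [pscustomobject]@{ DisplayName='Bob Example';   UserPrincipalName='bob@contoso.example';        UserType='Member'; AccountEnabled=$true; LastPasswordChangeDateTime=$now.AddDays(-120); Mail='bob@contoso.example' }
    [pscustomobject]@{ DisplayName='Svc Backup';    UserPrincipalName='svc-backup@contoso.example'; UserType='Member'; AccountEnabled=$true; LastPasswordChangeDateTime=$null;              Mail=$null }
    [pscustomobject]@{ DisplayName='Guest Partner'; UserPrincipalName='partner_fabrikam.example#EXT#@contoso.example'; UserType='Guest'; AccountEnabled=$true; LastPasswordChangeDateTime=$null; Mail='partner@fabrikam.example' }
)

$report = Get-PasswordAgeReport -Users $sampleUsers -MaxAgeDays 90 -Now $now
$report | Sort-Object Status, PasswordAgeDays -Descending | Format-Table -AutoSize
# Alice -> Current (10 days), Bob -> Stale (120 days), Svc Backup -> NoPasswordChangeRecorded, guest omitted.

# The 'Stale' subset is what the article's script reports, now without the null false positives:
$stale = $report | Where-Object Status -eq 'Stale'
```

Reporting the NoPasswordChangeRecorded accounts separately rather than dropping them is deliberate: service and shared accounts without a recorded change are exactly the ones a reviewer wants to look at, but they should not be mixed into a list that may later drive reminders or lockouts.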

Further Enhancements

  • Export to CSV: Administrators can export the results to a CSV file for further analysis or reporting:

    $stalePasswordUsers | Select-Object DisplayName, UserPrincipalName, @{Name="Password Last Changed"; Expression={ $_.LastPasswordChangeDateTime }}, Mail | Export-Csv -Path "C:\StalePasswordUsers.csv" -NoTypeInformation

  • Email Notification: Automatically send email notifications to users whose passwords are older than 90 days, reminding them to update their passwords. Send-MailMessage requires a -From address, and accounts with no Mail value must be skipped or the cmdlet will fail on them. Note that Send-MailMessage is marked obsolete by Microsoft because it cannot guarantee a secure connection to the SMTP server; for a tenant that already uses Graph, Send-MgUserMail (with the Mail.Send scope) is the supported alternative.

    foreach ($user in ($stalePasswordUsers | Where-Object { $_.Mail })) {   # skip accounts with no mailbox
        Send-MailMessage -From "it-notifications@yourdomain.com" -To $user.Mail -Subject "Password Update Reminder" -Body "Dear $($user.DisplayName), your password is more than 90 days old. Please update it." -SmtpServer "smtp.yourdomain.com"
    }

  • Integrating with Password Policy Enforcement: This script can be combined with existing password policy enforcement scripts to automatically flag or disable accounts whose passwords have not been updated within a specific period. Any automated lockout should exclude break-glass and service accounts and be run in a dry-run mode first.
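The notification and enforcement enhancements above fit naturally into one tiered action, shown here as an added example that is not part of the original article. It assumes $stalePasswordUsers comes from the script above (Get-MgUser objects, which carry Id alongside the selected properties), a Graph session that also holds the Mail.Send and User.ReadWrite.All scopes, and a hypothetical sender mailbox it-notifications@contoso.example; the 90/180-day tiers and the break-glass UPN are assumptions you would replace with your own policy. Send-MgUserMail is used for the reminder instead of the obsolete Send-MailMessage.

```powershell
# Added example: tiered handling of stale-password accounts with a dry-run mode.
# Not code from the original article. Requires Microsoft.Graph.Users,
# Microsoft.Graph.Users.Actions and a session with User.ReadWrite.All + Mail.Send.

function Invoke-StalePasswordAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Users,        # e.g. $stalePasswordUsers from the article's script
        [Parameter(Mandatory)] [string]   $SenderUpn,    # mailbox the reminder is sent from (assumed)
        [int]      $RemindAfterDays  = 90,               # soft tier: email reminder (assumed threshold)
        [int]      $DisableAfterDays = 180,              # hard tier: disable + revoke sessions (assumed threshold)
        [string[]] $ExcludedUpns     = @()               # break-glass / service accounts never touched
    )
    $now = Get-Date
    foreach ($u in $Users) {
        if ($ExcludedUpns -contains $u.UserPrincipalName) { continue }
        # Nothing to measure for these; report them separately rather than acting on them.
        if ($null -eq $u.LastPasswordChangeDateTime) { continue }

        $age = [int]($now - $u.LastPasswordChangeDateTime).TotalDays

        if ($age -ge $DisableAfterDays) {
            # Hard tier. With -WhatIf on the caller, ShouldProcess only prints what would happen.
            if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Disable account (password age $age days)")) {
                Update-MgUser -UserId $u.Id -AccountEnabled:$false
                # Revoke refresh tokens so existing sessions stop working, not just new sign-ins.
                Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
            }
        }
        elseif ($age -ge $RemindAfterDays -and $u.Mail) {
            # Soft tier: Graph sendMail from the notification mailbox (needs Mail.Send).
            $daysLeft = $DisableAfterDays - $age
            $body = @{
                message = @{
                    subject      = "Action required: your password is $age days old"
                    body         = @{
                        contentType = 'Text'
                        content     = "Dear $($u.DisplayName), your password was last changed $age days ago. Please change it within $daysLeft days to avoid your account being disabled."
                    }
                    toRecipients = @(@{ emailAddress = @{ address = $u.Mail } })
                }
                saveToSentItems = $false
            }
            if ($PSCmdlet.ShouldProcess($u.Mail, "Send password reminder")) {
                Send-MgUserMail -UserId $SenderUpn -BodyParameter $body
            }
        }
    }
}

# Always dry-run first: -WhatIf prints every intended disable and email without changing anything.
Invoke-StalePasswordAction -Users $stalePasswordUsers -SenderUpn 'it-notifications@contoso.example' `
    -ExcludedUpns 'breakglass@contoso.example' -WhatIf

# Then, once the dry-run output has been reviewed:
# Invoke-StalePasswordAction -Users $stalePasswordUsers -SenderUpn 'it-notifications@contoso.example' `
#     -ExcludedUpns 'breakglass@contoso.example'
```

Two design points: disabling without revoking sessions leaves existing tokens valid until they expire, which is why the hard tier calls Revoke-MgUserSignInSession as well; and an exclusion list for break-glass accounts is not optional, since an enforcement job that disables the emergency admin because its password is old is a self-inflicted outage.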

Possible Errors & Solutions

Insufficient Permissions Error
  Cause: The signed-in account or application lacks the permission to read user data.
  Solution: Connect with Connect-MgGraph -Scopes "User.Read.All" (or Directory.Read.All) and make sure the scope has been consented to in Microsoft Entra ID. Reading directory objects needs a Graph permission, not just an admin role.

Empty Results or Empty "Password Last Changed" Values
  Cause: Get-MgUser does not return LastPasswordChangeDateTime unless it is requested explicitly, so a query without -Property shows the column empty for everyone. Some accounts, guest users in particular, genuinely have no value because their password is managed in another tenant.
  Solution: Always include LastPasswordChangeDateTime in -Property. Exclude null values from the comparison (PowerShell treats $null as less than any date, which would otherwise list those accounts as stale) and review service and privileged accounts separately, since they may be exempt from the standard password policy.

PowerShell Session Timeout or Slow Queries
  Cause: Reading every user in a large tenant with all properties takes a long time and may outlive the access token.
  Solution: -All already pages through results for you; reduce the working set with a server-side -Filter (for example userType eq 'Member' or accountEnabled eq true), request only the properties you need, and use -PageSize 999 so fewer round trips are made. If the token expires mid-run, reconnect with Connect-MgGraph and rerun.

Conclusion

Tracking users who have not changed their passwords within the last 90 days is a practical way to keep password policy honest in M365 environments. The Graph PowerShell script provided here is a simple yet effective way to stay on top of password age across your organization, and it can be extended with CSV export, email notifications, or automated enforcement. Make sure the session has the required permissions, request LastPasswordChangeDateTime explicitly, and treat accounts with no recorded change as a separate review item rather than as stale.

By implementing this script, you’ll have greater control over user password hygiene, improving the overall security of your M365 tenant.

© m365corner.com. All Rights Reserved.