How to: Office 365 password policy management with PowerShell
The PowerShell scripts given below can be used for Office 365 password policy management. ADSelfService Plus, the Active Directory self-service password management and single sign-on solution, provides advanced password policy settings that could be applied for both on-premises and cloud applications including Office 365, G Suite, etc. By integrating Active Directory with Office 365, ADSelfService Plus helps IT admins apply one custom password policy for users Office 365 and Windows Azure AD cloud accounts.
The following is a comparison between password policy management in Office 365 with Windows PowerShell and ADSelfService Plus:
- Modify the password policy for Office 365 users
Using PowerShell, only the maximum password age can be modified. Other password policy settings cannot be managed using PowerShell.
Set-MsolPasswordPolicy -DomainName <Domain Name> –ValidityPeriod <Number Of Days>
- Set the password to never expired for Office 365 users
Set-msoluser –UserPrincipalName <UserPrincipalName> -PasswordNeverExpires $True
With ADSelfService Plus
- Configure a custom password policy for Office 365 accounts via the Password Policy Enforcer
- Go to ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- Configure the required advanced password policy settings.
- Click Save.
- Configure password expiration alerts via SMS, email, and push notifications
- Go to Configuration > Password Expiration Notifier.
- Enter the Scheduler Name and select the Notification Type.
- Select the domains, OUs, or groups for which you want to send alerts.
- From the Notify via drop-down, select the medium (SMS and/or email) through which you want to send notifications.
- Set the Schedule Time and configure the Notification Frequency as:
- Click Save.
What are the limitations of managing password policies in Office 365 via PowerShell?
- The Office 365 administrator cannot configure password policy parameters like enforcing password history, minimum password length, or ensuring password complexity.
- No support for self-service password reset portal without Azure AD premium subscription.
- No support to remind Office 365 users via email and SMS before their password expires.
- Password self-service:
Allows users to perform self-service password reset on their Active Directory and Office 365 accounts.
- Improves IT security:
Provides advanced multi-factor authentication including biometrics and QR-code authentication self-service password reset.
- Universal enforcement
Admins can enforce custom password management capabilities for users' Office 365 accounts.
- Improves the user experience
Allows users to reset Office 365 passwords from a secure web-portal, from anywhere, at any time.