Set an individual user's password to never expire
This article explains how to set a password for an individual user to not expire. You have to complete these steps using PowerShell.
Before you begin
This article is for people who set password expiration policy for a business, school, or nonprofit. You must be a global admin or password administrator to perform these steps.
You can use the Microsoft cloud service Microsoft Graph PowerShell to set passwords not to expire for specific users, remove the never-expire configuration, or see which users' passwords are set to never expire.
This guide applies to other providers, such as Intune and Microsoft 365, which also rely on Microsoft Entra ID for identity and directory services. Password expiration is the only part of the policy that can be changed.
How to check the expiration policy for a password
Use the Connect-MgGraph command to sign in with the required scopes. You need to sign in with an admin account to consent to the required scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"
The command prompts you to go to a web page to sign in using a device code. Once you've done that, the command indicates success with a Welcome To Microsoft Graph! message. You only need to sign in once per session.
Run one of the following commands:
To see if a single user's password is set to never expire, run the following cmdlet by using the UPN (for example, user@example.com) or the user ID of the user you want to check:
Get-MgUser -UserId <user id or UPN> -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} }
Example:
Get-MgUser -UserId "user@example.com" -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} }
To see the Password never expires setting for all users, run the following cmdlet:
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} }
To save an HTML report of the PasswordNeverExpires setting for all users to the current user's desktop as ReportPasswordNeverExpires.html, run the following cmdlet:
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} } | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html
To save a CSV report of the PasswordNeverExpires setting for all users to the current user's desktop as ReportPasswordNeverExpires.csv, run the following cmdlet:
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{ N="PasswordNeverExpires";E={$_.PasswordPolicies -match "DisablePasswordExpiration"} } | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
Set a password to never expire
Run one of the following commands:
To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:
Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration
To set the passwords of all the users in an organization to never expire, run the following cmdlet:
Get-MgUser -All | Update-MgUser -PasswordPolicies DisablePasswordExpiration
Warning
User accounts configured with the -PasswordPolicies DisablePasswordExpiration parameter still age based on the pwdLastSet attribute. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
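Before switching accounts to -PasswordPolicies None, it helps to know which users the warning above applies to. The following PowerShell is an added example, not part of the original article: it lists never-expire accounts whose last password change is older than 90 days. The function name Get-StaleNeverExpireUser and the sample objects are made up for illustration, and it assumes the Graph LastPasswordChangeDateTime property reflects the pwdLastSet age that the warning describes.

```powershell
function Get-StaleNeverExpireUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 90,                 # threshold named in the warning
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        # PasswordPolicies is one string that can list several policies,
        # e.g. "DisablePasswordExpiration, DisableStrongPassword", or be empty.
        $policies = @("$($User.PasswordPolicies)" -split '\s*,\s*' | Where-Object { $_ })
        if ($policies -notcontains 'DisablePasswordExpiration') { return }

        $last = $User.LastPasswordChangeDateTime
        $age  = $null
        if ($null -ne $last) {
            $age = [math]::Floor(($Now - [datetime]$last).TotalDays)
        }

        # Accounts with no recorded change date are listed too, for manual review.
        if ($null -eq $age -or $age -gt $MaxAgeDays) {
            [pscustomobject]@{
                UserPrincipalName  = $User.UserPrincipalName
                LastPasswordChange = $last
                PasswordAgeDays    = $age
            }
        }
    }
}

# Constructed sample objects (not real accounts) so the function runs offline.
$asOf   = [datetime]'2025-01-01'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'a@example.com'; PasswordPolicies = 'DisablePasswordExpiration'
                       LastPasswordChangeDateTime = [datetime]'2024-03-01' }
    [pscustomobject]@{ UserPrincipalName = 'b@example.com'; PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'
                       LastPasswordChangeDateTime = [datetime]'2024-12-15' }
    [pscustomobject]@{ UserPrincipalName = 'c@example.com'; PasswordPolicies = 'None'
                       LastPasswordChangeDateTime = [datetime]'2023-06-01' }
    [pscustomobject]@{ UserPrincipalName = 'd@example.com'; PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'
                       LastPasswordChangeDateTime = [datetime]'2024-01-10' }
)
$sample | Get-StaleNeverExpireUser -Now $asOf | Format-Table

# Against the tenant, in a session already opened with Connect-MgGraph:
# Get-MgUser -All -Property UserPrincipalName,PasswordPolicies,LastPasswordChangeDateTime |
#     Get-StaleNeverExpireUser
```

The users this returns are the ones who would be asked for a new password at their next sign-in, so the list can be used to notify them or to stage the change in batches.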
Set a password to expire
Run one of the following commands:
To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:
Update-MgUser -UserId <user ID> -PasswordPolicies None
To set the passwords of all users in the organization so that they expire, use the following cmdlet:
Get-MgUser -All | Update-MgUser -PasswordPolicies None
Related content
Let users reset their own passwords (article)
Reset passwords (article)
Set the password expiration policy for your organization (article)