Identifying Azure Users with Non-Compliant Password Expiration Settings

Many organizations have a security requirement that user passwords must expire and be changed after a certain period. Here is how you can find Azure users with non-compliant password settings.

Patrick Londa
Jun 9, 2022
 min read
Share this post

Many organizations use a strict password policy to ensure that no bad actors gain unauthorized access to their information systems.

For this reason, companies set rules for password creation, such as the format of the password and expiry. The latter sets the expiration date for user passwords, after which they must change their password or won't be able to access the system. Users with higher-level access may be able to change their password policy settings, so it's imperative to implement the policy at every level.

Microsoft Azure provides enterprises with the capability to set Azure AD password policy for their users. However, to guarantee the effectiveness of the policy, it's important to ensure compliance. If an organization has a password expiry policy in place, it can use the Azure Active Directory (AD) to check if there are any non-compliant users.

azure logo
slack logo
Blink Automation: Find Azure Users with "Password Never Expires" Enabled and Send Report to Slack
Azure + Slack
Get Started

Searching for Users with Non-Compliant Password Expiration

You can check the password expiration policy for users using Azure AD. You'll need to first connect to Azure AD through PowerShell. Here's how you connect:

  1. Run PowerShell as an admin and run the Connect-AzureAD cmdlet.
  2. Enter the Azure admin username and password and log in.

If multi-factor authentication is in place, you must complete the next steps to successfully log in (for example, use the interactive option).

Once you're logged in, there are two ways you can check for non-compliant password settings. Either you can check if an individual user's password expiry settings are set to "password never expires," or you can list all user password settings.

Since we are interested in finding all users with non-compliant "password never expires" settings, it's better to go with the second option.

To do that, run the following commands in the cmdlet:

Get-AzureADUser -All $true | Select-Object UserPrincipalName,
@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains

This command will produce a list of users and password expiration settings under “PasswordNeverExpires”. The ones with the value “True” under “PasswordNeverExpires” have non-compliant password settings.

After finding the user list, disconnect the session from the tenant used to log in to Azure AD.

Setting Azure AD Password Policy to Set Password Expiry Duration

If you find non-compliant users, a surefire way to ensure they comply is to set the Azure AD password policy accordingly. In other words, you can set an expiry duration for user passwords.

This can be configured by the Set-MsolPasswordPolicy command.

This setting can update the password policy for a specific domain. For example, it will ask for the Domain name, Validity Period, and Notification Days.

By default, the password validity duration value is 90 days. However, you can set a different duration. Similarly, you can also set a notification duration at which point the user will be notified to change their password before it expires.

Run Security Checks on Password Policies with Blink

It's the admin or cloud security team's responsibility to ensure compliance with the company's password policy, which is part of the overall digital security policy. Running manual checks like this might be a context-switch from your team’s typical work.

With a free Blink account, you can schedule automated checks just like this one so you can ensure password compliance in just a couple of clicks.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo