PowerShell, Azure: Set passwords to never expire in Azure AD
Password strategy is hard. A lot of it seems to have been written by people who are very interested in the theoretical capabilities of hardware most people don't have just sitting around, and inversely little thought at all to the poor users sitting at the end of their intense policies.
My feelings on the matter are:
- Have a high password strength (length, complexity)
- Have MFA
- Restrict access be it via IP address. If you're in the UK. Block all IP address that aren't...
If you do those things then forcing regular password changes on users is not going to improve your security. I would argue that what it will actually reduce security as it will force users to write the down passwords. Especially if you have high complexity.
With this in mind, if you want to set passwords to never expire in Azure AD then do the following:
Make sure you have the AZ AD modules installed. To do that run the following from a PowerShell instance with administrator provilages
install-Module AzureAD
Agree to any pop ups relating to the installation of modules, then run the follwing:
Connect-AzureAD
You will get a credentials box popping up, and will take you through MFA.
and once you're in you will get something like this.
If you want to see if there any password polices set already then:
Get-AzureADUser -All $true | select DisplayName, PasswordPolicies
As you can see here I have 1 account set to not expire.
Finally to set the passwords to not expire:
Set-AzureADUser -ObjectId frank@domain.co.uk -PasswordPolicies DisablePasswordExpiration