This blog post is more of a reminder for myself as much as anything. I had a need to mark some service accounts in Azure AD so that their passwords don't expire.
The situation was that we had a few service accounts used in a couple of places, and we wanted a controlled process for changing their passwords.
To do this we did the following:
- Create a group to associate all of the service accounts for our project, for easy management
- Add all of the service accounts to that group
- Run a script which checks every member of the group and changes the password policy so that the password doesn't expire
I had a look online and couldn't really find a resource showing how to do this which didn't use the old Office 365 MSO PowerShell functionality, so I thought I'd share this for anyone else who might find it useful.
Below is the script I used. I usually run it each time we need a new service account for which we want more granular control over password changes.
# Note: RemoteSigned with -Scope Process is enough to run a locally written script for this session only
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Install-Module AzureAD
Get-Module AzureAD

function ProcessUsers([string] $groupName)
{
    Write-Host 'Processing Users Function started'

    # -SearchString is a prefix match, so filter to the exact display name and insist on exactly one group;
    # otherwise $ServiceAccountsGroup.ObjectId can be an array and the member lookup below fails
    $ServiceAccountsGroup = Get-AzureADGroup -SearchString $groupName -All $true |
        Where-Object { $_.DisplayName -eq $groupName }
    if (@($ServiceAccountsGroup).Count -ne 1)
    {
        throw "Expected exactly one group named '$groupName', found $(@($ServiceAccountsGroup).Count)"
    }
    Write-Host 'Group Found' $ServiceAccountsGroup.DisplayName
    Write-Host 'Group Found' $ServiceAccountsGroup.ObjectId

    $groupMembers = Get-AzureADGroupMember -ObjectId $ServiceAccountsGroup.ObjectId -All $true
    Foreach ($member in $groupMembers)
    {
        # Nested groups, devices and service principals cannot be updated with Set-AzureADUser; skip them
        if ($member.ObjectType -ne 'User')
        {
            Write-Host 'Skipping non-user member' $member.DisplayName '(' $member.ObjectType ')'
            continue
        }
        Write-Host $member.DisplayName
        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Pre-update Password Policy: ' $user.PasswordPolicies
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration
        # Re-read the user so the printed value reflects what the directory now holds
        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Post-update Password Policy: ' $user.PasswordPolicies
        Write-Host 'AccountEnabled: ' $user.AccountEnabled
        Write-Host ''
    }
    Write-Host 'Processing Users Function Ended'
}

$cred = Get-Credential
Connect-AzureAD -Credential $cred
ProcessUsers -groupName '<Group name goes here>'
Write-Host 'All Done'
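As an added check that is not part of the original post, the following PowerShell reports the two ways the controlled process can drift: group members whose password still expires (not yet processed), and users outside the group whose expiry has been disabled by some other route. It assumes an existing Connect-AzureAD session with the AzureAD module; the function name and the group name placeholder are mine.

```powershell
# Added example (not from the original post): find drift from the "never-expiring passwords
# live only in the service-account group" rule. Assumes Connect-AzureAD has already been run.
function Get-PasswordExpiryDrift([string] $groupName)
{
    # Exact-match the group name; -SearchString alone is a prefix match
    $group = Get-AzureADGroup -SearchString $groupName -All $true |
        Where-Object { $_.DisplayName -eq $groupName }
    if (@($group).Count -ne 1) { throw "Expected exactly one group named '$groupName'" }

    # User members of the group are the only accounts allowed to have expiry disabled
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' }
    $managedIds = @{}
    foreach ($m in $members) { $managedIds[$m.ObjectId] = $true }

    # Finding 1: members the script has not processed yet (policy still expires).
    # PasswordPolicies is a comma-separated string (or $null), so match the token rather than
    # comparing for equality; $null -notmatch '...' evaluates to $true, which is what we want here.
    foreach ($m in $members)
    {
        $u = Get-AzureADUser -ObjectId $m.ObjectId
        if ($u.PasswordPolicies -notmatch 'DisablePasswordExpiration')
        {
            [pscustomobject]@{
                Finding           = 'MemberStillExpires'
                DisplayName       = $u.DisplayName
                UserPrincipalName = $u.UserPrincipalName
                AccountEnabled    = $u.AccountEnabled
                PasswordPolicies  = $u.PasswordPolicies
            }
        }
    }

    # Finding 2: accounts outside the group whose password never expires (set outside the process)
    Get-AzureADUser -All $true |
        Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' -and
                       -not $managedIds.ContainsKey($_.ObjectId) } |
        ForEach-Object {
            [pscustomobject]@{
                Finding           = 'UnmanagedNonExpiring'
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                AccountEnabled    = $_.AccountEnabled
                PasswordPolicies  = $_.PasswordPolicies
            }
        }
}

Get-PasswordExpiryDrift -groupName '<Group name goes here>' | Format-Table -AutoSize
```

The second finding enumerates every user in the tenant, so on a large directory expect it to take a while; an empty table means membership and policy agree.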