This blog post is as much a reminder for myself as anything else. I needed to mark some service accounts in Azure AD so that their passwords don't expire.
We had a few service accounts used in a couple of places and wanted a controlled process for changing their passwords, rather than having them expire unannounced and break whatever they were wired into. Disabling expiration removes the built-in forcing function for rotation, so this only makes sense if that controlled rotation actually happens on a schedule, the passwords are long and random, and the accounts are watched like any other privileged identity; where a workload supports it, a managed identity or a service principal with a certificate credential avoids the password entirely.
To do this we did the following:
- Create a group that holds all of the service accounts for our project, for easy management
- Add all of the service accounts to that group
- Run a script that walks every member of the group and changes the user's password policy so the password doesn't expire
I had a look online and couldn't really find a resource showing how to do this that didn't use the old Office 365 MSOnline PowerShell module, so I thought I'd share this for anyone else who might find it useful.
Below is the script I use, which I run each time we add a new service account where we want more granular control over password changes. Two things to know before running it: Get-AzureADGroup -SearchString is a prefix match, so it can return more than one group, and Get-AzureADGroupMember returns nested groups and service principals as well as users, which Get-AzureADUser will not accept. The version below checks for both. Note also that Connect-AzureAD with -Credential does not work for an account that requires MFA; drop -Credential to sign in interactively.
# Relax the execution policy for this session only, rather than machine-wide with Unrestricted
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Install-Module AzureAD -Scope CurrentUser
Import-Module AzureAD

function ProcessUsers([string] $groupName) {
    Write-Host 'Processing Users Function started'
    # -SearchString is a prefix match, so require exactly one exact match on the display name
    $groups = @(Get-AzureADGroup -SearchString $groupName -All $true | Where-Object { $_.DisplayName -eq $groupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$groupName', found $($groups.Count)"
    }
    $ServiceAccountsGroup = $groups[0]
    Write-Host 'Group Found' $ServiceAccountsGroup.DisplayName
    Write-Host 'Group Found' $ServiceAccountsGroup.ObjectId

    $groupMembers = Get-AzureADGroupMember -ObjectId $ServiceAccountsGroup.ObjectId -All $true
    foreach ($member in $groupMembers) {
        # Members can also be groups or service principals; only user objects carry a password policy
        if ($member.ObjectType -ne 'User') {
            Write-Host 'Skipping non-user member:' $member.DisplayName
            continue
        }
        Write-Host $member.DisplayName
        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Pre-update Password Policy: ' $user.PasswordPolicies
        # PasswordPolicies is overwritten, not merged; DisablePasswordExpiration is the only flag set afterwards
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration
        # Read the object back so the log shows what the directory actually holds
        $user = Get-AzureADUser -ObjectId $member.ObjectId
        Write-Host 'Post-update Password Policy: ' $user.PasswordPolicies
        Write-Host 'AccountEnabled: ' $user.AccountEnabled
        Write-Host ''
    }
    Write-Host 'Processing Users Function Ended'
}

# Credential sign-in does not work with MFA; use Connect-AzureAD without -Credential for interactive sign-in
$cred = Get-Credential
Connect-AzureAD -Credential $cred
ProcessUsers -groupName '<Group name goes here>'
Write-Host 'All Done'
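Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK, so the same procedure is shown below with Microsoft.Graph cmdlets. This is an added example, not code from the original post: it assumes the Microsoft.Graph module is installed, that the group display name is unique, that the operator can consent to the Group.Read.All and User.ReadWrite.All delegated permissions, and the group name is a placeholder. It goes a little beyond the script above by preserving any policy flag already set on the user, supporting -WhatIf, and verifying the write by reading the user back.

```powershell
# Added example (not from the original post): the same procedure with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed, the group display name is unique, and the
# operator holds Group.Read.All + User.ReadWrite.All delegated permissions.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

function Set-ServiceAccountPasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $GroupName)

    # Exact-match OData filter; escape single quotes so an odd group name cannot break the query
    $escaped = $GroupName.Replace("'", "''")
    $groups = @(Get-MgGroup -Filter "displayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)"
    }
    $group = $groups[0]
    Write-Host "Group found: $($group.DisplayName) ($($group.Id))"

    foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
        # Nested groups, devices and service principals have no password policy; skip them
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
            Write-Host "Skipping non-user member $($member.Id)"
            continue
        }
        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,PasswordPolicies,AccountEnabled
        $before = if ($user.PasswordPolicies) { $user.PasswordPolicies } else { 'None' }

        # PasswordPolicies is a comma-separated string and Update-MgUser overwrites it,
        # so keep any flag already present (e.g. DisableStrongPassword) instead of dropping it
        $flags = @($before -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
        if ($flags -notcontains 'DisablePasswordExpiration') { $flags += 'DisablePasswordExpiration' }
        $desired = $flags -join ', '

        if ($before -eq $desired) {
            Write-Host "$($user.UserPrincipalName): already '$desired', nothing to do"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "set PasswordPolicies to '$desired'")) {
            Update-MgUser -UserId $user.Id -PasswordPolicies $desired
            # Read the user back and verify rather than trusting that the write landed
            $after = (Get-MgUser -UserId $user.Id -Property PasswordPolicies).PasswordPolicies
            if ($after -notmatch 'DisablePasswordExpiration') {
                Write-Warning "$($user.UserPrincipalName): policy is '$after' after update, expected '$desired'"
            } else {
                Write-Host "$($user.UserPrincipalName): '$before' -> '$after' (AccountEnabled: $($user.AccountEnabled))"
            }
        }
    }
}

# Interactive sign-in works with MFA; run with -WhatIf first to see which users would change
Connect-MgGraph -Scopes 'Group.Read.All', 'User.ReadWrite.All'
Set-ServiceAccountPasswordNeverExpires -GroupName '<Group name goes here>' -WhatIf
Set-ServiceAccountPasswordNeverExpires -GroupName '<Group name goes here>'
```

The -WhatIf pass is worth keeping in the runbook: because the group filter is an exact match and members are filtered to user objects, the dry run lists precisely the accounts whose policy will be rewritten, which is the list you want reviewed before anyone's password stops expiring.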