Wednesday, May 8, 2019

Set-MsolUser cmdlet from the Azure Active Directory Windows PowerShell module

Configure password expiration
You can use the Set-MsolUser cmdlet from the Azure Active Directory Windows PowerShell module to configure whether an Office 365 user’s password expires. This is inadvisable from a security perspective because a password that is not changed is more likely to be compromised. If you do choose, or are required, to configure an Office 365 user’s password to not expire, consider implementing multi-factor authentication as a way of increasing the user account’s authentication requirements.
To configure the password of the user Don Funk to never expire, use the command:
Set-MsolUser -UserPrincipalName don.funk@contoso2017er.onmicrosoft.com -PasswordNeverExpires $true
You can configure the Office 365 tenancy so that passwords don’t expire for any of the user accounts by using the Set-MsolUser cmdlet in conjunction with the Get-MsolUser cmdlet. For example, to configure all user accounts so that their passwords do not expire, use the following command:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true
You can change this back so that the password does expire if it has been configured not to expire by setting the PasswordNeverExpires parameter to $false. For example, to configure Don Funk’s user account so that the password follows the existing password policy, use the following command:
Set-MsolUser -UserPrincipalName don.funk@contoso2017er.onmicrosoft.com -PasswordNeverExpires $false
You can use a similar technique to the one that you use to configure the Office 365 tenancy so that no user passwords expire to configure the Office 365 tenancy so that all passwords expire according to the tenancy password policy. To do this, issue the following command:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false

More Info Set-MsolUser
You can learn more about the Set-MsolUser Windows PowerShell cmdlet at the following address: https://docs.microsoft.com/en-us/powershell/module/MSOnline/Set-MsolUser.

Password complexity
Office 365 user accounts stored in Azure Active Directory are subject to the Azure Active Directory password policy. As you saw earlier in this chapter, this means that all user account passwords need to be between 8 and 16 characters long and need to contain three of the following four characteristics: uppercase letters, lowercase letters, numbers, and symbols. You cannot change the Azure Active Directory password policy, because this is set by Microsoft. You cannot use the Office 365 Admin Center to exempt a user account from the Azure Active Directory password policy. You can, however, use a PowerShell command to exempt a user account from the requirement of having a strong password. You can do this with the Set-MsolUser cmdlet and the StrongPasswordRequired parameter. For example, to configure Don Funk’s Office 365 user account so that it does not have to conform to the Azure Active Directory password complexity policy, issue the following command:
Set-MsolUser -UserPrincipalName don.funk@contoso2017er.onmicrosoft.com -StrongPasswordRequired $false
To switch an account back, pass $true to the parameter instead of $false. For example, to configure Don Funk’s Office 365 user account so that it must conform to the Azure Active Directory password complexity policy, issue the following command:
Set-MsolUser -UserPrincipalName don.funk@contoso2017er.onmicrosoft.com -StrongPasswordRequired $true
Even though you can exempt a user from the Azure AD password policy using Windows PowerShell and not the Office 365 Admin Center, it would be difficult to find an adequate justification from a security perspective for doing so.
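The two sections above (password expiration and password complexity) both create per-user exceptions to the tenant password policy that are easy to set and easy to forget. The following script is an added example, not part of the original post or of Microsoft's documentation: it reports every account exempt from expiry or from the strong-password requirement, then returns complexity exemptions to the policy and returns non-expiring passwords to the policy only where the account has no MFA method registered (the compensating control the text recommends). It assumes the MSOnline module is installed, that you hold a role permitted to run Set-MsolUser, and that the report path is a placeholder you will change.

```powershell
# Added example (not from the original post): audit and remediate per-user
# exemptions from the tenant password policy with the MSOnline module.
# Assumes: MSOnline module installed, an account allowed to run Set-MsolUser,
# and $ReportPath is a placeholder location. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Where to write the CSV audit report (assumed path, change as needed)
    [string]$ReportPath = ".\MsolPasswordPolicyExceptions.csv"
)

Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# -All is required: without it Get-MsolUser returns only the first 500 users,
# so a plain "Get-MsolUser | Set-MsolUser ..." silently skips larger tenants.
$users = Get-MsolUser -All

# Accounts exempt from expiry or from the complexity requirement
$exceptions = $users | Where-Object {
    $_.PasswordNeverExpires -eq $true -or $_.StrongPasswordRequired -eq $false
} | Select-Object UserPrincipalName,
                  DisplayName,
                  PasswordNeverExpires,
                  StrongPasswordRequired,
                  LastPasswordChangeTimestamp,
                  @{ Name = 'MfaMethods'; Expression = { $_.StrongAuthenticationMethods.Count } }

# Keep a record of what was found before anything is changed
$exceptions | Export-Csv -Path $ReportPath -NoTypeInformation
$exceptions | Format-Table -AutoSize

foreach ($u in $exceptions) {
    # Complexity exemptions have no security justification: always revert them
    if ($u.StrongPasswordRequired -eq $false -and
        $PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Re-enable StrongPasswordRequired')) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $true
    }
    # A non-expiring password with no registered MFA method has no
    # compensating control: put it back under the tenant expiry policy
    if ($u.PasswordNeverExpires -eq $true -and $u.MfaMethods -eq 0 -and
        $PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Return password to tenant expiry policy')) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $false
    }
}
```

Run it once as `.\Audit-MsolPasswordExceptions.ps1 -WhatIf` (file name is assumed) to see the planned changes and the CSV, then without -WhatIf to apply them. Accounts that keep a non-expiring password because MFA is registered still appear in the report, so the exception list can be reviewed on a schedule rather than discovered after an incident.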
