Whether you’re managing Exchange Server or Windows Server, password management is an important task for any administrator.
The song remains the same for Office 365. Because Microsoft gives you better control of Office 365’s features and functions at the command line, you should know the commands you’ll need to change users’ passwords from there, as well as how to set them to never expire when the situation warrants it.
Carrying out administrative tasks using Office 365’s Web-based GUI is in many ways more difficult than managing them in Windows. In Windows, you’re responsible for a wide range of configuration tabs that house all the properties associated with each user. Dealing with them in Office 365 adds the extra overhead of the Web, plus you have to wait for Web pages to refresh.
Office 365’s administrative console is essentially a “skin” for PowerShell commands that perform the actual work. Any user management that can be performed via the GUI can also be done at the command line -- if you’ve got the right commands.
Two common activities associated with users are changing their passwords and, for the privileged few, setting passwords to never expire. By default, Office 365 requires user passwords to be changed every 90 days. In my experience, this can be a nuisance when excessive security isn’t of utmost importance.
Changing a user’s password requires knowing his UserPrincipalName, which maps to the primary login credential associated with said user. For most users, the UserPrincipalName looks like the following: userName@domain.onmicrosoft.com.
Armed with that info, you can use the following PowerShell command to change the user’s password:
Set-MsolUserPassword -UserPrincipalName firstname.lastname@example.org -NewPassword "P@ssw0rd!"
In certain cases, you might not need to change a password to anything specific, but instead to a random value. Office 365 can supply that random password for you if you omit the -NewPassword argument. The cmdlet looks like this:
Set-MsolUserPassword -UserPrincipalName email@example.com
After running the above command, Office 365 will display the password it generates, which you can then share with your users.
With a tip of the hat to security best practices, there occasionally comes a time when a user’s account shouldn’t undergo a regular password change. Using Office 365’s PowerShell, you can set those passwords to never expire with the following command:
Get-MsolUser -UserPrincipalName firstname.lastname@example.org | Set-MsolUser -PasswordNeverExpires $true
Note that the command actually sets the user’s PasswordNeverExpires property to $true. If you want to verify whether a user’s password will expire or not, use the following command:
Get-MsolUser -UserPrincipalName email@example.com | fl *
In the list that appears, look for the PasswordNeverExpires property. You’ll find it along with the surprisingly short list of other user properties that Office 365 tracks.
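As an added example (not part of the original article), the single-user check above can be generalized into a review of every account exempted from password expiry, flagging any that are not on an approved list or whose password is older than a threshold. The function name, the approved list, the 365-day threshold and the sample users are assumptions; the live-tenant line uses the same MSOnline module as the commands above.

```powershell
# Added example, not from the article. Find-NeverExpireException, the approved
# list, the 365-day threshold and the sample users are hypothetical.
function Find-NeverExpireException {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $Approved = @(),   # UPNs with a documented exemption
        [int] $MaxAgeDays = 365,      # flag exempt passwords older than this
        [datetime] $Now = (Get-Date)
    )
    process {
        # Accounts still subject to the expiry policy are out of scope.
        if ($User.PasswordNeverExpires -ne $true) { return }

        $last = $User.LastPasswordChangeTimestamp
        $age  = if ($last) { [int][math]::Floor(($Now - $last).TotalDays) } else { $null }

        $reasons = @()
        if ($Approved -notcontains $User.UserPrincipalName) { $reasons += 'NotApproved' }
        if ($null -eq $age)           { $reasons += 'NoChangeDate' }
        elseif ($age -gt $MaxAgeDays) { $reasons += 'StalePassword' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                PasswordAgeDays   = $age
                Reasons           = $reasons -join ','
            }
        }
    }
}

# Constructed objects shaped like Get-MsolUser output, so the check runs offline.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@example.com'; PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = (Get-Date '2024-03-01') }
    [pscustomobject]@{ UserPrincipalName = 'old-kiosk@example.com';  PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = (Get-Date '2021-01-15') }
    [pscustomobject]@{ UserPrincipalName = 'jane.doe@example.com';   PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = (Get-Date '2024-05-20') }
    [pscustomobject]@{ UserPrincipalName = 'bob.roe@example.com';    PasswordNeverExpires = $false; LastPasswordChangeTimestamp = (Get-Date '2024-04-02') }
)
$approved = 'svc-backup@example.com', 'old-kiosk@example.com'
$sample | Find-NeverExpireException -Approved $approved -Now $now | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService:
# Get-MsolUser -All | Find-NeverExpireException -Approved $approved
```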
ABOUT THE AUTHOR:
Greg Shields, MVP, is a partner and principal technologist with Concentrated Technology. An IT industry analyst, author, speaker and trainer, Greg can be found at www.concentratedtech.com.