KomoroskeGina-5094 asked ·

Azure AD Cloud User - find when password will expire

We have an Azure AD user in our B2B tenant, and we would like to calculate when the password will expire. I cannot seem to find a way to do this in Azure. I've tried get-azureaduser select-object * and I can see a bunch of properties, but not any I'm looking for. I can see the "PasswordNeverExpires" is set to False, but how do I find out further details (when pwd was last set, when will it expire, etc.)?
Thanks in advance.

azure-active-directory

michev answered ·

B2B users don't authenticate against your Azure AD instance; their passwords are managed in the home tenant. Thus you cannot get this information.

For a regular user, you can calculate the expiration date based on the LastPasswordChangeTimestamp value and the corresponding password policy settings. There are sample scripts available online if you need a ready-to-use solution. Again, that's for your own users, not guests.


KomoroskeGina-5094 answered ·

Sorry, I probably worded this wrong. We have an Azure tenant, and in that tenant we have an Azure Active Directory; this is where that user account lives. It is a cloud-only account; it is not synced with any on-premises directory, etc.

The command that gives me 'some' properties is this one:

 Get-AzureADUser -ObjectId user@mytenant.onmicrosoft.com | Select-Object *

But I'm looking to find out when this user changed pwd so I can calculate when it'll expire.
Does that help?


The Azure AD module is still lacking for some operations, and some attributes are not exposed there; use the good old MSOnline module instead. Or call the Graph API directly if you prefer.


Wow, frustrating to have to use the MSOnline module! But thanks for suggesting that. I didn't try it because I hadn't used that for years... but it worked. Too bad MS couldn't add that to the new modules.

KomoroskeGina-5094 answered ·

I wonder if the attribute "RefreshTokensValidFromDateTime" when doing a get-azureaduser property represents the last password change? Can someone verify that?


It does not. Use the LastPasswordChangeTimestamp as suggested above.

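The calculation described in the answer and comments above (LastPasswordChangeTimestamp plus the domain's password policy, read through the MSOnline module), written out as an added example that is not code from the thread. The function name `Get-PasswordExpiry`, the 90-day fallback, the UTC comparison and the sample objects are assumptions made for illustration, and live use assumes the MSOnline module is still usable in your tenant.

```powershell
# Added example; not code from the thread. Live use needs the MSOnline module.
function Get-PasswordExpiry {
    param(
        # Object exposing UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires
        [Parameter(Mandatory)] $User,
        # Object exposing ValidityPeriod (days), as returned by Get-MsolPasswordPolicy; may be $null
        $Policy,
        # Assumption: fallback when the domain has no explicit policy; set it to your tenant's value
        [int] $DefaultValidityDays = 90
    )
    $neverValue = 2147483647   # ValidityPeriod value that means "passwords never expire"
    $days = if ($Policy -and $Policy.ValidityPeriod) { [int]$Policy.ValidityPeriod } else { $DefaultValidityDays }
    $never = ($User.PasswordNeverExpires -eq $true) -or ($days -eq $neverValue)

    $expires = $null
    if (-not $never -and $User.LastPasswordChangeTimestamp) {
        $expires = $User.LastPasswordChangeTimestamp.AddDays($days)
    }
    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        LastChanged       = $User.LastPasswordChangeTimestamp
        ValidityDays      = if ($never) { 'never' } else { $days }
        ExpiresOn         = $expires
        # Timestamps are compared in UTC (assumption about how the value is stored)
        DaysLeft          = if ($expires) { [math]::Floor(($expires - [DateTime]::UtcNow).TotalDays) } else { $null }
    }
}

# Live use (same UPN as in the question):
#   Connect-MsolService
#   $u = Get-MsolUser -UserPrincipalName 'user@mytenant.onmicrosoft.com'
#   $p = Get-MsolPasswordPolicy -DomainName ($u.UserPrincipalName -split '@')[1]
#   Get-PasswordExpiry -User $u -Policy $p

# Constructed sample objects so the calculation can be checked offline
$sampleUser = [pscustomobject]@{
    UserPrincipalName           = 'user@mytenant.onmicrosoft.com'
    LastPasswordChangeTimestamp = [DateTime]::UtcNow.AddDays(-60)
    PasswordNeverExpires        = $false
}
$samplePolicy = [pscustomobject]@{ ValidityPeriod = 90; NotificationDays = 14 }
Get-PasswordExpiry -User $sampleUser -Policy $samplePolicy
```

As the first answer notes, this applies to your own cloud users only; guest (B2B) accounts have their passwords managed in the home tenant.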