Set an individual user's password to never expire

This article explains how to set a password for an individual user to not expire. You have to complete these steps using PowerShell.

Before you begin

This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account (see "What's an admin account?").

You must be a global admin or password administrator to perform these steps.

A global admin for a Microsoft cloud service can use the Azure Active Directory PowerShell for Graph to set passwords not to expire for specific users. You can also use AzureAD cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire.

This guide applies to other providers, such as Intune and Microsoft 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed.

Note

Only passwords for user accounts that are not synchronized through directory synchronization can be configured to not expire. For more information about directory synchronization, see Connect AD with Azure AD.

How to check the expiration policy for a password

For more information about the Get-AzureADUser command in the AzureAD module, see the reference article Get-AzureADUser.

Run one of the following commands:

  • To see if a single user's password is set to never expire, run the following cmdlet by using the UPN (for example, user@contoso.onmicrosoft.com) or the user ID of the user you want to check:

    Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
        N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
    }
    

    Example:

    Get-AzureADUser -ObjectId userUPN@contoso.com | Select-Object UserprincipalName,@{
        N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
    }
    
  • To see the Password never expires setting for all users, run the following cmdlet:

    Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
        N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
    }
    
  • To get an HTML report of the Password never expires setting for all users, saved on the current user's desktop as ReportPasswordNeverExpires.html, run the following cmdlet:

    Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
        N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
    } | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html
    
  • To get a CSV report of the Password never expires setting for all users, saved on the current user's desktop as ReportPasswordNeverExpires.csv, run the following cmdlet:

    Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
        N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
    } | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv
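
The reports above list every user, and PasswordPolicies can hold more than one policy in a single comma-separated string (for example together with DisableStrongPassword), in which case the -contains test on the whole string returns False. The following is an added example, not part of the original article or the AzureAD module: it splits the policy string before testing and keeps only the accounts whose passwords never expire, along with their sync and enabled state. The function name Get-PasswordExpiryAudit, the sample accounts, and the output file name are hypothetical.

```powershell
# Added example: Get-PasswordExpiryAudit is a hypothetical helper, not an AzureAD cmdlet.
function Get-PasswordExpiryAudit {
    [CmdletBinding()]
    param(
        # User objects in the shape returned by Get-AzureADUser
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Split the policy string so a combined value is still recognised
        $policies = @("$($User.PasswordPolicies)" -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            PasswordNeverExpires = $policies -contains 'DisablePasswordExpiration'
            DirSynced            = [bool]$User.DirSyncEnabled
            AccountEnabled       = [bool]$User.AccountEnabled
        }
    }
}

# Constructed sample objects standing in for Get-AzureADUser output
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.com'; PasswordPolicies = 'DisablePasswordExpiration'; DirSyncEnabled = $null; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'kiosk@contoso.com'; PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'; DirSyncEnabled = $null; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'alex@contoso.com'; PasswordPolicies = 'None'; DirSyncEnabled = $true; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'temp@contoso.com'; PasswordPolicies = $null; DirSyncEnabled = $null; AccountEnabled = $false }
)

# Keep only the accounts whose passwords never expire
$sample | Get-PasswordExpiryAudit | Where-Object PasswordNeverExpires | Format-Table -AutoSize

# Against a tenant, after Connect-AzureAD (output file name is a placeholder):
# Get-AzureADUser -All $true | Get-PasswordExpiryAudit |
#     Where-Object PasswordNeverExpires |
#     Export-Csv "$env:USERPROFILE\Desktop\PasswordNeverExpiresOnly.csv" -NoTypeInformation
```

Reviewing the filtered list before and after any bulk change makes it easy to confirm that only the intended accounts carry the never-expires setting.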
    
    

Set a password to never expire

Run one of the following commands:

  • To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

    Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration
    
  • To set the passwords of all the users in an organization to never expire, run the following cmdlet:

    Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration
    

Set a password to expire

Run one of the following commands:

  • To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

    Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
    
  • To set the passwords of all users in the organization so that they expire, use the following cmdlet:

    Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
    

Warning

User accounts configured with the -PasswordPolicies DisablePasswordExpiration parameter still age based on the pwdLastSet user account attribute. For example, if you set user passwords to never expire and then 90 or more days go by, the passwords still expire. Based on the pwdLastSet user account attribute, for user accounts configured with the -PasswordPolicies None parameter, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.
