(Cloud) Tip of the Day: Set password policies for AAD user accounts

If you are using a service that uses Azure Active Directory as its identity platform, such as Office 365, Intune, or Azure, you can set a different user password expiration for each domain.

For example, you can have passwords expire every 45 days in one domain and every 90 days in another.

To do this, you will need the Azure Active Directory Module for Windows PowerShell and its Set-MsolPasswordPolicy cmdlet.

Here are the available parameters for Set-MsolPasswordPolicy:

    -DomainName <string>

        The fully qualified domain to apply policies to.

    -NotificationDays <int>

        Specifies the number of days before the password expiration date at which users receive
        their first notification that their password will soon expire.

    -ValidityPeriod <int>

        Specifies the length of time that a password is valid before it must be changed.

First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click Run to run the installer package.

Then perform the following steps…

  1. Open the Azure Active Directory Module for Windows PowerShell.
  2. Run the following cmdlet…
    Connect-MsolService
    Note: When prompted, provide your global administrator credentials.
  3. Then run a series of cmdlets similar to the following to change the expiration time of passwords…
    Set-MsolPasswordPolicy -DomainName contoso.com -ValidityPeriod 45 -NotificationDays 60
    Set-MsolPasswordPolicy -DomainName fabrikam.com -ValidityPeriod 90 -NotificationDays 105
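
A domain-level ValidityPeriod does not apply to accounts whose PasswordNeverExpires flag is set, so after changing a policy it is worth checking which accounts it actually covers. The following PowerShell is an added example, not part of the original tip: the function name Get-PasswordExpiryReport and the sample users are constructed for illustration, and the commented lines assume the module's Get-MsolDomain, Get-MsolPasswordPolicy and Get-MsolUser cmdlets.

```powershell
# Added example; not from the original tip. Function name and sample data are hypothetical.
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory)] [hashtable] $Policies,  # domain name -> policy object
        [Parameter(Mandatory)] [object[]]  $Users,     # objects shaped like Get-MsolUser output
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $Users) {
        $domain  = ($u.UserPrincipalName -split '@')[-1].ToLower()
        $policy  = $Policies[$domain]
        $expires = $null
        if ($u.PasswordNeverExpires) {
            $status = 'ExemptFromPolicy'   # per-user flag wins over the domain policy
        } elseif (-not $policy -or -not $policy.ValidityPeriod) {
            $status = 'NoPolicySet'        # no ValidityPeriod available for this domain
        } elseif (-not $u.LastPasswordChangeTimestamp) {
            $status = 'Unknown'            # no password change recorded
        } else {
            $expires = $u.LastPasswordChangeTimestamp.AddDays($policy.ValidityPeriod)
            $status  = if ($expires -lt $Now) { 'Expired' } else { 'Valid' }
        }
        [pscustomobject]@{
            User = $u.UserPrincipalName; Domain = $domain; Status = $status; Expires = $expires
        }
    }
}

# Against a live tenant (after Connect-MsolService), build the inputs like this:
#   $policies = @{}
#   Get-MsolDomain | ForEach-Object {
#       $policies[$_.Name] = Get-MsolPasswordPolicy -DomainName $_.Name }
#   Get-PasswordExpiryReport -Policies $policies -Users (Get-MsolUser -All)

# Constructed sample data mirroring the two policies set in the steps above.
$policies = @{
    'contoso.com'  = [pscustomobject]@{ ValidityPeriod = 45; NotificationDays = 60 }
    'fabrikam.com' = [pscustomobject]@{ ValidityPeriod = 90; NotificationDays = 105 }
}
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; PasswordNeverExpires = $false
                       LastPasswordChangeTimestamp = [datetime]'2024-03-01' }
    [pscustomobject]@{ UserPrincipalName = 'bob@fabrikam.com'; PasswordNeverExpires = $false
                       LastPasswordChangeTimestamp = [datetime]'2024-03-15' }
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@contoso.com'; PasswordNeverExpires = $true
                       LastPasswordChangeTimestamp = [datetime]'2021-01-10' }
)
Get-PasswordExpiryReport -Policies $policies -Users $users -Now ([datetime]'2024-06-01') |
    Format-Table -AutoSize
```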