25,080 questions
I wonder if the attribute "RefreshTokensValidFromDateTime" when doing a get-azureaduser property represents the last password change? Can someone verify that?
Azure AD Cloud User - find when password will expire
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 41%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKG%3C/text%3E%3C/svg%3E)
Komoroske, Gina
386
Reputation points
We have an Azure AD user in our B2B tenant we would like to calculate when the password will expire. I cannot seem to find a way to do this in Azure. I've tried get-azureaduser select-object * and I can see a bunch of properties, but not any I'm looking for. I can see the "PasswordNeverExpires" is set to False, but how do I find out further details (when pwd was last set, when will it expire, etc).
Thanks in advance.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Sort by: Most helpful
-
Komoroske, Gina 386 Reputation points
2019-12-05T21:41:36.31+00:00 -
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator2019-12-05T21:46:40.497+00:00 It does not. Use the LastPasswordChangeTimestamp as suggested above.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 85%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Heiko 1 Reputation point2021-06-18T09:46:54.083+00:00 it is
StsRefreshTokensValidFrom : 23.03.2021 07:09:00
LastPasswordChangeTimestamp : 23.03.2021 07:09:00
Sign in to comment -
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2019-12-04T15:22:20.75+00:00 B2B users don't authenticate against your Azure AD instance, their passwords are managed in the home tenant. Thus you cannot get this information.
For a regular user, you can calculate the expiration date based on the LastPasswordChangeTimestamp value and the corresponding password policy settings. There are sample scripts available online if you need a ready to use solution. Again, that's for your own users, not guests.
-
Komoroske, Gina 386 Reputation points
2019-12-04T15:33:06.807+00:00 Sorry, I probably worded this wrong. We have an Azure tenant, and in that tenant we have an Azure Active Directory, this is where that user account lives. It is a cloud only account, it is not synced with any on premise directory, etc.
The command that gives me 'some' properties is this one:
Get-AzureADUser -ObjectId ******@mytenant.onmicrosoft.com | Select-Object *But I'm looking to find out when this user changed pwd so I can calculate when it'll expire.
Does that help?-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2019-12-04T15:53:26.06+00:00 The Azure AD module is still lacking for some operations and some attributes are not exposed there, use the good old MSOnline module instead. Or call the Graph API directly if you prefer
-
Komoroske, Gina 386 Reputation points
2019-12-05T21:40:44.687+00:00 wow, frustrating to have to use msonline module! But thanks for suggesting that, I didn't try it because I hadn't used that for years. . . . but it worked. Too bad MS couldn't add that to the new modules
Sign in to comment -