Are you using risk-based conditional access policies that force a password change if the risk is met?
Office 365 password policy tenant vs. individual user's password policy

Hi all
We have set the org tenant level password policy to "passwords never expire".
(Microsoft 365 admin center, go to Security & privacy tab, select Password expiration policy, Set passwords to never expire, see https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide#set-password-expiration-policy)
In the last few days a couple of users were forced to change their password although we set the org tenant level password policy to "passwords never expire" (the policy was set over half a year ago and didn't change).
Any ideas why? I expect that no users have to change their passwords.
I checked the org tenant password policy also with PowerShell:
Get-MsolPasswordPolicy -DomainName <domain> | fl
The result is:
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
NotificationDays : 14
ValidityPeriod : 2147483647
If I check the Microsoft 365 user details with the following PowerShell command:
Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires
The result is:
- The attribute "PasswordNeverExpires" is "False" or empty
Do the org settings not take effect?
-
Yannick Schlecht 21 Reputation points
2022-09-01T07:10:01.103+00:00
No, we haven't configured any conditional access policies at all. The users are cloud only (no on-prem infrastructure).
-
Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
2022-09-01T07:58:49.173+00:00
Afaik the (domain-based) password policy setting does not apply retroactively, i.e. it will only take effect once the user has changed their password (which in turn is subject to the previous expiration window).
-
Yannick Schlecht 21 Reputation points
2022-09-21T17:56:04.923+00:00
I received an answer from Microsoft - it was a problem with the service, therefore this behavior occurred. All the configurations are correct. The "Password Never Expires" Policy is set to "Yes" on tenant level.
Answer from Microsoft:
I examined our logs and found that there was a service incident between 8/26 and 8/31 where users were prompted to enter their password multiple times. This issue occurred after a small update, and my colleagues fixed it soon after. There should be no more problems. We sincerely apologize for the inconvenience. You can also forward this email to your customers as a confirmation.
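
Added example, not part of the thread or of Microsoft's reply: a Microsoft Graph PowerShell script that puts the two checks from the question side by side (the domain validity period and the per-user expiration flag) together with each user's last password change. It assumes the Microsoft.Graph modules are installed and that a password only expires when the user lacks the DisablePasswordExpiration flag and the domain validity period is not 2147483647; the report column names are made up for this example.

```powershell
# Added example. Needs Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement, plus read-only consent.
Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All'

# The value the question shows as ValidityPeriod for "never expire".
$NeverExpires = 2147483647

# Domain name -> password validity period in days (may be $null if never set).
$validity = @{}
foreach ($d in Get-MgDomain -All) {
    $validity[$d.Id.ToLower()] = $d.PasswordValidityPeriodInDays
}

# passwordPolicies and lastPasswordChangeDateTime are not returned by default.
$users = Get-MgUser -All -Property 'userPrincipalName,passwordPolicies,lastPasswordChangeDateTime'

$report = foreach ($u in $users) {
    # Assumption: the UPN suffix is the domain whose policy applies to the user.
    $domain = ($u.UserPrincipalName -split '@')[-1].ToLower()
    $days   = $validity[$domain]
    $exempt = "$($u.PasswordPolicies)" -match 'DisablePasswordExpiration'

    # Only compute a date when every input needed for it is present.
    $expiresOn = $null
    if (-not $exempt -and $null -ne $days -and $days -ne $NeverExpires -and
        $u.LastPasswordChangeDateTime) {
        $expiresOn = $u.LastPasswordChangeDateTime.AddDays($days)
    }

    [pscustomobject]@{
        UserPrincipalName  = $u.UserPrincipalName
        UserFlagNoExpiry   = $exempt          # per-user setting
        DomainValidityDays = $days            # domain (tenant) setting
        LastPasswordChange = $u.LastPasswordChangeDateTime
        ComputedExpiry     = $expiresOn       # $null = no expiry computed
    }
}

# Users with a computed expiry first, earliest date at the top.
$report |
    Sort-Object @{ Expression = { $null -eq $_.ComputedExpiry } }, ComputedExpiry |
    Format-Table -AutoSize
```

A user with UserFlagNoExpiry False and DomainValidityDays 2147483647 matches the state described in the question; a forced change for such a user is not explained by either setting.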