Office 365 - Non-Federated Identity, Password never expires
The Microsoft Online Services Module allows you to manage your tenant directly and, in some cases, change settings you can’t change in the GUI (note this can only be achieved if you’re managing accounts that have been created in the tenant, e.g. not created using DirSync/ADFS). To access Remote PowerShell to the Service Portal you will need to install the following prerequisites:
- Operating system: Use Windows 7 or Windows Server 2008 R2.
- Microsoft .NET Framework: You must turn on the Microsoft .NET Framework 3.51 feature in Windows 7 or Windows Server 2008 R2.
- Windows PowerShell 2.0 and AD FS 2.0: In order to run the cmdlets to set up single sign-on, you must turn on the Windows PowerShell 2.0 feature, and you must have administrator privileges on the AD FS 2.0 server. We recommend that you use remote access to the AD FS 2.0 server when you run the cmdlets; to do this you must use Windows PowerShell remoting.
- All Office 365 software updates: From the Office 365 downloads page, install the required updates. To access the Office 365 downloads page, sign in to the Office 365 portal, and, under Resources, click Downloads. These updates are required because the features in Office 365 will not work properly without the appropriate versions of operating systems, browsers, and software.
- Sign-In Assistant
Download the Microsoft Online Services Module
The Microsoft Online Services Module for Windows PowerShell is a download that comes with Office 365. This tool installs a set of cmdlets to Windows PowerShell (you run those cmdlets to set up single sign-on for Office 365).
In this case I want to stop users from being prompted to change their password. To do this, run the Microsoft Online Services Module from the shortcut menu and connect to your Office 365 tenant by running the following commands:
- $MSOLCred = Get-Credential
- Connect-MsolService -Credential $MSOLCred -Verbose
You will need to enter your tenant credentials when prompted. Once you have done this, you can check the current settings by running:
- Get-MsolUser -UserPrincipalName <UPNName> | fl
Note that PasswordNeverExpires is set to False. You can then change the setting for either that individual user or all users (the -All switch is needed because Get-MsolUser otherwise returns only the first 500 accounts):
- All users - Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True
- Individual user - Set-MsolUser -UserPrincipalName <UPNName> -PasswordNeverExpires $True
Run this command again to confirm that the setting has taken effect and that PasswordNeverExpires is now True:
- Get-MsolUser -UserPrincipalName <UPNName> | fl
Also, if you don’t want the user to be prompted to change their password when they log in, you can run the following command:
- Set-MsolUserPassword -UserPrincipalName <UPNName> -NewPassword "P@ssword" -ForceChangePassword $false
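The check, change and re-check steps above, combined into one scoped run that keeps a before and after record; this is an added example, not the author's script. The UPNs and CSV file names are constructed placeholders, and it assumes the installed module version exposes the LastDirSyncTime and LastPasswordChangeTimestamp properties on user objects.

```powershell
# Added example: scoped change with before/after evidence (not the author's code).
# Assumes the MSOnline module is installed; $targets holds constructed sample UPNs.
Import-Module MSOnline
$MSOLCred = Get-Credential
Connect-MsolService -Credential $MSOLCred

$targets = @('svc-scanner@contoso.onmicrosoft.com',   # constructed sample values
             'svc-backup@contoso.onmicrosoft.com')

# Columns recorded for each account before and after the change.
$columns = 'UserPrincipalName', 'PasswordNeverExpires',
           'LastPasswordChangeTimestamp', 'LastDirSyncTime'

# 1. Baseline: every account in the tenant that already has the flag set.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object $columns |
    Export-Csv -Path .\pne-baseline.csv -NoTypeInformation

# 2. Change only the listed accounts, skipping any that are directory-synced
#    (LastDirSyncTime is populated), since those are not managed in the tenant.
foreach ($upn in $targets) {
    $user = Get-MsolUser -UserPrincipalName $upn
    if ($user.LastDirSyncTime) {
        Write-Warning "$upn is synced from on-premises; skipped"
        continue
    }
    Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true
}

# 3. Verify: re-read each target and record the resulting state.
$targets |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_ } |
    Select-Object $columns |
    Export-Csv -Path .\pne-after.csv -NoTypeInformation
```

Comparing pne-baseline.csv with pne-after.csv shows exactly which accounts gained the non-expiring flag in this run.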
If you want to see a list of the available commands, run:
- Get-Command -Module msonline
This is the output (as you can see, it’s a pretty powerful tool; for example, you can automate the provisioning of licenses):
Add-MsolGroupMember
Add-MsolRoleMember
Confirm-MsolDomain
Connect-MsolService
Convert-MsolDomainToFederated
Convert-MsolDomainToStandard
Convert-MsolFederatedUser
Get-MsolAccountSku
Get-MsolCompanyInformation
Get-MsolContact
Get-MsolDomain
Get-MsolDomainFederationSett.
Get-MsolDomainVerificationDns
Get-MsolFederationProperty
Get-MsolGroup
Get-MsolGroupMember
Get-MsolPartnerContract
Get-MsolPartnerInformation
Get-MsolRole
Get-MsolRoleMember
Get-MsolSubscription
Get-MsolUser
Get-MsolUserRole
New-MsolDomain
New-MsolFederatedDomain
New-MsolGroup
New-MsolLicenseOptions
New-MsolUser
Remove-MsolContact
Remove-MsolDomain
Remove-MsolFederatedDomain
Remove-MsolGroup
Remove-MsolGroupMember
Remove-MsolRoleMember
Remove-MsolUser
Set-MsolADFSContext
Set-MsolCompanyContactInform.
Set-MsolCompanySettings
Set-MsolDirSyncEnabled
Set-MsolDomain
Set-MsolDomainAuthentication
Set-MsolDomainFederationSett.
Set-MsolGroup
Set-MsolPartnerInformation
Set-MsolUser
Set-MsolUserLicense
Set-MsolUserPassword
Set-MsolUserPrincipalName
Update-MsolFederatedDomain
Written by Daniel Kenyon-Smith