O365 Powershell - How do I set a password to never expire just for global admins

  • Question

  • I have got over 45 O365 portals to manage and basically want to set the password expiry for global admins not to expire.

    I have got the script to connect to all of the portals, I can set individual users' passwords to not expire and can also get a list of company administrators using the get-msolrolemember.

    How do I set the password expiry for a group of users based on msrolemember?

    Tuesday, February 9, 2016 2:57 PM

Answers

  • Global admins are the last group that should have passwords never expire.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, February 9, 2016 3:09 PM
    Moderator

All replies

  • First, a note - non-expiring passwords are RARELY a good idea.

    Perhaps someone here is familiar with O365 and can help you with this (I can't, I've never touched O365 and hope never to), but you might also want to ask the O365 community directly on their site:

    https://community.office365.com/en-us/f

    Good luck.


    Tuesday, February 9, 2016 3:01 PM
  • Hi cta,

    if you're going to the trouble to automate accessing all those accounts for user management ... why not simply change the password globally instead?

    Same as Mike, I've never had to deal with O365 and hopefully never will.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, February 9, 2016 3:04 PM
  • I don't want to set it globally for all users.  The password expiry only needs to be applied to global admins of o365.
    Tuesday, February 9, 2016 3:07 PM
  • Thanks,

    I will have a look.  I know non-expiring passwords are not a good idea which is why I only want it to apply to the global admin accounts which have to administer over 45 portals.

    Tuesday, February 9, 2016 3:09 PM
  • I know non-expiring passwords are not a good idea which is why I only want it to apply to the global admin accounts which have to administer over 45 portals.

    The fact that these accounts have such wide authority is the exact reason their passwords should expire. In fact, these accounts should have even more stringent password restrictions than other accounts!

    I agree with the others. This is a very bad idea, and you should not do this.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, February 9, 2016 4:28 PM
    Moderator
  • I would add, if a normal user is hacked, his identity and files/email can be compromised. But if an Administrator is hacked, everyone's identity and files can be compromised. If passwords never expire, an attacker has unlimited time to guess the password by brute force. It no longer really matters how complex the password is, since the attacker can work on the password indefinitely.

    I also am not familiar with O365, but global administrator sounds like an account where consequences could be especially grave if the account is ever compromised. Nothing should ever be done for the convenience of administrators. Always, the consequences of a security breach should be considered when designing security features.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, February 9, 2016 5:16 PM
    Moderator
  • If you're doing it right, which is a telling statement, you would have different passwords for each account so that a compromise of one won't affect any other clients. Remember that passwords don't just get compromised by brute force attacks; user error or keylogging is a more likely scenario in most cases.

    Or to put it another way, Contoso might be really annoyed that they've lost their entire tenant because their supplier used the same password for Fabrikam as well and it got compromised.

    If you do have to share a password, which is bad, the better option would be to provide a way to update them all at once. At least that way you can update it regularly and on demand when needed.

    It sounds like you need a decent password safe tool.

    Tuesday, February 9, 2016 5:31 PM
  • Set-MsolUserPassword -ObjectId <Guid> [-ForceChangePassword <Boolean>] [-NewPassword <string>] [-TenantId <Guid>] [<CommonParameters>]

    https://msdn.microsoft.com/en-us/library/dn194140.aspx


    \_(ツ)_/

    Tuesday, February 9, 2016 7:03 PM
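
The check the replies argue for, as an added example that is not part of any post in this thread: list each global admin with its password-expiry flag and password age, so accounts that never expire can be found and fixed. It assumes the MSOnline module the thread uses and an existing Connect-MsolService session; the function name and the 90-day threshold are hypothetical.

```powershell
# Added example (audit only). Assumes: MSOnline module loaded and
# Connect-MsolService already run. Get-GlobalAdminPasswordPolicy and the
# 90-day default are hypothetical choices, not from the thread.
function Get-GlobalAdminPasswordPolicy {
    param(
        [Guid]$TenantId,         # optional: a partner-managed tenant
        [int]$MaxAgeDays = 90    # assumed review threshold
    )

    # Pass -TenantId through only when the caller supplied one.
    $scope = @{}
    if ($PSBoundParameters.ContainsKey('TenantId')) { $scope.TenantId = $TenantId }

    # "Company Administrator" is the MSOnline role name for global admins.
    $role = Get-MsolRole -RoleName 'Company Administrator' @scope

    Get-MsolRoleMember -RoleObjectId $role.ObjectId @scope |
        Where-Object { $_.RoleMemberType -eq 'User' } |   # skip service principals
        ForEach-Object {
            $user = Get-MsolUser -ObjectId $_.ObjectId @scope

            # Password age in whole days; stays $null if no timestamp is recorded.
            $age = $null
            if ($user.LastPasswordChangeTimestamp) {
                $now = (Get-Date).ToUniversalTime()
                $age = [int]($now - $user.LastPasswordChangeTimestamp).TotalDays
            }

            $neverExpires = [bool]$user.PasswordNeverExpires
            [PSCustomObject]@{
                UserPrincipalName    = $user.UserPrincipalName
                PasswordNeverExpires = $neverExpires
                PasswordAgeDays      = $age
                NeedsReview          = $neverExpires -or ($age -gt $MaxAgeDays)
            }
        }
}

# Usage: show only the admin accounts that need attention.
# Get-GlobalAdminPasswordPolicy | Where-Object NeedsReview | Format-Table
```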