When surfing to your office 365 tenant you can get an alert that your password is going to expire in XX days.

O365

I tried to change/reset the password but failed to do it. On Microsoft Answers I found that we could manage our password expiration policy and therefore we need to surf to: Office 365 admin center > service settings > passwords.

Office 365

But In this user interface we cannot set an account to “not expire” however, as a workaround; we can set the Days before the passwords expire to a maximum of 730 days (2 years). It could be a workaround but it isn’t. I need to disable this.

After searching a while it seems that with Office 365, everything seems to be (very) easy in PowerShell. I also found that in office 365 you only need two lines to disable the password policy.

Office 365

First open the Microsoft Online Services Module for Windows PowerShell and notify the same alert appearing at the Task bar (Download: 32bit or 64bit).

Office 365

You have to connect to your Office 365 tenant and therefore you need to use the connect-MsolService command. This will open you a little sign-in box where you need to insert the Office365 Administrator User Name and Password.

You should now be connected to your O365 Tenant. Hit the following to get an overview of your account: get-msoluser |fl

Office 365

You can see that the PasswordNeverExpires attribute/property hasn’t any value. With the following PowerShell command you can enable this: Get-MsolUser | Set-MsolUser –PasswordNeverExpires $True

 1

Office 365

Finally; your user has now a password that never will expire but is will every corporate accept this? Is this secure enough? I have my doubts… So let’s check what more we can do with passwords on Office 365.

Password Best Practices

According to Cogmotive a few Best Practices for Office 365 Password can be divided in in multiple parts like:

1 Use complex and long Passwords

According to TechNet Passwords must contain characters from three of the following five categories:

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;”‘<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

2 Use a Managed Account for your Admin User

Like as SharePoint Server you can create Managed Accounts for your Office 365 Tenant. Let’s take the example that you have an Office 365 account called gokanx@meloon.onmicrosoft.comthat you use everywhere (Exchange, Server, Lync, Managing Office365…). Bad choice! You should create a separate account called office365ga@meloon.onmicrosoft.com that has Global Administrator role and use this account only for logging in to the Microsoft Portal/PowerShell.

This user account doesn’t even require an Office 365 license as it most likely doesn’t need a mailbox. This means you will not be charged by Microsoft for this additional Administrative account.

Let’s create a generic Managed Account. Surf to the users and groups on the Office 365 Administration Center and hit the little “+”.

Office 365

Provide a First Name, Last name and a User Name and hit Next.

Office 365

We have to select a role to our Office 365 Global Administrator. As we are creating a Global Administrator please select Global Administrator role and provide NON-OnMicrosoft email address in case of you forget your password.

Office 365

 A few times ‘Next’ and your user is created and ready for use! Please don’t forget to remove the Global Administrator role(s) from all previous person(s) to complete this action.

3 Enable Multi-Factor Authentication

According to TechNet Multi-factor authentication adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, the finder of that device won’t be able to use it unless he or she also knows the user’s password.

Therefore again on the same screen click Manage next to Multi-Factor Authentication at the top.

Office 365

Select the user that you want to enable the Multi-Factor Authentication – in my case the Office 365 Global Administrator that I just created – and hit Enable.

 Office 365

A new Pop-up will appear and you only have to click ‘yes enable Multi-factor authentication’ for that user.

Office 365

Now that you have enabled Multi-Factor Authentication we need to log out and log back in as the user you selected above.

On first login you will be prompted to configure the Multi-Factor authentication settings. Asking new password. Provide the old and new Password.

Office 365

Office 365 isn’t as usual redirecting you to the Office 365 Admin Center but requires a little setup for additional security verification. Hit; “Set it up now”

 Office 365

Select your country, provide a phone number and ask to receive a text message. Be aware and careful, this isn’t free! Standard telephone and SMS chargers will apply to you.

 Office 365

A few seconds later you will receive on your smartphone a text message from Microsoft Online Services providing my verification code.

 Office 365

Write the same code on the screen and hit verify.

Office 365

When you try to connect with the user that got enabled Multi-Factor Authentication, Office 365 will ask you your password and a verification code from Microsoft.

Office 365And voila, your Mutli-Factor Authentication is set-up! You now have a Password who never expire and need a verification code to sign in!

4 Use a separate Administrator Account for PowerShell Access

What we now can do is create a new Administrator account, which doesn’t have Multi-Factor Authentication enabled and only use for accessing PowerShell.

This administrator account will be disabled unless we explicitly want to use it. For most people this will not be an issue as they only connect to Office 365 using PowerShell once every few weeks.
Create again a user as shown a few steps earlier. Provide a First Name, Last Name and a User Name.

 Office 365

Select the role and provide an email address.

1

At the next screen select ANY of these options and hit Next. Your user is now created with any of the following options.

Office 365

Connect with another user that has Global Administrator rights and edit the user Properties. You can now disable the user login. This means that the PowerShell Global Administrator can only use PowerShell when we want!

 Office 365

 Office 365

Other PowerShell commands

If you want to change this of another user please use the following PowerShell Command

Set-msoluser –UserPrincipalName gokanx@meloon.onmicrosoft.com -PasswordNeverExpires $True

Set a Predefined Password for office 365 user

Set-MsolUserPassword –UserPrincipalName gokanx@meloon.onmicrosoft.com –NewPassword P@ssw0rd -ForceChangePassword $false

Set a Temporary Password for a specific user

Set-MsolUserPassword –UserPrincipalName gokanx@meloon.onmicrosoft.com –NewPassword temPass01  -ForceChangePassword $true

Set a Temporary Password for all office 365 users

Get-MsolUser | Set-MsolUserPassword –NewPassword P@ssw0rd -ForceChangePassword $false

Set Office 365 Password Policy

Set-MsolPasswordPolicy -DomainName meloon.onmicrosoft.com -NotificationDays 720 –ValidityPeriod 730

References

Other Languages

This article is also available in the following languages: