Imagine you had a specific user setup (a service account) to run all your Azure Automation runbooks. Then all of a sudden things stopped working, no runbooks worked anymore. You then troubleshoot and find that the password for the Azure AD account used in your runbooks has expired.
By default when creating Azure AD account the password is set to expire and if you try to logon to PowerShell with an account which has an expired password, this is what you would see:
Login-AzureRmAccount : AADSTS50055: Password is expired
Previously this was fixed using the old MSOLUser cmdlets:
Set-MsolUser -UserPrincipalName powershell@<tenant>.onmicrosoft.com -PasswordNeverExpires $True
This can now be easily fixed with the new Azure AD PowerShell module. The script below walks you through the process.
As a tip, you can get the Tenant ID when logging on to Azure in PowerShell using Login-AzureRmAccount or selecting a particular Azure subscription Select-AzureRmSubscription. However, this only logs you into your Azure subscription, not Azure AD, why you have to run the cmdlet below Connect-AzureAD in the script separately to logon to Azure AD.
| # Install the new Azure AD module – as administrator | |
| Install-Module AzureAD | |
| $user = "powershell" | |
| # Connect to the AzureAD | |
| Connect-AzureAD –TenantId 'h8c94336-3a68-12d7-h456-736458936j21' | |
| # Get & see the Password Policy – it might exist already | |
| (Get-AzureADUser –SearchString $user).PasswordPolicies | |
| # Add the password policy to Disable Password Expiration | |
| Get-AzureADUser –SearchString $user | Set-AzureADUser –PasswordPolicies DisablePasswordExpiration |
Thanks for the help, I hope one day they will do the same for MFA settings. The MSOL cmdlets are the worst thing I have ever been forced to deal with.