Azure AD Disable Password Expiration

Imagine you had a specific user set up (a service account) to run all your Azure Automation runbooks. Then all of a sudden things stopped working: no runbooks ran anymore. You troubleshoot and find that the password of the Azure AD account used in your runbooks has expired.

By default, when you create an Azure AD account its password is set to expire, and if you try to log on in PowerShell with an account whose password has expired, this is what you see:

Login-AzureRmAccount : AADSTS50055: Password is expired

Previously this was fixed using the old MSOLUser cmdlets:

Set-MsolUser -UserPrincipalName powershell@<tenant>.onmicrosoft.com -PasswordNeverExpires $True

This can now be easily fixed with the new Azure AD PowerShell module. The script below walks you through the process.

As a tip, you can get the Tenant ID when logging on to Azure in PowerShell using Login-AzureRmAccount, or when selecting a particular Azure subscription with Select-AzureRmSubscription. However, this only logs you into your Azure subscription, not Azure AD, which is why the script below runs Connect-AzureAD separately to log on to Azure AD.


# Install the new Azure AD module – run PowerShell as administrator
Install-Module AzureAD
$user = "powershell"
# Connect to Azure AD (the tenant ID shown here is a placeholder)
Connect-AzureAD -TenantId 'h8c94336-3a68-12d7-h456-736458936j21'
# Get & see the current password policy – a policy might already be set
(Get-AzureADUser -SearchString $user).PasswordPolicies
# Add the password policy that disables password expiration
Get-AzureADUser -SearchString $user | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration
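As an added example (not part of the original post), the same change done more defensively: the account is resolved by its exact UPN rather than a SearchString match, any policy already set on the user is preserved, the result is verified by re-reading the user, and a second function lists every user whose password no longer expires so the exception stays auditable. The tenant ID and UPN are placeholders.

```powershell
# Added example: scoped change plus audit of non-expiring passwords in Azure AD.
# Assumed placeholders: '<your-tenant-id>' and the service account UPN.
Import-Module AzureAD
Connect-AzureAD -TenantId '<your-tenant-id>'

function Set-PasswordNeverExpires {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # -ObjectId accepts a UPN and resolves exactly one user (it errors if none exists),
    # so the change cannot spill over to other accounts that merely contain the same text.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    Write-Host "Before: $($user.UserPrincipalName) PasswordPolicies = [$($user.PasswordPolicies)]"

    # -PasswordPolicies replaces the whole comma-separated value, so merge with what is
    # already set (e.g. DisableStrongPassword) instead of silently dropping it.
    $existing = @($user.PasswordPolicies -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
    $merged   = (@($existing + 'DisablePasswordExpiration') | Select-Object -Unique) -join ', '
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies $merged

    # Re-read the object and verify rather than trusting that the cmdlet succeeded.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    if ($after.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
        throw "DisablePasswordExpiration was not applied to $UserPrincipalName"
    }
    Write-Host "After:  $($after.UserPrincipalName) PasswordPolicies = [$($after.PasswordPolicies)]"
}

function Get-NonExpiringPasswordUsers {
    # A non-expiring password is a standing credential; keep an inventory of who has one.
    Get-AzureADUser -All $true |
        Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
        Select-Object UserPrincipalName, DisplayName, AccountEnabled, PasswordPolicies
}

Set-PasswordNeverExpires -UserPrincipalName 'powershell@<tenant>.onmicrosoft.com'
Get-NonExpiringPasswordUsers | Format-Table -AutoSize
```

Run the audit function on its own periodically; any account that appears in its output and is not a known service account is worth a closer look.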

One Comment

  1. Thanks for the help, I hope one day they will do the same for MFA settings. The MSOL cmdlets are the worst thing I have ever been forced to deal with.
