Monitor Soon-to-Expire Passwords with Graph PowerShell [2025 Guide]

Ensuring that user passwords are regularly updated is a critical aspect of maintaining security in any organization. With Microsoft 365, administrators can use Graph PowerShell to automate the monitoring of password expiration. This article provides a PowerShell script that lists users whose passwords are soon to expire, explains how the script works, discusses potential enhancements, and addresses possible errors and solutions.


PowerShell Script to List Users with Soon-to-Expire Passwords

Below is the PowerShell script to list users whose passwords are expiring soon:

# Ensure the Microsoft Graph PowerShell module is installed and imported
Install-Module -Name Microsoft.Graph -Force -AllowClobber
Import-Module Microsoft.Graph

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All"

# Define the number of days before password expiration to alert
$daysBeforeExpiration = 14

# Password validity period in days. Assumption: 90 is a sample value; set it to
# your tenant's password expiration policy. Graph's PasswordProfile carries no
# expiration date, so the date is derived from LastPasswordChangeDateTime below.
$passwordValidityDays = 90

# Get the current date
$currentDate = Get-Date

# Calculate the alert date
$alertDate = $currentDate.AddDays($daysBeforeExpiration)

# Retrieve all users with their password expiration details
$users = Get-MgUser -All -Property DisplayName, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime

# Filter users whose passwords are expiring soon
# (accounts flagged DisablePasswordExpiration never expire and are skipped)
$soonToExpireUsers = $users | Where-Object {
    $_.LastPasswordChangeDateTime -and
    ($_.PasswordPolicies -notmatch 'DisablePasswordExpiration') -and
    ($_.LastPasswordChangeDateTime.AddDays($passwordValidityDays) -lt $alertDate)
}

# Display the users with soon-to-expire passwords
$soonToExpireUsers | Select-Object DisplayName, UserPrincipalName, @{Name="PasswordExpirationDate";Expression={$_.LastPasswordChangeDateTime.AddDays($passwordValidityDays)}}

How the Script Works

  1. Installing and Importing Microsoft Graph Module: The script starts by ensuring that the Microsoft Graph PowerShell module is installed and imported. This module allows you to interact with Microsoft 365 services using PowerShell.
  2. Connecting to Microsoft Graph: It connects to Microsoft Graph using the Connect-MgGraph cmdlet with the necessary scopes to read user properties.
  3. Defining the Alert Period: The script defines a variable $daysBeforeExpiration to specify how many days before the password expiration users should be alerted.
  4. Calculating the Alert Date: It calculates the date by which passwords should be expiring to fall within the alert period using the current date and the defined alert period.
  5. Retrieving Users: The script retrieves all users from Microsoft 365, including their password expiration details.
  6. Filtering Users: It filters the users to find those whose passwords are expiring within the alert period.
  7. Displaying Results: Finally, the script displays the users whose passwords are soon to expire, including their display name, user principal name, and password expiration date.

Enhancements

The script can be further enhanced in several ways:

  • Email Notifications: Send email notifications to users whose passwords are soon to expire.
  • Logging: Log the results to a file or a database for historical tracking and auditing purposes.
  • Customizable Alert Period: Allow the alert period to be passed as a parameter to the script for greater flexibility.
  • Error Handling: Add more robust error handling to manage potential issues during execution.
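
The following is an added example, not part of the original script: it combines the customizable alert period and logging enhancements, derives each expiration date from LastPasswordChangeDateTime, and skips accounts exempt from expiration. Get-PasswordExpiryReport is a hypothetical helper name, the 90-day validity period is an assumption to replace with your tenant's policy, and the sample records are constructed so the block runs without a Graph connection.

```powershell
# Added example (not from the original article). Get-PasswordExpiryReport is a
# hypothetical helper; in production pass it the output of
# Get-MgUser -All -Property DisplayName,UserPrincipalName,PasswordPolicies,LastPasswordChangeDateTime
function Get-PasswordExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [ValidateRange(1, 365)] [int] $DaysBeforeExpiration = 14,
        # Assumption: the tenant's password validity period, in days
        [ValidateRange(1, 730)] [int] $PasswordValidityDays = 90,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        # Accounts flagged DisablePasswordExpiration never expire; skip them
        if ($u.PasswordPolicies -match 'DisablePasswordExpiration') { continue }
        # No recorded password change means there is nothing to compute
        if (-not $u.LastPasswordChangeDateTime) { continue }

        $expires  = $u.LastPasswordChangeDateTime.AddDays($PasswordValidityDays)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -gt $DaysBeforeExpiration) { continue }

        [pscustomobject]@{
            DisplayName            = $u.DisplayName
            UserPrincipalName      = $u.UserPrincipalName
            PasswordExpirationDate = $expires
            DaysLeft               = $daysLeft
            Status                 = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiringSoon' }
        }
    }
}

# Constructed sample records standing in for Get-MgUser output
$asOf = [datetime]'2025-06-01'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alex Doe';   UserPrincipalName = 'alex@contoso.example';       PasswordPolicies = $null;                       LastPasswordChangeDateTime = [datetime]'2025-03-10' }
    [pscustomobject]@{ DisplayName = 'Sam Roe';    UserPrincipalName = 'sam@contoso.example';        PasswordPolicies = 'None';                      LastPasswordChangeDateTime = [datetime]'2025-02-01' }
    [pscustomobject]@{ DisplayName = 'Kim Poe';    UserPrincipalName = 'kim@contoso.example';        PasswordPolicies = $null;                       LastPasswordChangeDateTime = [datetime]'2025-05-20' }
    [pscustomobject]@{ DisplayName = 'svc-backup'; UserPrincipalName = 'svc-backup@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration'; LastPasswordChangeDateTime = [datetime]'2024-01-01' }
)

$report = Get-PasswordExpiryReport -Users $sample -DaysBeforeExpiration 14 -Now $asOf
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Logging: write one dated CSV per run for historical tracking and auditing
$report | Export-Csv -Path ".\password-expiry-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Accounts exempt from expiration, such as the constructed svc-backup record, never appear in this report, so review them separately.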

Possible Errors & Solutions

Permission Issues:

Error: "Insufficient privileges to complete the operation."

Solution: Ensure the account running the script has the necessary permissions to read user properties in Microsoft 365. The User.Read.All scope is required.

Module Not Found:

Error: "The term 'Install-Module' is not recognized."

Solution: Ensure that PowerShellGet is installed and updated. Run Install-Module -Name PowerShellGet -Force -AllowClobber.

Connection Issues:

Error: "Could not connect to Microsoft Graph."

Solution: Verify that the network connection is stable and that the credentials provided have the necessary access.

Null Password Expiration Dates:

Error: "Property 'PasswordExpirationDate' cannot be found."

Solution: Ensure that the users have password policies applied. Users without password expiration policies might not have this property set.


Conclusion

Using Graph PowerShell to monitor soon-to-expire passwords is an efficient way to ensure users are prompted to update their passwords, enhancing the security of your organization. This script provides a straightforward solution, and with further enhancements, it can be integrated into broader administrative processes. By addressing potential errors and providing solutions, administrators can effectively manage and monitor password expirations in Microsoft 365.


© m365corner.com. All Rights Reserved.