Summary: Use Windows PowerShell to force Office 365 online users to change their passwords.
Hey, Scripting Guy! I used your technique from yesterday to create a bunch of Office 365 users online, and now I want to force them to change their passwords. If I could also make them use a complex password, that would be great. Can you help me out Oh, Scripting One?
—SW
Hello SW,
Microsoft Scripting Guy, Ed Wilson, is here. Things are becoming interesting around the Scripting House this week. This is because yours truly, the Scripting Guy, has a birthday coming up in a few weeks. It is always fun trying to figure out what the Scripting Wife is going to do for my birthday. One time, she lured me into the Smokey Mountains and invited a bunch of my friends from Cincinnati for a surprise birthday party. She really pulled it off, and I had no idea until my friends began to show up at the cabin. Now, I certainly am not expecting a surprise birthday party in the Smokey Mountains, but who knows. She gets pretty creative sometimes. So far, I haven’t a clue.
I am sitting on our front porch, sipping a cup of Hawaiian organic tea, and using my Surface 2 Pro to peruse the scripter@microsoft.com email. SW, I ran across your email, and I thought it would be a great follow-up to yesterday’s Hey, Scripting Guy! Blog post.
Note You should read yesterday's post, Use PowerShell to Create Bulk Users for Office 365, before you begin today's post.
Second things first
After I connect to my Office 365 tenant installation by using the Azure Active Directory (Azure AD) module (see yesterday’s post to learn about this technique), I can force my users to use a strong password. To do this, I use the Set-MSOlUser cmdlet. Here is the syntax for that cmdlet:
The StrongPasswordRequired parameter is a Boolean parameter—On/Off, True/False, Yes/No, Wax on/Wax off.
I am going to use the same CSV file that I used yesterday to make my password modifications. One advantage to using a CSV file for user creation is it can also be used for user management. To force all the users to use a strong password, I use the following commands:
$users = Import-Csv C:\fso\Office365Users.CSV
$users |
foreach { Set-MsolUser -UserPrincipalName $_.userprincipalname -StrongPasswordRequired:$true}
The first command reads my CSV file into a variable named $users. The second command pipes the objects in the $users cmdlet to the Foreach-Object cmdlet, and then inside script block, I use the Set-MSOlUser cmdlet to force each user to use a strong password.
Now I need to verify that the command worked. To do this, I use the following command:
$users |
foreach {Get-MsolUser -UserPrincipalName $_.userprincipalname | select displayname, strongpasswordrequired}
Here I use the same $users variable, and I pipe the objects to the Foreach-Object cmdlet. Inside the script block, I call the Get-MSOlUser cmdlet for each of the users. I display the DisplayName and the StrongPasswordRequired properties.
The two commands and their associated output are shown in the following image:
Force a password change
There is a specific user password cmdlet. It is the Set-MSOlUserPassword cmdlet. It provides the ability to set a new password and to force a password change. The syntax is shown here:
The syntax to force a password is very similar to the command I used earlier to force all the users to use a strong password. It is shown here:
$users |
foreach { Set-MsolUserPassword -UserPrincipalName $_.userPrincipalName -ForceChangePassword:$true}
Combine both commands
Instead of running two commands, I can combine the two commands as follows:
$users |
foreach {
Set-MsolUserPassword -UserPrincipalName $_.userPrincipalName -ForceChangePassword:$true;
Set-MsolUser -UserPrincipalName $_.userprincipalname -StrongPasswordRequired:$true}
Note This is a single command that I broke up into multiple lines for easier reading.
In all of this, I have not felt the need to write a single Windows PowerShell script. But I could just as easily copy and paste everything into the following single script:
Get-Credential "admin@ScriptingGuy.OnMicrosoft.Com" |
Export-Clixml C:\fso\ScriptingGuyCredential.xml
$cred = Import-Clixml C:\fso\ScriptingGuyCredential.xml
Connect-MsolService -Credential $cred
$users = Import-Csv C:\fso\Office365Users.CSV
$users |
foreach {
Set-MsolUserPassword -UserPrincipalName $_.userPrincipalName -ForceChangePassword:$true
Set-MsolUser -UserPrincipalName $_.userprincipalname -StrongPasswordRequired:$true}
Here is a better formatted version of the script.
SW, that is all there is to using Windows PowerShell to force your Office 365 users to change their passwords and to make them use complex passwords. Office 365 Week will continue tomorrow when I will talk about more cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy
0 comments