SYNOPSIS
Retrieves and processes user password information from Microsoft Graph, returning details about each user's password such as the last password change date, on-premises sync status, and password policies.
SYNTAX
DESCRIPTION
The Get-MgUserPasswordInfo script collects details such as the user's principal name, last password change date, on-premises sync status, and password policies.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
EXAMPLE 5
PARAMETERS
-UserPrincipalName
Specifies the user principal name(s) of the user(s) for which to retrieve password information.
-OnlyDomainPasswordPolicies
If specified, retrieves password policies for domains only, without retrieving individual user information.
-OnlySyncedUsers
If specified, retrieves password information for synchronized users only (OnPremisesSyncEnabled = $true).
-FilterByDomain
Specifies a domain name to filter users. Only users from the specified domain will be retrieved (excluding guest users).
-IncludeGuestUsers
If specified, includes guest users in the results.
-IncludeExchangeDetails
Includes Exchange Online mailbox details in the output, which is useful for excluding shared mailboxes and similar non-user mailboxes.
-ExportToExcel
(Optional) If specified, exports the results to an Excel file in the user's profile directory.
-SimulatedMaxPasswordAgeDays
An optional parameter that simulates password expiration based on a specified maximum password age in days. If provided, the function calculates a simulated password expiration date and indicates whether the password would be expired under that simulated age.
-OnlyUsersWithForceChangePasswordNextSignIn
If specified, retrieves password information only for users who have ForceChangePasswordNextSignIn set to true.
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
NOTES
Ensure you have the necessary permissions and modules installed to run this script, such as the Microsoft Graph PowerShell module. The script assumes that authentication to Microsoft Graph has already been handled with the Connect-MgGraph function:

Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All', 'OnPremDirectorySynchronization.Read.All'

Password policies for cloud-only users:
  IF PasswordPolicies is 'DisablePasswordExpiration':
    THEN password never expires
  ELSEIF PasswordPolicies is 'None' or null:
    THEN password never expires
  ELSE:
    password expires based on the domain's PasswordValidityPeriodInDays
  ELSE:
    IF domain's PasswordValidityPeriodInDays is 2147483647 or $null:
      THEN password never expires
    ELSE:
      password expires based on the domain's PasswordValidityPeriodInDays

Password policies for synchronized users:
  IF CloudPasswordPolicyForPasswordSyncedUsersEnabled is enabled:
    IF PasswordPolicies is 'None' or $null:
      THEN password expires based on the domain's PasswordValidityPeriodInDays (same as cloud-only users above)
    ELSEIF PasswordPolicies is 'DisablePasswordExpiration':
      THEN password never expires
    ELSE:
      THEN password expires based on the domain's PasswordValidityPeriodInDays (same as cloud-only users above)
  ELSE (CloudPasswordPolicyForPasswordSyncedUsersEnabled is disabled):
    THEN password never expires

Side note: when we want to manually set password policies to follow the domain policies, we need to set PasswordPolicies to 'None' via the Microsoft Graph API, because $null is not accepted.
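The decision table in the notes above, implemented as an added PowerShell example; this is not the Get-MgUserPasswordInfo script's own code. Get-PasswordExpiryState is a pure function over the attributes the notes name (PasswordPolicies, OnPremisesSyncEnabled, LastPasswordChangeDateTime, the domain's PasswordValidityPeriodInDays and the tenant's CloudPasswordPolicyForPasswordSyncedUsersEnabled), so it can be exercised offline with constructed values. Get-UserPasswordExpiryReport is an assumed wrapper that pulls those attributes from Graph with Get-MgUser, Get-MgDomain and Get-MgDirectoryOnPremiseSynchronization, mirrors the -FilterByDomain, -OnlySyncedUsers, -IncludeGuestUsers and -SimulatedMaxPasswordAgeDays switches, and assumes Connect-MgGraph has already been run with the scopes listed in the notes. Where the cloud-only branch of the notes is ambiguous about 'None'/$null, the function follows the side note and the synced-user branch: 'None' defers to the domain's PasswordValidityPeriodInDays, and 2147483647 or $null there means the password never expires.

```powershell
# Added example, not part of the Get-MgUserPasswordInfo script.
# Assumes Connect-MgGraph -Scopes 'User.Read.All','Domain.Read.All','OnPremDirectorySynchronization.Read.All' was run.

function Get-PasswordExpiryState {
    # Pure evaluation of the NOTES decision table for one user. No Graph calls, so it can be
    # exercised offline with hand-built input.
    param(
        [string]             $PasswordPolicies,            # $null, 'None', or e.g. 'DisablePasswordExpiration, DisableStrongPassword'
        [bool]               $OnPremisesSyncEnabled,
        [Nullable[datetime]] $LastPasswordChangeDateTime,
        [Nullable[long]]     $DomainValidityDays,          # domain PasswordValidityPeriodInDays; 2147483647 or $null = never
        [bool]               $CloudPolicyForSyncedUsersEnabled,
        [Nullable[int]]      $SimulatedMaxPasswordAgeDays  # optional what-if age, as with -SimulatedMaxPasswordAgeDays
    )

    # PasswordPolicies is a comma-separated list, so test for the token rather than for equality.
    $disableExpiration = $PasswordPolicies -match 'DisablePasswordExpiration'
    $domainNever = ($null -eq $DomainValidityDays) -or ($DomainValidityDays -eq 2147483647)

    if ($OnPremisesSyncEnabled -and -not $CloudPolicyForSyncedUsersEnabled) {
        $neverExpires = $true;  $reason = 'Synced user and CloudPasswordPolicyForPasswordSyncedUsersEnabled is disabled'
    } elseif ($disableExpiration) {
        $neverExpires = $true;  $reason = 'PasswordPolicies contains DisablePasswordExpiration'
    } elseif ($domainNever) {
        # Assumption: 'None'/$null defers to the domain, as in the side note and the synced-user branch.
        $neverExpires = $true;  $reason = 'Domain PasswordValidityPeriodInDays is 2147483647 or not set'
    } else {
        $neverExpires = $false; $reason = "Domain PasswordValidityPeriodInDays = $DomainValidityDays"
    }

    $expiresOn = $null; $isExpired = $null
    if (-not $neverExpires -and $null -ne $LastPasswordChangeDateTime) {
        $expiresOn = $LastPasswordChangeDateTime.AddDays($DomainValidityDays)
        $isExpired = $expiresOn -lt (Get-Date)
    }
    # The simulated age is evaluated independently of the real policy, as the parameter description states.
    $simExpiresOn = $null; $simExpired = $null
    if ($null -ne $SimulatedMaxPasswordAgeDays -and $null -ne $LastPasswordChangeDateTime) {
        $simExpiresOn = $LastPasswordChangeDateTime.AddDays($SimulatedMaxPasswordAgeDays)
        $simExpired = $simExpiresOn -lt (Get-Date)
    }

    [pscustomobject]@{
        PasswordNeverExpires       = $neverExpires
        Reason                     = $reason
        PasswordExpiresOn          = $expiresOn
        PasswordExpired            = $isExpired
        SimulatedPasswordExpiresOn = $simExpiresOn
        SimulatedPasswordExpired   = $simExpired
    }
}

function Get-UserPasswordExpiryReport {
    # Assumed wrapper (not the script's code): fetches the attributes the notes rely on from Graph
    # and evaluates each user with Get-PasswordExpiryState.
    param(
        [string]        $FilterByDomain,
        [switch]        $OnlySyncedUsers,
        [switch]        $IncludeGuestUsers,
        [Nullable[int]] $SimulatedMaxPasswordAgeDays
    )

    # Domain validity period keyed by lower-case domain name (Domain.Read.All).
    $validityByDomain = @{}
    foreach ($d in Get-MgDomain -All) { $validityByDomain[$d.Id.ToLower()] = $d.PasswordValidityPeriodInDays }

    # Tenant-wide setting that governs synced users (OnPremDirectorySynchronization.Read.All).
    $sync = Get-MgDirectoryOnPremiseSynchronization | Select-Object -First 1
    $cloudPolicyForSynced = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled

    # Push the switches into the Graph $filter so only the needed users come back.
    $clauses = @()
    if ($OnlySyncedUsers)        { $clauses += 'onPremisesSyncEnabled eq true' }
    if (-not $IncludeGuestUsers) { $clauses += "userType eq 'Member'" }
    if ($FilterByDomain)         { $clauses += "endsWith(userPrincipalName,'@$FilterByDomain')" }

    $query = @{
        All      = $true
        Property = 'id','userPrincipalName','lastPasswordChangeDateTime','onPremisesSyncEnabled','passwordPolicies','userType'
    }
    if ($clauses) {
        $query.Filter = $clauses -join ' and '
        # endsWith is an advanced query and needs ConsistencyLevel eventual plus $count.
        $query.ConsistencyLevel = 'eventual'
        $query.CountVariable    = 'userCount'
    }

    foreach ($u in Get-MgUser @query) {
        $upnDomain = ($u.UserPrincipalName -split '@')[-1].ToLower()
        $state = Get-PasswordExpiryState -PasswordPolicies $u.PasswordPolicies `
            -OnPremisesSyncEnabled ([bool]$u.OnPremisesSyncEnabled) `
            -LastPasswordChangeDateTime $u.LastPasswordChangeDateTime `
            -DomainValidityDays $validityByDomain[$upnDomain] `
            -CloudPolicyForSyncedUsersEnabled $cloudPolicyForSynced `
            -SimulatedMaxPasswordAgeDays $SimulatedMaxPasswordAgeDays

        [pscustomobject]@{
            UserPrincipalName     = $u.UserPrincipalName
            OnPremisesSyncEnabled = [bool]$u.OnPremisesSyncEnabled
            PasswordPolicies      = $u.PasswordPolicies
            LastPasswordChange    = $u.LastPasswordChangeDateTime
            PasswordNeverExpires  = $state.PasswordNeverExpires
            PasswordExpiresOn     = $state.PasswordExpiresOn
            PasswordExpired       = $state.PasswordExpired
            SimulatedExpiresOn    = $state.SimulatedPasswordExpiresOn
            Reason                = $state.Reason
        }
    }
}

# Offline check of the decision table with constructed values (no Graph call): a cloud-only user on
# a 90-day domain whose password is 100 days old is reported as expired.
Get-PasswordExpiryState -PasswordPolicies 'None' -OnPremisesSyncEnabled $false `
    -LastPasswordChangeDateTime (Get-Date).AddDays(-100) -DomainValidityDays 90 `
    -CloudPolicyForSyncedUsersEnabled $false

# Live report, e.g. synced members of one domain with a 90-day what-if age:
# Get-UserPasswordExpiryReport -FilterByDomain 'contoso.com' -OnlySyncedUsers -SimulatedMaxPasswordAgeDays 90
```

Two details matter in practice: PasswordPolicies can carry several comma-separated values, so matching on the DisablePasswordExpiration token rather than comparing the whole string avoids missing users who also have DisableStrongPassword set; and a domain with no expiry configured reports PasswordValidityPeriodInDays as 2147483647 (or returns nothing), which the function treats as "never expires" rather than computing an expiry date billions of days out.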