Updated 5 months ago

Export Office 365 Users’ Last Password Change Date to CSV

by Kathy Cooper

6 min read

No Comments

Microsoft 365 users’ last password change date can be retrieved from the LastPasswordChangeTimeStamp attribute. Using PowerShell, we can quickly get this detail from Get-MsolUser and Get-MgUsercmdlet.

You can use below PowerShell code to export password last change date to CSV.

Since Azure AD and MSol PowerShell modules were officially deprecated, admins need to switch to the Microsoft Graph PowerShell cmdlets like Get-MgUser or Get-MgBetaUser to get last password change date.

However, determining a password expiry date can be challenging. Since each domain (and a tenant can have multiple domains) can have a different password policy, identifying M365 users’ password expiry dates is tricky. You need to calculate the user’s password expiry date by comparing it with the domain’s password policy.

To ease your work, we have developed a PowerShell script that will solve all your password-related queries. Yes, an All-in-One PowerShell script! This script helps manage M365 users’ passwords with 7+ different password reports.

Script Highlights:

  • A single script allows you to generate 7+ password reports.
  • Exports all users and their last password change and expiry date.
  • Helps to find password never expires users.
  • Exports password expired users.
  • Identifies soon-to-expire password users.
  • Helps to track recent password changers.
  • Filters result to display all or licensed users alone
  • Filters result to display all or sign-in enabled users alone
  • The script installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
  • It can be executed with certificate-based authentication (CBA) too.
  • The script can be executed with MFA enabled accounts too
  • Exports output to CSV

Download Script: PasswordExpiryReport.ps1

M365 Password Expiry Date Report- Sample Output

The output of the password expiry report contains the most essential attributes like

  • Display Name
  • User Principal Name
  • Password last Change Date
  • Password Since Last Set (Password Age)
  • Password Expiration Date
  • Friendly Expiry Time
  • Days Since Expiry/Days to Expiry
  • License Status
  • Sign-in Status
  • Last sign-in Date
  • Inactive Days

M365 users password expiry report

Export Password Last Change Date Report – Script Execution Steps

  1. Download the script.
  2. Start the Windows PowerShell.
  3. Run the script directly or pass built-in filtering params based on your requirement.

To list all Microsoft 365 users and their date of last password change, download the above script and execute as follows.

The exported report will contain password details of all the users (excluding external users).

Unlock Full Potential of “M365 Password Expiry Report” PowerShell Script

As said earlier, you can use this PowerShell script for multiple use-cases. I.e., you can generate multiple password reports using this script. We have listed a few significant reports.

  1. Get Office 365 users’ password expiration date report
  2. View soon-to-expire password users
  3. Export password expired users report
  4. List M365 users whose Password set to never expires
  5. Get Password expiry report for enabled users
  6. Check password last change time and expiry date for licensed users
  7. Find recently password changed users
  8. Export more granular password status reports
  9. Schedule password expiry report

1. Export Microsoft 365 Users’ Password Expiration Date

Retrieving password expiry date helps you to send a quick reminder to the password about to expire users. So, you can prevent users from account locking.

To retrieve all azure ad users with their password expiry date, run the script as follows.

The exported report lists all Office 365 users’ password expiration date and password last change date.

Tips: Accounts with passwords that have not been changed for a long time may be at higher risk of being compromised. Admins can proactively address these risks by prompting users to update their passwords.

2. Find Soon-to-Expire Password Users in Microsoft 365

The soon-to-expire password users report allows you to generate a report based on the number of days remaining until password expiry. With this report, you can identify passwords that are about to expire and remind users to change their passwords by sending password expiry notifications.

To view users with soon-to-expire password, run the script using the ‘SoonToExpire param with number of days.

The above format exports a list of users whose passwords are about to expire in 7 days.

Note: Soon to expire password report doesn’t include password expired users.

3. View Password Expired Users using PowerShell

To list users whose password has expired, run the script with ‘PwdExpired switch param. By using this report, you can notify users about password expiry. Also, you can identify inactive users through their password expiry status.

The above script exports all password expired users available in the Microsoft 365 organization.

Tip: You can enable self-service password reset (SSPR) in M365 to assist users who forget their passwords or when their passwords expire. With SSPR, users can reset their passwords by verifying their identity, reducing the number of helpdesk calls for password resets. You can generate SSPR status report to verify users self service password reset status.

4. Get a List of Users with Password Never Expires

Using ‘PwdNeverExpires switch, you can retrieve users whose password set to never expire.

Note: Microsoft recommends to set password never expires to prevent unneeded password change. Because when users forced to change their password, often they choose a small, predictable alteration to their existing password or reusing their old passwords.

Tip: Admins can also ban custom password usage to prevent users from using guessable passwords.

5. Get Password Expiry Report for Sign-in Enabled Users

Most organizations don’t delete terminated user accounts; instead, they disable them as part of Microsoft 365 offboarding best practices. In such cases, ignoring disabled users is a wise choice. To view the password last change date for only sign-in enabled users, run the script with the ‘EnabledUsersOnly‘ param.

The above format exports password details of all the sign-in enabled users and ignores the sign-in disabled users.

6. Get Microsoft 365 Password Last Change Date and Expiry Date for Licensed Users

While automating the M365 offboarding process, licenses will be removed from users. In some cases, admins may need to focus solely on user accounts, disregarding shared and room mailboxes, which typically don’t have licenses. To address this scenario, we have developed a script with the ‘LicensedUsersOnly’ parameter.

By using –LicensedUserOnly switch, you can export licensed users’ password related attributes like password last change date, password age, password expiration date, days to password expiry, etc.

The exported report will contain all licensed users and their password details.

7. Export Recently Password Changed Users Report

By keeping track of recent password changes, admins can quickly identify any unusual activity and take appropriate action if needed. To get a list of recent password changers report, run the script with ‘RecentPwdChanges param. You can pass the number of days in –RecentPwdChanges param.

The above script will export a list of users who changed their password in the past 7 days.

8. Export More Granular Password Status Report

To get a more granular password report, you can use multiple filters together. For example,

The above script will export all licensed users whose password was expired.

9. Execute the Script with Certificate (Scheduler-friendly)

To automate the script execution, you can use certificates for authentication. Depending on your requirements, you can choose to use a certificate authority (CA) or create a self-signed certificate, which is cost-effective.

The script can be executed with Certificate-based Authentication(CBA) by specifying the TenantId, ClientId, and CertificateThumbPrint parameters in the following format:

This format can also be used to schedule the script as a scheduled task in the Windows Task Scheduler.

However, it’s important to note that before using certificate-based authentication, you must register an app in Azure AD. You can also automate these processes—app registration, creating a certificate, and connecting to MS Graph using the certificate—via PowerShell by downloading the PowerShell script: automate app-only access

Secure Your Organization with AdminDroid’s Password Reports:

With AdminDroid’s Microsoft 365 password reports, admins can obtain complete statistics on passwords which include never expired accounts, admins with expired passwords, password soon-to-expires, password never changed accounts, password changes and more.

Microsoft 365 password report by AdminDroid

Why AdminDroid is top choice for Microsoft 365 password reporting?
  • Schedules and sends password reports to email
  • Exports data in various formats, such as CSV, HTML, PDF, etc.
  • Filters data to generate fine-grained password reports, such as licensed users, admin roles, sign-in status, etc.
  • Visualizes report data to charts/AI generated graphs
  • Manages multiple tenants
  • User friendly UI
  • Triggers alerts for critical password activities like admin password resets
  • Users, licenses, password changes and other 120+ Azure AD reports available in Free Edition itself.

AdminDroid Free Microsoft 365 reporting tool offers 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting.

AdminDroid Office 365 password dashboard

Additionally, AdminDroid provides 1800+ pre-built reports and 30+ smart visually appealing dashboards to know about your Microsoft 365 services like Azure AD, Exchange Online, SharePoint Online, MS Teams, OneDrive, OneNote and more at a glance. This tool provides reports on Microsoft 365 reporting, auditing, analytics, usage statistics, security & compliance, etc. Download AdminDroid Office 365 reporting tool and gain complete control over your M365 organization.

I hope this blog is useful to generate M365 users’ last password change date report. If you want to add more password-related attributes, let us know through the comment section.

Share article