Export Office 365 Users’ Last Password Change Date to CSV

Microsoft 365 users’ last password change date can be retrieved from the LastPasswordChangeTimeStamp attribute. Using PowerShell, we can quickly get this detail from Get-MsolUser and Get-MgUsercmdlet.

You can use below PowerShell code to export password last change date to CSV.

Since Azure AD and MSol PowerShell modules were officially deprecated, admins need to switch to the Microsoft Graph PowerShell cmdlets like Get-MgUser or Get-MgBetaUser to get last password change date.

However, determining a password expiry date can be challenging. Since each domain (and a tenant can have multiple domains) can have a different password policy, identifying M365 users’ password expiry dates is tricky. You need to calculate the user’s password expiry date by comparing it with the domain’s password policy.

To ease your work, we have developed a PowerShell script that will solve all your password-related queries. Yes, an All-in-One PowerShell script! This script helps manage M365 users’ passwords with 7+ different password reports.

• A single script allows you to generate 7+ password reports.
• Exports all users and their last password change and expiry date.
• Helps to find password never expires users.
• Exports password expired users.
• Identifies soon-to-expire password users.
• Helps to track recent password changers.
• Filters result to display all or licensed users alone
• Filters result to display all or sign-in enabled users alone
• The script installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
• It can be executed with certificate-based authentication (CBA) too.
• The script can be executed with MFA enabled accounts too
• Exports output to CSV

Download Script: PasswordExpiryReport.ps1

The output of the password expiry report contains the most essential attributes like

• Display Name
• User Principal Name
• Password last Change Date
• Password Since Last Set (Password Age)
• Password Expiration Date
• Friendly Expiry Time
• Days Since Expiry/Days to Expiry
• License Status
• Sign-in Status
• Last sign-in Date
• Inactive Days

1. Download the script.
2. Start the Windows PowerShell.
3. Run the script directly or pass built-in filtering params based on your requirement.

To list all Microsoft 365 users and their date of last password change, download the above script and execute as follows.

The exported report will contain password details of all the users (excluding external users).

As said earlier, you can use this PowerShell script for multiple use-cases. I.e., you can generate multiple password reports using this script. We have listed a few significant reports.

1. Get Office 365 users’ password expiration date report
2. View soon-to-expire password users
3. Export password expired users report
4. List M365 users whose Password set to never expires
5. Get Password expiry report for enabled users
6. Check password last change time and expiry date for licensed users
7. Find recently password changed users
8. Export more granular password status reports
9. Schedule password expiry report

Retrieving password expiry date helps you to send a quick reminder to the password about to expire users. So, you can prevent users from account locking.

To retrieve all azure ad users with their password expiry date, run the script as follows.

The exported report lists all Office 365 users’ password expiration date and password last change date.

Tips: Accounts with passwords that have not been changed for a long time may be at higher risk of being compromised. Admins can proactively address these risks by prompting users to update their passwords.

The soon-to-expire password users report allows you to generate a report based on the number of days remaining until password expiry. With this report, you can identify passwords that are about to expire and remind users to change their passwords by sending password expiry notifications.

To view users with soon-to-expire password, run the script using the ‘SoonToExpire‘ param with number of days.

The above format exports a list of users whose passwords are about to expire in 7 days.

Note: Soon to expire password report doesn’t include password expired users.

To list users whose password has expired, run the script with ‘PwdExpired‘ switch param. By using this report, you can notify users about password expiry. Also, you can identify inactive users through their password expiry status.

The above script exports all password expired users available in the Microsoft 365 organization.

Tip: You can enable self-service password reset (SSPR) in M365 to assist users who forget their passwords or when their passwords expire. With SSPR, users can reset their passwords by verifying their identity, reducing the number of helpdesk calls for password resets. You can generate SSPR status report to verify users self service password reset status.

Using ‘PwdNeverExpires‘ switch, you can retrieve users whose password set to never expire.

Note: Microsoft recommends to set password never expires to prevent unneeded password change. Because when users forced to change their password, often they choose a small, predictable alteration to their existing password or reusing their old passwords.

Tip: Admins can also ban custom password usage to prevent users from using guessable passwords.

Most organizations don’t delete terminated user accounts; instead, they disable them as part of Microsoft 365 offboarding best practices. In such cases, ignoring disabled users is a wise choice. To view the password last change date for only sign-in enabled users, run the script with the ‘EnabledUsersOnly‘ param.

The above format exports password details of all the sign-in enabled users and ignores the sign-in disabled users.

While automating the M365 offboarding process, licenses will be removed from users. In some cases, admins may need to focus solely on user accounts, disregarding shared and room mailboxes, which typically don’t have licenses. To address this scenario, we have developed a script with the ‘LicensedUsersOnly’ parameter.

By using –LicensedUserOnly switch, you can export licensed users’ password related attributes like password last change date, password age, password expiration date, days to password expiry, etc.

The exported report will contain all licensed users and their password details.

By keeping track of recent password changes, admins can quickly identify any unusual activity and take appropriate action if needed. To get a list of recent password changers report, run the script with ‘RecentPwdChanges‘ param. You can pass the number of days in –RecentPwdChanges param.

The above script will export a list of users who changed their password in the past 7 days.

To get a more granular password report, you can use multiple filters together. For example,

The above script will export all licensed users whose password was expired.

To automate the script execution, you can use certificates for authentication. Depending on your requirements, you can choose to use a certificate authority (CA) or create a self-signed certificate, which is cost-effective.

The script can be executed with Certificate-based Authentication(CBA) by specifying the TenantId, ClientId, and CertificateThumbPrint parameters in the following format:

This format can also be used to schedule the script as a scheduled task in the Windows Task Scheduler.

However, it’s important to note that before using certificate-based authentication, you must register an app in Azure AD. You can also automate these processes—app registration, creating a certificate, and connecting to MS Graph using the certificate—via PowerShell by downloading the PowerShell script: automate app-only access

With AdminDroid’s Microsoft 365 password reports, admins can obtain complete statistics on passwords which include never expired accounts, admins with expired passwords, password soon-to-expires, password never changed accounts, password changes and more.

AdminDroid Free Microsoft 365 reporting tool offers 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting.

Additionally, AdminDroid provides 1800+ pre-built reports and 30+ smart visually appealing dashboards to know about your Microsoft 365 services like Azure AD, Exchange Online, SharePoint Online, MS Teams, OneDrive, OneNote and more at a glance. This tool provides reports on Microsoft 365 reporting, auditing, analytics, usage statistics, security & compliance, etc. Download AdminDroid Office 365 reporting tool and gain complete control over your M365 organization.

I hope this blog is useful to generate M365 users’ last password change date report. If you want to add more password-related attributes, let us know through the comment section.