Export Office 365 Users’ Last Password Change Date to CSV

Office 365 users’ last password change date can be retrieved from the LastPasswordChangeTimeStamp attribute. Using PowerShell, we can quickly get this attribute from Get-MsolUser cmdlet.

You can use below PowerShell code to export password last change date to CSV.

Since Azure AD and MSol PowerShell modules are under deprecation, admins need to switch to the Microsoft Graph PowerShell cmdlets like Get-MgUser or Get-MgBetaUser to get last password change date.

But, getting a password expiry date is a bit difficult. Since each domain (a tenant can have multiple domains) can have a different password policy, getting Office 365 users’ password expiry date is tricky. You need to calculate the user’s Password expiry date by comparing user’s domain-password-policy.

To ease your work, we have developed a PowerShell script that will solve all your password related queries. Yes! All-in-One PowerShell script. A single script can generate seven different password reports to manage M365 user’s Password.

Script Highlights:

• A single script allows you to generate 7 different password reports.
• The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
• It can be executed with certificate-based authentication (CBA) too.
• The script can be executed with MFA enabled accounts too
• Exports output to CSV
• You can filter result to display Licensed users alone
• The script is scheduler friendly. I.e., Credential can be passed as a parameter instead of saving inside the script.

Download Script: PasswordExpiryReport.ps1

Sample Output:

The output of the password expiry report contains the most essential attributes like Display Name, User Principal Name, Password last Change Date, Password Since Last Set (Password Age), Password Expiry Date, Friendly Expiry Time, License Status and Days Since Expiry/Days to Expiry.

To list all Office 365 users and their date of last password change date, download the above script and execute as follows.

As said earlier, you can use this PowerShell script for multiple use-cases. I.e., you can generate multiple password reports using this script. We have listed a few significant reports.

• Get Office 365 users Password expiration date report
• Export Office 365 password expired users report
• List Office 365 users whose Password set to never expires
• Check all licensed users’ password last change time and expiry date
• Get Password expiry report for enabled users
• Soon to expire password users report
• Recent password changers report

Retrieving password expiry date helps you to send a quick reminder to the password about to expire users. So, you can prevent users from account locking.

To retrieve all azure ad users with their password expiry date, run the script as follows.

The exported report lists all Office 365 users’ password expiration date and password last change date.

Soon to expire password users report allows you to generate a report based on a number of days available for password expiry, I.e., passwords going to expire. With the help of a soon-to-expire password report, you can remind users to change their password by sending password expiry notification.

Run the script with –SoonToExpire param with X number of days.

The above script exports all users whose password will expire in 7 days.

Note: Soon to expire password report doesn’t include password expired users.

To list users whose password has expired, run the script with –PwdExpired switch param. By using this report, you can notify users about password expiry.

The above script exports all password expired users available in the Office 365 tenant.

Using –PwdNeverExpires switch, you can retrieve users whose password set to never expire.

Note: Microsoft recommends to set “Password Never Expires” to prevent unneeded password change. Because when users forced to change their password, often they choose a small, predictable alteration to their existing password or reusing their old passwords.

Most organizations won’t delete terminated user accounts; instead, they will unlicense them. When running a password expiry report, getting old/terminated user accounts is unnecessary. In that case, you can ignore unlicensed users.

By using –LicensedUserOnly switch, you can export licensed users’ password related attributes like password last change date, password age, password expiry date, days to password expiry, etc.

You can also refer our dedicated blog on Office 365 users’ detailed license report.

To view password last change date for sign-in enabled users alone, run the script with -EnabledUsersOnly param.

The above format processes all the users and ignores the sign-in disabled users.

To get a list of recent password changers report, run the script with –RecentPwdChanges param. You can pass the number of days in –RecentPwdChanges param.

The above script will export a list of users who changed their password in the past 7 days.

To get a more granular password report, you can use multiple filters together. For example,

The above script will export all licensed users whose password was expired.

To automate the script execution, you can use certificates for authentication. Depending on your requirements, you can choose to use a certificate authority (CA) or create a self-signed certificate, which is more cost-effective.

The script can be executed with Certificate-based Authentication(CBA) by specifying the TenantId, ClientId, and CertificateThumbprint parameters in the following format:

This format can also be used to schedule the PowerShell script as a scheduled task in the Windows Task Scheduler.

However, it’s important to note that before using certificate-based authentication, you must register an app in Azure AD. To register an Azure app and obtain certificates, you can refer to the connect MS Graph with certificate blog, which provides detailed instructions for manual or automated setup depending on your needs.

With AdminDroid’s Microsoft 365 password reports, admins can obtain complete statistics on passwords which include never expired accounts, admins with expired passwords, password soon-to-expires, password never changed accounts, password changes and more.

AdminDroid Free Microsoft 365 reporting tool offers 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting.

Additionally, AdminDroid provides 1600+ pre-built reports and 30+ smart visually appealing dashboards to know about your Microsoft 365 services like Azure AD, Exchange Online, SharePoint Online, MS Teams, OneDrive, OneNote and more at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc. Download AdminDroid Office 365 reporting tool and gain complete control over your M365 organization.

I hope this blog is useful to generate M365 users’ last password change date report. Plus, you can also export self-service password reset status reports using PowerShell. If you want to add more password-related attributes, let us know through the comment section.