We’ve all been there dealing with user account lockouts because they forgot to update their passwords before expiration😓. Many organizations enforce password expiration policies to tighten security, but getting users to update them on time can be challenging. So, how do you avoid the hassle of unexpected lockouts? Simple – send automated password expiry notifications to remind users before their password expires!
In this blog, we’ll walk you through how to set up email notifications for upcoming password expiry in Microsoft 365.
Configure Email Reminders for Password Expiry using PowerShell
Reminding users to change their password before it expires is hard with native tooling alone, because Entra ID exposes no direct way to read a user's password expiration date.
Therefore, we have developed a PowerShell script that automatically sends reminders to users, keeping them informed of their password expiration dates and prompting them to update on time.
No more scrambling to remember that exact date and update the password. Let’s dive into how to set up email notifications for password expiration using the PowerShell script.
Script Highlights:
- Sends password expiry notifications to users about upcoming password expiry.
- Filters results to display licensed users alone.
- Exports a list of users who fall under the given criteria.
- Automatically installs the Microsoft Graph PowerShell module (if not installed already) upon your confirmation.
- The script can be executed with MFA and non-MFA accounts.
- It can be executed with certificate-based authentication (CBA) too.
- The script is scheduler-friendly: it can automatically register itself in Task Scheduler to automate sending password expiry notifications.
Download Script: SendPwdExpiryNotification.ps1
Password Expiry Notification – Sample Outputs
Sample Password Expiry Notification Email
Users with soon-to-expire passwords will receive an email similar to the above screenshot, prompting them to update their password using Microsoft Security Info.
Password Expiration Date of All Users:
This script also exports all users whose passwords are set to expire within the specified number of days at the time of script execution, along with details such as name, email, password expiry date, days until expiration, and license status.
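The expiry date the script reports is derived rather than read directly: each domain carries a password validity period, and a user's expiry is their last password change plus that period. The following is an added example illustrating that derivation and the export/notification flow; it is not the SendPwdExpiryNotification.ps1 script itself. It assumes the Microsoft.Graph modules are installed, a Graph connection with User.Read.All, Domain.Read.All and Mail.Send, and a placeholder sender mailbox in $FromAddress.

```powershell
# Added example (not the page's script): derive password expiry from Graph data and notify
# users whose password expires within $DaysToExpiry days. Assumes Microsoft.Graph is installed;
# $FromAddress is a placeholder mailbox.
param(
    [int]$DaysToExpiry = 10,
    [string]$FromAddress = 'notifier@contoso.example',   # placeholder sender mailbox
    [switch]$LicensedUsersOnly,
    [switch]$WhatIfSend                                  # report only, send no mail
)
Connect-MgGraph -Scopes 'User.Read.All','Domain.Read.All','Mail.Send' -NoWelcome

# Password validity is a per-domain setting; 2147483647 days means "never expires".
$validity = @{}
foreach ($d in Get-MgDomain -All) { $validity[$d.Id.ToLower()] = $d.PasswordValidityPeriodInDays }

$now   = Get-Date
$props = 'Id,DisplayName,UserPrincipalName,LastPasswordChangeDateTime,PasswordPolicies,AssignedLicenses,AccountEnabled'
$report = foreach ($u in Get-MgUser -All -Property $props) {
    if (-not $u.AccountEnabled -or -not $u.LastPasswordChangeDateTime) { continue }
    # A per-user "DisablePasswordExpiration" policy overrides the domain setting.
    if ($u.PasswordPolicies -match 'DisablePasswordExpiration') { continue }
    $domain = ($u.UserPrincipalName -split '@')[1].ToLower()
    $days   = $validity[$domain]
    if (-not $days -or $days -ge 2147483647) { continue }   # unknown or non-expiring domain
    $licensed = $u.AssignedLicenses.Count -gt 0
    if ($LicensedUsersOnly -and -not $licensed) { continue }
    $expiry = $u.LastPasswordChangeDateTime.AddDays($days)
    $left   = [math]::Floor(($expiry - $now).TotalDays)
    if ($left -lt 0 -or $left -gt $DaysToExpiry) { continue }   # already expired or outside window
    [pscustomobject]@{
        Name = $u.DisplayName; Email = $u.UserPrincipalName
        PasswordExpiryDate = $expiry; DaysUntilExpiry = $left; Licensed = $licensed
    }
}
$report | Export-Csv -Path ".\PwdExpiry_$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation

foreach ($r in $report) {
    if ($WhatIfSend) { "Would notify $($r.Email) ($($r.DaysUntilExpiry) days left)"; continue }
    $msg = @{
        Message = @{
            Subject      = "Your password expires in $($r.DaysUntilExpiry) day(s)"
            Body         = @{ ContentType = 'Text'; Content = "Hi $($r.Name), your password expires on $($r.PasswordExpiryDate.ToString('yyyy-MM-dd')). Please change it before then." }
            ToRecipients = @(@{ EmailAddress = @{ Address = $r.Email } })
        }
        SaveToSentItems = $false
    }
    # Sending from another mailbox needs Mail.Send (app) or Send As rights (delegated).
    Send-MgUserMail -UserId $FromAddress -BodyParameter $msg
}
```

Run it first with -WhatIfSend to check the CSV against a known user before letting it send mail.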
Send Password Expiry Email Notification in Microsoft 365 – Script Execution Steps
Follow the below steps to schedule the password expiry notification in Microsoft 365 using the PowerShell script.
- Download the script
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: Execute the script with MFA or non-MFA account
```powershell
.\SendPwdExpiryNotification.ps1 -DaysToExpiry 10
```
This script notifies users whose passwords are going to expire within the next 10 days. It also generates a CSV file with the details of those users.
Note: The notification is sent only when the script runs, so you need to execute it manually each time to notify users about their upcoming password expirations. To automate the email notifications, refer to the later section of this blog.
Method 2: Execute the script using certificate-based authentication
To use certificate-based authentication, you must register an app in Entra ID which helps you connect Microsoft Graph PowerShell. Depending on your needs, you can choose to use a certificate authority (CA) or create a self-signed certificate.
```powershell
.\SendPwdExpiryNotification.ps1 -DaysToExpiry 10 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertificateThumbprint> -FromAddress amy@contoso.com
```
This format sends reminders from the mailbox “Amy” to users whose password will expire within 10 days. This method also requires you to execute the script each time you want to remind users to change their password within the window set by the -DaysToExpiry parameter.
Points to remember:
- Ensure the registered app has the following application permissions to achieve the expected output: Mail.Send, User.Read.All, and Domain.Read.All.
- When running the script using certificate-based authentication, the -FromAddress parameter is mandatory to specify the mailbox from which the reminders will be sent.
Automate Sending Password Expiry Notifications in Entra
Although the above methods help you notify users of password expiry, manually running the script each time can be challenging amidst all your other tasks.
To make this simple, you can run the script with the -Schedule parameter, which registers the script in Task Scheduler automatically.
Note: The script can only be automated with certificate-based authentication. Specify the TenantId, ClientId, and CertificateThumbprint so it can connect to MS Graph using the certificate.
Run the script as follows to schedule the email reminders for users with password expiration in the specified days.
```powershell
.\SendPwdExpiryNotification.ps1 -DaysToExpiry 20 -Schedule -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertificateThumbprint> -FromAddress amy@contoso.com
```
This format creates a scheduled task ‘Password Expiry Notification’ in Task Scheduler, which runs daily at 10 AM to send password expiry notifications until users update their password or it expires.
If you prefer to send the email at a different time, you can update the time by changing the script execution time in the Task Scheduler.
Open Task Scheduler, select the relevant task, navigate to the Action tab, and modify the time according to your preference.
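For readers who want to see what such a registration looks like, or to register the task by hand, here is an added example; it is not the script's own -Schedule logic. The script path, TenantId, ClientId, certificate thumbprint and sender mailbox are placeholders, and it assumes it is run from an elevated PowerShell on the machine that holds the certificate's private key.

```powershell
# Added example (not the page's script): register a daily 10 AM task that runs the notifier
# non-interactively with certificate-based auth. All values below are placeholders.
$ScriptPath = 'C:\Scripts\SendPwdExpiryNotification.ps1'   # placeholder path
$Params = @{
    DaysToExpiry          = 20
    TenantId              = '<TenantId>'
    ClientId              = '<ClientId>'
    CertificateThumbprint = '<CertificateThumbprint>'
    FromAddress           = 'amy@contoso.com'
}
# Build the argument string once so the task definition shows exactly what will run.
$argList = ($Params.GetEnumerator() | ForEach-Object { "-$($_.Key) $($_.Value)" }) -join ' '
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`" $argList"
$trigger = New-ScheduledTaskTrigger -Daily -At 10am

# S4U lets the task run without a stored password or an interactive logon; the account
# must be able to read the certificate's private key, and least privilege is enough.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType S4U -RunLevel Limited

Register-ScheduledTask -TaskName 'Password Expiry Notification' `
    -Action $action -Trigger $trigger -Principal $principal -Force

# Verify the registration and when it will next fire; LastTaskResult 0 means the last run succeeded.
Get-ScheduledTaskInfo -TaskName 'Password Expiry Notification' |
    Select-Object TaskName, NextRunTime, LastTaskResult
```

Changing the time later means editing the trigger of this task, which is what the page's Task Scheduler instructions above do by hand.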
Get the Best Out of the Script!
With customizable filters, this script handles diverse cases effectively. Here’s how it works for you:
- Send password expiration notifications from a specific email address
- Send Password expiry email notifications for only licensed users
1. Send Password Expiry Reminders from a Specific Email Address
While running the script interactively, emails are sent from the mailbox of the account used to connect the Microsoft Graph module. Now imagine a user in the security department is tasked with running this script daily, but the emails need to be sent from the admin’s account. Sharing the admin’s credentials with that user so they can connect to the Graph module during script execution is not a secure practice.
To address this, run the script with the -FromAddress parameter. This makes the script send emails from the specified mailbox instead.
```powershell
.\SendPwdExpiryNotification.ps1 -DaysToExpiry 10 -FromAddress jack@contoso.com
```
This sends the reminders from the mailbox ‘Jack’, regardless of who runs the script, to users whose passwords will expire in the next 10 days.
Note: The account used to connect the Microsoft Graph module while executing the script must have ‘Send on behalf/Send as’ and ‘Full access’ delegated permissions on the admin mailbox.
2. Send Password Expiry Email Notification for Only Licensed Users
Generally, as part of offboarding best practices, former employees’ licenses are removed. Therefore, focusing on licensed users is crucial since they actively use Microsoft 365 services and access company resources.
```powershell
.\SendPwdExpiryNotification.ps1 -DaysToExpiry 10 -LicensedUsersOnly
```
This sends a one-time notification email to all licensed Microsoft 365 users whose passwords, at the time the script runs, will expire within 10 days.
Tips:
- You can check when the Microsoft 365 users have changed their passwords by reviewing the recently changed passwords report.
- Strengthen the Microsoft 365 password policy and ban custom passwords to prevent users from choosing easily guessable passwords.
- Activate two-step verification for all users by configuring Multi-Factor Authentication (MFA) to enhance security.
- Enable Self-Service Password Reset (SSPR) for users so they can securely reset their passwords using the ‘Forgot my password’ option during login.
Struggling to manage user passwords in Microsoft 365? No worries! AdminDroid’s Microsoft 365 reporting tool makes it simple for you. With this, you can gain complete visibility into all details related to passwords, empowering you to enhance account security, prevent lockouts, and maintain better control over user credentials.
We hope this blog has provided you with valuable insights on setting up email notifications for the password expiration of Microsoft 365 users. Feel free to ask any questions or share your comments about the script in the comments section.