
Something I come across quite often while helping customers implement cloud-based BI environments is the configuration of service accounts for things like ETL processes, Power BI data refreshes, etc. These accounts run unattended, so a scheduled refresh that fails because the password expired overnight is a common support ticket.

In Microsoft 365 (Azure AD, now Entra ID) the password expiration policy is set at the tenant level and applies to every user by default. I’m pretty far from being an Active Directory expert and I am sure there are ways to build custom policies in Azure AD to change the default behavior, but my consulting work usually requires a quick and easy way to change the password expiration policy for the specific service accounts I am dealing with, without getting in over my head in the Active Directory jungle.

Luckily (for me), the Azure AD cmdlets in PowerShell give us an easy way to get it done on a per-user basis, and here’s how you do it…

Prerequisites

If you’re attempting to run PowerShell scripts for the first time, there are some things you need to do before you get started:

  1. Run Windows PowerShell as Administrator if you intend to change the machine-wide execution policy or install modules for all users. For a per-user module install and a per-user or per-process execution policy, a normal session is enough, and running with the least privilege you need is good practice.
  2. Set the execution policy for the current user, session or machine. On a client machine the default policy is Restricted, so you will not be able to run script files until you change it. RemoteSigned (local scripts run, downloaded scripts must be signed) is the usual choice; Unrestricted runs everything after a warning and Bypass runs everything silently, so avoid those on anything you care about. Note that the execution policy is a guardrail against running scripts by accident, not a security boundary. I like to set the policy for the local machine so that I don’t have to do it again, but the Process scope is the least invasive option for a one-off task.
#this will show you all the existing execution policies, by scope
Get-ExecutionPolicy -List
#if you want to set it for the machine (requires an elevated session)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
#if you want to set it for the current process only (reverts when the window closes)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
#if you want to set it for the current user only
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
  3. Install and import the necessary PowerShell modules. Every Windows machine will have some base modules installed, but not the ones we need for Azure.
#install the module from the PowerShell Gallery in order to use the cmdlets
Install-Module -Name AzureAD -AllowClobber
#import the module into the current session
Import-Module AzureAD

The name of the module we’re installing is AzureAD. The AllowClobber parameter lets the installation proceed even if the module exports commands with the same names as commands you already have (for example from the older MSOnline module); without it Install-Module refuses and tells you about the conflict. One caveat worth knowing: Microsoft has since retired the AzureAD module in favor of the Microsoft Graph PowerShell SDK, where the equivalent cmdlets are Get-MgUser and Update-MgUser with the same -PasswordPolicies values. The steps below still illustrate the approach. Ok, now we’re ready to roll…

Connect to the Azure AD tenant

#Connect to azure ad tenant
Connect-AzureAD

Running this command will pop up an authentication dialogue. Sign in with an account that holds a directory role allowed to update user password policies (User Administrator or Global Administrator); a plain user can read their own policy but cannot change it. Use a dedicated admin account with MFA rather than the service account itself.

Get and change the password expiration policy

#Get the user's password expiration policy info
Get-AzureADUser -ObjectId "<guid or UPN of service account>" | Select-Object UserPrincipalName, @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}
#Set the user's password to not expire
Set-AzureADUser -ObjectId "<guid or UPN of service account>" -PasswordPolicies DisablePasswordExpiration

You will need to identify the service account here; despite its name, the -ObjectId parameter accepts either the object ID (GUID) or the user principal name. The first command returns the details of the password expiration policy. We’re using a calculated property (the @{N=…;E=…} hashtable) to return only the policy that we want as a true/false value, rather than the entire PasswordPolicies string.

The second command changes the expiration policy of the account we’re providing, and we’re now able to use this account for what it is intended for. To undo it later, set -PasswordPolicies to "None".

Two things to keep in mind when you do this. PasswordPolicies is a single comma-separated string, so if the account already has another policy on it (such as DisableStrongPassword), setting the value as above overwrites it rather than adding to it. And a password that never expires is a standing credential: compensate with a long, randomly generated password stored in a vault, block interactive sign-in for the account where you can, and prefer a service principal or managed identity wherever the consuming service supports one.
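As an added example (not part of the original post or its GitHub script), here is the same change wrapped in a function that accepts a GUID or UPN, preserves any policy already on the account, verifies the write by reading the user back, and a second function that audits which accounts in the tenant currently never expire. It assumes the AzureAD module is loaded and Connect-AzureAD has already succeeded; the UPN in the usage line is hypothetical.

```powershell
# Added example, not from the original post. Assumes Import-Module AzureAD and
# Connect-AzureAD have already run in this session.

function Set-ServiceAccountPasswordNeverExpires {
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # object ID (GUID) or user principal name; -ObjectId accepts both
    )

    $user = Get-AzureADUser -ObjectId $Identity
    if (-not $user) { throw "User '$Identity' not found." }

    # PasswordPolicies is a comma-separated string such as "DisableStrongPassword",
    # "None", or empty. Split it so we can add to it instead of overwriting it.
    $existing = @()
    if ($user.PasswordPolicies -and $user.PasswordPolicies -ne 'None') {
        $existing = $user.PasswordPolicies -split ',\s*'
    }

    if ($existing -contains 'DisablePasswordExpiration') {
        Write-Host "$($user.UserPrincipalName): password expiration already disabled."
        return $user
    }

    $newPolicies = ($existing + 'DisablePasswordExpiration') -join ', '
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies $newPolicies

    # Read the object back and verify rather than trusting a silent cmdlet.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    if (($after.PasswordPolicies -split ',\s*') -notcontains 'DisablePasswordExpiration') {
        throw "Policy update for $($user.UserPrincipalName) did not take effect."
    }
    Write-Host "$($after.UserPrincipalName): PasswordPolicies = $($after.PasswordPolicies)"
    return $after
}

# Audit: every account in the tenant whose password never expires. Run this
# periodically so the exceptions you create stay visible; only service accounts
# should show up here.
function Get-NeverExpiringAccounts {
    Get-AzureADUser -All $true |
        Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
        Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies
}

# Usage (hypothetical UPN):
# Set-ServiceAccountPasswordNeverExpires -Identity 'svc-etl@contoso.onmicrosoft.com'
# Get-NeverExpiringAccounts | Format-Table -AutoSize
```

The read-back check matters because Set-AzureADUser returns nothing on success, so a typo in the policy name or a permission problem on the signed-in account can otherwise go unnoticed until the next failed refresh. The audit function uses -All $true because Get-AzureADUser only returns the first page of users by default.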

Want to download the entire script? Get it from my GitHub repo.
