The online world is constantly evolving, and with it, the threats to your organization’s data. Securing your Microsoft 365 environment requires a multi-layered approach, but strong passwords remain the first line of defense🛡. For IT admins, managing these passwords effectively walks a tightrope between robust security and user convenience. Amid these challenges, it’s crucial to address the fundamental question:
Do Passwords for Office 365 Expire?
A common question among Office 365 users is, “Do passwords expire🤔?” The short answer is yes, and it depends on your organization’s settings. By default, passwords are set to never expire, which Microsoft recommends. This approach aims to reduce the burden on users and prevent the risks associated with frequent password changes, such as choosing weaker or reused passwords.
Whether to set passwords to not expire or to set an expiry date for passwords has long been debated. Despite Microsoft’s recommendation, many organizations still opt to set password expiration policies.
- This decision is often driven by regulatory requirements, internal security policies, or a traditional belief that regular password changes enhance security.
If your organization decides to set expiration dates, it is crucial to establish a system for tracking & reminding users about their upcoming password expirations. Automating this process can save time and reduce the risk of forgotten password changes.
In this blog, we will explore how to send email notifications to users before the password expires using Power Automate. While PowerShell is also available for this task, Power Automate is preferred for more customizations.
For more workflows on Microsoft 365 user onboarding & offboarding, refer to our AdminDroid GitHub.
How to Set Password Expiration Policy in Microsoft 365?
Microsoft has pre-configured essential Azure AD password policies for secure implementation. However, admins can customize these settings to further strengthen organizational security. You can set expiration dates with these simple steps:
- Go to the M365 admin center.
- Navigate to Settings -> Org settings.
- Under the ‘Security & privacy’ tab, locate ‘Password expiration policy’.
- Uncheck ‘Set passwords to never expire’ and enter your desired value in the box.
- You need to enter values between 14 and 730.
- Then Save.
Once the password expiration policy is set, it’s the admin’s responsibility to ensure users are notified about upcoming expirations. This can be efficiently managed by creating a flow for password change reminders using Power Automate. For a user-friendly view of expiration details, use the PowerShell script to track password expirations.
Send Password Change Reminders Using Power Automate
Here’s a step-by-step guide to create a Power Automate flow that sends password change notifications to users:
Automated Password Change Notifications Workflow – An Overview
Here’s how the flow works:
- Retrieves users’ password status from Microsoft Graph API.
- Checks for passwords that have not been changed for the given time period.
- Sends an email to users reminding them to update their passwords.
You have two methods to integrate the flow into your environment. Choose the one that best suits your requirements.
1. Deploying Password Change Notification Flow Directly from a ZIP File
2. Creating Password Change Notification Flow – A Step-by-Step Guide
Option 1: Deploying Password Change Reminder Flow Directly from a ZIP File
If you prefer not to build the flow from scratch, we’ve simplified the process for you. Just import our pre-built package into your Power Automate environment and effortlessly run the workflow. Follow these steps to get started:
1. Importing the Flow:
Download the PasswordChangeReminderEmail.zip
- In Power Automate, go to My Flows and click Import.
- Upload the ZIP file, modify the flow name as needed, and select Select during import.
- Authorize connections using your Office 365 account.
2. Modifying the Flow:
After importing successfully, make these necessary modifications:
Specify the desired time period to identify outdated passwords.
- In the first field, choose the condition.
- In the second field, input the function with the desired number of days. For example, (-60).
3. Enabling the Flow:
- Once modifications are complete, ensure the flow is turned on to initiate automated processes.
Option 2: Creating Password Change Reminders – A Step-by-Step Guide
If you prefer to create the flow manually, follow the procedure below. It consists of these steps:
- Create an instant cloud flow
- Add HTTP action
- Parse JSON response
- Add condition to check password change
- Send password change notification email
- Save the flow
Step 1: Create an Instant Cloud Flow
- Open Power Automate and click on ‘Create’ from the left navigation.
- Under ‘Start from blank’, choose Instant cloud flow.
- Add a name to your flow and under ‘Choose how to trigger this flow’, select Manually trigger a flow -> Create.
The next step is to add an HTTP action to fetch user data from Microsoft Graph API.
Step 2: Add HTTP Action
- To add the next action for your flow, click on the + button below the trigger action.
- Select Add an action. Search and select ‘Send an HTTP request’ under ‘Office 365 Users’.
The HTTP action allows you to make a request to an external API, in this case, Microsoft Graph, to fetch user data.
Enter the following within the fields:
- URL:
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,lastPasswordChangeDateTime
- Method: GET
Step 3: Parse JSON Response
Parsing JSON allows you to easily handle the data returned from the HTTP request. For that,
- Add an action and search for ‘Parse JSON’.
- In the ‘Content’ field, click on the dynamic content icon. It allows you to insert dynamic content from previous steps in your flow.
- Select ‘Body’ under ‘HTTP’.
- In the ‘Schema’ field, copy and paste the code below.
{
  "type": "object",
  "properties": {
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "userPrincipalName": {
            "type": "string"
          },
          "lastPasswordChangeDateTime": {
            "type": "string"
          }
        },
        "required": [
          "userPrincipalName",
          "lastPasswordChangeDateTime"
        ]
      }
    }
  }
}
The schema defines the structure of the JSON data you expect to receive. It acts as a blueprint that tells the automation tool how to parse and understand the JSON data. This schema ensures that the value property is an array of objects, where each object must contain a userPrincipalName and lastPasswordChangeDateTime, both as strings. This is used to process lists of users and their associated metadata, such as password change dates, within the workflow.
Step 4: Add Condition to Check Password Change
Now that we’ve processed the data, our next step is to verify the password change dates for each user. Proceed with the following steps for evaluation.
- The next action should be ‘Condition’. This checks when the password was last changed. Search for Condition and select it.
- In the ‘Choose a value’ field, click on the dynamic content icon and select Body LastPasswordChangeDateandTime.
- In the second field, select “is less or equal to”.
- In the third field, enter this value “addDays(utcNow(), -60)”.
By default, this condition checks for users with a password age of 60 days or more and sends them reminder emails. You can adjust the value to notify users with older passwords based on your specific requirements.
Step 5: Send Password Change Notification Email
Next, we’ll configure it to send reminders to users informing them that their password is due for an update.
- Click on the + inside the True condition -> Add an action.
- Search for Send an email (V2) under Office 365 Outlook.
- In the ‘To’ field, select ‘Advanced mode’, click on the dynamic content icon & select Body userPrincipalName.
- In the ‘Subject’ field, enter your subject – something like,
“Reminder: Your Password Needs to Be Changed”.
- In the ‘Body‘ field, enter the message – something like,
“This is a reminder that your password is older and needs to be changed. Please update your password to ensure uninterrupted access to your account. Don’t wait until the last minute! Click here to change your password now”.
- In the ‘Change connection’, you can add the email address from which the emails should be sent to users.
Step 6: Save the Flow
Save your flow. Now your flow is ready to go and should look like the screenshot below.
Flow Elements Breakdown:
- Recurrence: Triggers the flow.
- HTTP: Performs an HTTP request to get data from Microsoft Graph API.
- Parse JSON: Parses the JSON response from the HTTP request to make the data usable in subsequent steps.
- For each: Iterates over the user objects in the parsed ‘value’ array and runs the nested actions once per user.
- Condition: Checks a condition within each iteration.
- True: If the condition is met, sends an email using the “Send an email (V2)” action.
- False: If the condition is not met, no action is specified in the False branch.
Testing the Password Change Notification Flow:
- After saving it, click ‘Test’ on the toolbar.
- In the Test Flow flyout page that appears, select ‘Manually’.
- Click on Test -> Run flow -> Done.
When the admin manually triggers the flow, an email will be sent only to those users whose passwords have not been changed within the specified period.
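To check offline which users the flow's logic would select, the sketch below (an added example, not part of the original flow or the AdminDroid package) reproduces the Step 4 condition as a date comparison over a constructed Graph-style response. It also follows @odata.nextLink, which Graph uses to split large user lists into pages, and separates records whose timestamp is null, since those do not satisfy the Step 3 schema. All addresses, dates, page keys and function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the Step 2 Graph response. Addresses, dates and
# page keys are invented; a real @odata.nextLink is a full URL.
PAGES = {
    "page1": {
        "@odata.nextLink": "page2",
        "value": [
            {"userPrincipalName": "alice@contoso.example",
             "lastPasswordChangeDateTime": "2024-01-10T08:30:00Z"},
            {"userPrincipalName": "bob@contoso.example",
             "lastPasswordChangeDateTime": "2024-05-20T12:00:00Z"},
            {"userPrincipalName": "nostamp@contoso.example",
             "lastPasswordChangeDateTime": None},
        ],
    },
    "page2": {"value": [
        {"userPrincipalName": "carol@contoso.example",
         "lastPasswordChangeDateTime": "2024-04-01T00:00:00Z"},
    ]},
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock, repeatable run

def iter_users(pages, first="page1"):
    """Yield user records from every page by following @odata.nextLink."""
    link = first
    while link:
        page = pages[link]
        yield from page.get("value", [])
        link = page.get("@odata.nextLink")

def users_due(pages, now, max_age_days=60):
    """Return (due, rejected): UPNs the Step 4 condition selects, and UPNs whose
    record fails the Step 3 schema because the timestamp is not a string."""
    cutoff = now - timedelta(days=max_age_days)  # addDays(utcNow(), -60)
    due, rejected = [], []
    for user in iter_users(pages):
        stamp = user.get("lastPasswordChangeDateTime")
        if not isinstance(stamp, str):
            rejected.append(user["userPrincipalName"])
            continue
        changed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if changed <= cutoff:  # "is less or equal to"
            due.append(user["userPrincipalName"])
    return due, rejected

if __name__ == "__main__":
    print(users_due(PAGES, SAMPLE_NOW))
```

Accounts that land in the second list never reach the condition, so review them separately rather than assuming they were checked.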
We hope that this blog has given you detailed instructions to send password change notification emails in Microsoft 365. Similarly, ensuring users are aware of impending password expirations is crucial for maintaining security. By setting up timely password expiration notifications with 7-day follow-up emails, you can reduce the risk of account lockouts and potential security breaches.
Further, if your passwords are set to never expire, consider strengthening account security with options like passwordless authentication, Microsoft 365 passkeys, Microsoft Defender alerts, etc., based on your requirements. Thanks for reading. For further queries, reach out to us in the comments section.