How to Set an Individual User's Password to Never Expire in Azure Active Directory


In Azure Active Directory (AAD), user passwords are governed by organizational security policies. While password expiration policies are designed to enhance security, there are cases where you might need to exempt specific users from this policy—such as service accounts, kiosk users, or executives. This article explains how to set an individual user's password to never expire in Azure AD using the Azure portal and PowerShell.

Prerequisites

  • Administrative privileges in Azure AD.
  • Access to the Azure Portal or the Microsoft Entra Admin Center.
  • PowerShell with the AzureAD or Microsoft Graph PowerShell module installed.

Method 1: Using Azure Portal

Steps:

  1. Sign in to the Azure Portal.
  2. Navigate to Azure Active Directory.
  3. Under Manage, select Users.
  4. Search for and select the user account you wish to modify.
  5. On the user profile page, locate the Password section.
  6. Set the Password never expires toggle to Yes.
  7. Save the changes.

Method 2: Using PowerShell

Option 1: Azure AD PowerShell Module

  1. Open PowerShell and connect to Azure AD:

    Connect-AzureAD
    
  2. Retrieve the user’s Object ID or UPN (User Principal Name):

    Get-AzureADUser -SearchString "username"
    
  3. Set the user’s password to never expire:

    Set-AzureADUser -ObjectId <ObjectId> -PasswordPolicies DisablePasswordExpiration
    

Option 2: Microsoft Graph PowerShell Module

  1. Install and connect to Microsoft Graph:

    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    
  2. Retrieve the user details:

    Get-MgUser -Filter "userPrincipalName eq 'username@domain.com'"
    
  3. Update the user’s password policy:

    Update-MgUser -UserId <UserId> -PasswordPolicies "DisablePasswordExpiration"
    

Verifying the Changes

To confirm that the password expiration setting has been applied:

  1. In the Azure Portal, revisit the user profile and check the Password never expires status.

  2. Using PowerShell:

    Get-AzureADUser -ObjectId <ObjectId> | Select-Object PasswordPolicies
    

Best Practices

  • Use password exemption sparingly and only for critical accounts:

    • Service Accounts: Accounts used by applications or automated systems often require uninterrupted access.
    • Kiosk Accounts: Accounts used on dedicated devices for specific tasks may not require frequent password changes.
    • Executive Accounts: In some rare cases, executives might require this exemption for exceptional circumstances, but it should be carefully evaluated and justified.
  • Combine non-expiring passwords with multi-factor authentication (MFA) for enhanced security:

    • Even if a password never expires, implementing MFA adds a crucial layer of security.
    • MFA methods include:
      • Biometrics: Fingerprint, facial recognition
      • Mobile App Authenticators: Microsoft Authenticator, Google Authenticator
      • Hardware Tokens: YubiKey, FIDO U2F keys
  • Regularly audit user accounts with the DisablePasswordExpiration policy:

    • Conduct periodic reviews to ensure that:
      • The exemption is still necessary.
      • The account is actively used and monitored.
      • There are no signs of compromise.
  • Implement strong password policies for all other users:

    • Enforce strong password complexity requirements (length, character types).
    • Mandate regular password changes for all other users.
    • Consider using a password manager to help users create and manage strong, unique passwords.
  • Document the rationale for each password exemption:

    • Maintain clear records of why specific accounts are exempt from password expiration policies.
    • This documentation can be helpful for audits, security reviews, and future troubleshooting.
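
The periodic audit recommended above can be scripted. The following is an added example, not part of the original article: the function name Get-NonExpiringAccount, its parameters, the 365-day review threshold and the sample accounts are assumptions made for illustration.

```powershell
# Added example: report accounts exempt from password expiration and flag those needing review.
# Function name, parameters and the 365-day threshold are assumptions of this example.
function Get-NonExpiringAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$StaleAfterDays = 365,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # PasswordPolicies is a single string: it may hold several comma-separated
        # values ("DisablePasswordExpiration, DisableStrongPassword"), "None", or be empty.
        $policies = @("$($User.PasswordPolicies)" -split ',' | ForEach-Object { $_.Trim() })
        if ($policies -notcontains 'DisablePasswordExpiration') { return }

        $changed = $User.LastPasswordChangeDateTime
        $ageDays = if ($changed) { [int][math]::Floor(($AsOf - $changed).TotalDays) } else { $null }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            AccountEnabled    = $User.AccountEnabled
            PasswordAgeDays   = $ageDays
            # Review if the password age is unknown or past the threshold,
            # or if the exemption was left on a disabled account.
            NeedsReview       = ($null -eq $ageDays) -or ($ageDays -gt $StaleAfterDays) -or
                                (-not $User.AccountEnabled)
        }
    }
}

# Constructed sample objects standing in for Get-MgUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-backup@example.com'; AccountEnabled = $true;  PasswordPolicies = 'DisablePasswordExpiration'; LastPasswordChangeDateTime = [datetime]'2022-03-01' }
    [pscustomobject]@{ UserPrincipalName = 'kiosk-01@example.com';   AccountEnabled = $true;  PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'; LastPasswordChangeDateTime = [datetime]'2024-10-15' }
    [pscustomobject]@{ UserPrincipalName = 'old-svc@example.com';    AccountEnabled = $false; PasswordPolicies = 'DisablePasswordExpiration'; LastPasswordChangeDateTime = [datetime]'2024-11-01' }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com';      AccountEnabled = $true;  PasswordPolicies = 'None'; LastPasswordChangeDateTime = [datetime]'2024-12-01' }
)
$sample | Get-NonExpiringAccount -AsOf ([datetime]'2025-01-01') | Format-Table -AutoSize

# Against a tenant (after Connect-MgGraph -Scopes 'User.Read.All'):
# Get-MgUser -All -Property UserPrincipalName,AccountEnabled,PasswordPolicies,LastPasswordChangeDateTime |
#     Get-NonExpiringAccount | Where-Object NeedsReview
```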

Important Note: Disabling password expiration should be a carefully considered decision. It introduces a security risk by removing a critical security control. Always prioritize security best practices and implement compensating controls to mitigate the risks associated with this exemption.
