Get the Last Password Change Date Using PowerShell in Microsoft 365

One of the key components of security is managing passwords. Password management is a critical aspect of maintaining security in the digital realm. In this comprehensive guide, we will discuss various methods for checking the last password change date in Microsoft 365.

There are three methods for checking the last password change date in Microsoft 365:

Using the Entra admin center
Using Microsoft Graph PowerShell SDK
Using Microsoft Graph API

Using the Entra admin center

1. Visit the Entra admin center then login using an administrative account.

2. Navigate to Users | All users | Manage view | Edit columns.

3. Select the option Last password change date time from the list.

Now the last password change date time is shown.

Using the Microsoft Graph PowerShell SDK

The second way is using Microsoft Graph PowerShell SDK. This method requires you to install some PowerShell modules on your machine. But, if you’re familiar with the other Microsoft modules such as MSOL, ExchangeOnlineManagement, AzureAD…this is a good option.

1. Install the required Microsoft Graph PowerShell SDK module by opening PowerShell as administrator then run the following command:

Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser

2. Getting the user’s information requires a certain level of permissions to be granted to the Microsoft Graph Command Line Tools application. So, in this case, we need to connect to Graph PowerShell with the following scopes:

Connect-MgGraph -Scopes "User.Read.All"

To get the last password change date for a particular user, use this Microsoft Graph PowerShell script:

# Get the user information 
$properties = @('DisplayName','UserPrincipalName','AccountEnabled','lastPasswordChangeDateTime')
$userId = '[email protected]'
$result = Get-MgUser -UserId $userId -Property $properties

# Get the user's last password change date and time
$result | Select-Object $properties

Similarly, to get the last password change date timestamp of all users, use the following PowerShell script:

$properties = @('DisplayName','UserPrincipalName','AccountEnabled','lastPasswordChangeDateTime')
Get-MgUser -All -Property $properties | Select-Object $properties

This information can be very helpful for administrators who need to monitor user accounts and ensure their passwords are secure. To export the last password change date for all users to a CSV file, here is the PowerShell script:

# Set the properties to retrieve
$properties = @(
   "id",
   "displayName",
   "userprincipalname",
   "lastPasswordChangeDateTime",
   "mail",
   "jobtitle",
   "department"
)
 
# Retrieve the password change date timestamp of all users
$result = Get-MgUser -All -Property $Properties | Select-Object $properties
$result | Format-Table
 
# Export to CSV
# $result | Export-Csv -Path "C:\Temp\PasswordChangeTimeStamp.csv" -NoTypeInformation

Using Microsoft Graph REST API

Alternatively, we can use the Microsoft Graph Rest API to export the last time password change of all users in a Microsoft 365 tenant. When using this method:

We don’t need to install any modules of the Microsoft Graph PowerShell SDK (~ 80 modules).
We can do it from any computer with Microsoft PowerShell or PowerShell Core installed (Linux and macOS are supported with PowerShell 7+ installed).
Use the native PowerShell cmdlet Invoke-RestMethod to make a request.
Instead of using an account for authentication and authorization, we use the app-only access (access without a user).

Important: Before you begin, make sure you’ve created an app registration in Microsoft entra admin center and collect some required information such as clientId, tenantId and the clientSecret.

Once the app has been created, replace your app’s information (clientId, tenantId and the clientSecret) into the below code. Steps in the script:

Get access token ($token) with app registration client secret.
Create the request header ($headers) for API call.
Create requests to the Microsoft Graph resource ($userEndpoint) with pagination to get all data.
Build the report ($result) from API call response.
Output options to console, graphical grid view or export to CSV file.

# Define variables
$clientId      = "xxxxxxxxxxxxxxxxxxxx"
$clientSecret  = "xxxxxxxxxxxxxxxxxxxx"
$tenantId      = "xxxxxxxxxxxxxxxxxxxx"

# Get OAuth token
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body

# Extract access token
$accessToken = $response.access_token

# Create the request header for API call
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}

$userEndpoint = "https://graph.microsoft.com/v1.0/users?`$select=DisplayName,UserPrincipalName,AccountEnabled,lastPasswordChangeDateTime&`$top=100"

#Perform pagination if next page link (odata.nextlink) returned
$result = @()
while ($null -ne $userEndpoint) {
  $response = Invoke-RestMethod -Method GET -Uri $userEndpoint -Headers $headers
  $users = $response.value
  ForEach($user in $users) {
   $Result += New-Object PSObject -property $([ordered]@{
      DisplayName                = $user.displayName
      UserPrincipalName          = $user.userPrincipalName
      AccountEnabled             = $user.AccountEnabled
      lastPasswordChangeDateTime = $user.lastPasswordChangeDateTime
   })
  }
  $userEndpoint = $response.'@odata.nextlink'
}

# Output options to console, graphical grid view or export to CSV file.
$result | Format-Table
# $result | Out-GridView
# $result | Export-CSV "C:\Result.csv" -NoTypeInformation -Encoding UTF8