Password management is a critical part of maintaining security in the digital realm. This guide covers the methods for checking the last password change date in Microsoft 365.
There are three methods for checking the last password change date in Microsoft 365:
- Using the Entra admin center
- Using Microsoft Graph PowerShell SDK
- Using Microsoft Graph API
Using the Entra admin center
1. Visit the Entra admin center, then log in using an administrative account.
2. Navigate to Users | All users | Manage view | Edit columns.
3. Select the option Last password change date time from the list.
Now the last password change date time is shown.
Using the Microsoft Graph PowerShell SDK
The second way is to use the Microsoft Graph PowerShell SDK. This method requires you to install some PowerShell modules on your machine, but if you’re familiar with other Microsoft modules such as MSOL, ExchangeOnlineManagement or AzureAD, this is a good option.
1. Open PowerShell as administrator, then run the following command to install the required Microsoft Graph PowerShell SDK module:
Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser
2. Getting the user’s information requires a certain level of permissions to be granted to the Microsoft Graph Command Line Tools application. So, in this case, we need to connect to Graph PowerShell with the following scopes:
Connect-MgGraph -Scopes "User.Read.All"
To get the last password change date for a particular user, use this Microsoft Graph PowerShell script:
# Get the user information
$properties = @('DisplayName','UserPrincipalName','AccountEnabled','lastPasswordChangeDateTime')
$userId = 'user@example.com'   # placeholder: replace with the target user's UPN or object ID
$result = Get-MgUser -UserId $userId -Property $properties
# Get the user's last password change date and time
$result | Select-Object $properties
Similarly, to get the last password change date timestamp of all users, use the following PowerShell script:
$properties = @('DisplayName','UserPrincipalName','AccountEnabled','lastPasswordChangeDateTime')
Get-MgUser -All -Property $properties | Select-Object $properties
This information can be very helpful for administrators who need to monitor user accounts and ensure their passwords are secure. To export the last password change date for all users to a CSV file, here is the PowerShell script:
# Set the properties to retrieve
$properties = @(
    "id",
    "displayName",
    "userprincipalname",
    "lastPasswordChangeDateTime",
    "mail",
    "jobtitle",
    "department"
)
# Retrieve the password change date timestamp of all users
$result = Get-MgUser -All -Property $properties | Select-Object $properties
$result | Format-Table
# Export to CSV
# $result | Export-Csv -Path "C:\Temp\PasswordChangeTimeStamp.csv" -NoTypeInformation
Using Microsoft Graph REST API
Alternatively, we can use the Microsoft Graph REST API to export the last password change time of all users in a Microsoft 365 tenant. When using this method:
- We don’t need to install any modules of the Microsoft Graph PowerShell SDK (~ 80 modules).
- We can do it from any computer with Microsoft PowerShell or PowerShell Core installed (Linux and macOS are supported with PowerShell 7+ installed).
- We use the native PowerShell cmdlet Invoke-RestMethod to make the requests.
- Instead of using an account for authentication and authorization, we use app-only access (access without a user).
Once the app has been created, insert your app’s information (clientId, tenantId and clientSecret) into the code below. Steps in the script:
- Get access token ($token) with app registration client secret.
- Create the request header ($headers) for API call.
- Create requests to the Microsoft Graph resource ($userEndpoint) with pagination to get all data.
- Build the report ($result) from API call response.
- Output options to console, graphical grid view or export to CSV file.
# Define variables (the client secret is a credential: do not commit a filled-in copy of this script)
$clientId = "xxxxxxxxxxxxxxxxxxxx"
$clientSecret = "xxxxxxxxxxxxxxxxxxxx"
$tenantId = "xxxxxxxxxxxxxxxxxxxx"
# Get OAuth token using the client credentials grant (app-only access)
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
}
$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
# Extract access token
$accessToken = $response.access_token
# Create the request header for API call
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
# The backtick stops PowerShell from expanding $select and $top as variables
$userEndpoint = "https://graph.microsoft.com/v1.0/users?`$select=DisplayName,UserPrincipalName,AccountEnabled,lastPasswordChangeDateTime&`$top=100"
# Perform pagination if a next page link (@odata.nextLink) is returned
$result = @()
while ($null -ne $userEndpoint) {
    $response = Invoke-RestMethod -Method GET -Uri $userEndpoint -Headers $headers
    $users = $response.value
    ForEach ($user in $users) {
        $result += New-Object PSObject -Property $([ordered]@{
            DisplayName                = $user.displayName
            UserPrincipalName          = $user.userPrincipalName
            AccountEnabled             = $user.accountEnabled
            lastPasswordChangeDateTime = $user.lastPasswordChangeDateTime
        })
    }
    # Becomes $null on the last page, which ends the loop
    $userEndpoint = $response.'@odata.nextLink'
}
# Output options to console, graphical grid view or export to CSV file.
$result | Format-Table
# $result | Out-GridView
# $result | Export-CSV "C:\Result.csv" -NoTypeInformation -Encoding UTF8
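The reports above return the raw timestamp only. As an added example (not code from the original article), the function below turns those rows into a password-age report and flags enabled accounts whose password is older than a threshold. The function name Get-PasswordAgeReport, the sample users, the 90-day threshold and the fixed as-of date are assumptions made for illustration.

```powershell
# CONSTRUCTED sample rows shaped like the $result objects built above.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; AccountEnabled = $true;  lastPasswordChangeDateTime = '2025-01-10T08:15:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   AccountEnabled = $true;  lastPasswordChangeDateTime = '2023-03-02T14:40:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; AccountEnabled = $false; lastPasswordChangeDateTime = '2022-11-20T09:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'guest@example.com'; AccountEnabled = $true;  lastPasswordChangeDateTime = $null }
)

function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $MaxAgeDays = 90,                      # assumed policy threshold
        [datetime] $AsOf = [datetime]::UtcNow
    )
    foreach ($u in $Users) {
        $raw = $u.lastPasswordChangeDateTime
        if ([string]::IsNullOrWhiteSpace([string]$raw)) {
            # An empty timestamp is reported separately, never treated as age 0
            $changed = $null; $age = $null; $status = 'NoTimestamp'
        } else {
            # The value may already be a [datetime] (Get-MgUser, PowerShell 7 JSON
            # parsing) or still an ISO 8601 string (Windows PowerShell 5.1)
            $changed = if ($raw -is [datetime]) { $raw.ToUniversalTime() } else {
                [datetime]::Parse($raw, [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            }
            $age = [int][math]::Floor(($AsOf.ToUniversalTime() - $changed).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'OK' }
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = $u.AccountEnabled
            LastChangeUtc     = $changed
            PasswordAgeDays   = $age
            Status            = $status
        }
    }
}

# Fixed as-of date so the run is repeatable; omit -AsOf to measure against now
$asOf = [datetime]::new(2025, 3, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
Get-PasswordAgeReport -Users $sample -MaxAgeDays 90 -AsOf $asOf |
    Where-Object { $_.AccountEnabled -and $_.Status -ne 'OK' } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

To run it against real data, pass the $result array from either script above instead of $sample.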
Great article. I first saw it on your Medium feed; however, the code there is missing all the curly brackets {} !!