With the recent addition of the Get-MsOnlineUser cmdlet, it is now possible to write a PowerShell script that automatically notifies users when their Microsoft Online passwords are about to expire. This is a huge feature, especially for deskless workers, since until now there hasn't been a good way to let them know their password is about to expire. Below is a script that automatically notifies users of their upcoming password expiration, but first a quick overview of how it works.
You first configure how many days before expiration you want to start notifying users. The default is 15 days. If the script is scheduled to run nightly, then 15 days before a user's password expires they will be sent an email which by default looks like:
Message Subject: ACTION REQUIRED: Your Microsoft Online Password will expire in 15 days
Message Body: Your Microsoft Online password will expire in 15 days. Please use the Microsoft Online Sign in Client to change your password. If you do not use the Sign In Client, browse to https://home.microsoftonline.com to reset your password.
If they don't change their password, the script will run again the next night and notify them that they now have 14 days left to change their password. It will continue to do this every day until they change their password.
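The countdown described above is easiest to verify before any mail is sent. The following is an added example, not part of the MessageOps script: the notification decision is pulled into a function that takes an expiration date and a run date, and a dry run over constructed sample users (names, addresses and dates are made up) shows who would be mailed on a given night. Unlike the script below, it skips accounts with no expiration date (password set to never expire) and treats a negative day count as already expired.

```powershell
# Added example (not part of the original MessageOps script). Pure decision function plus a
# dry run; nothing here connects to Microsoft Online or to an SMTP server.

function Get-ExpiryNotification {
    param(
        [Parameter(Mandatory)] [string] $EmailAddress,
        $PasswordExpirationDate,                 # DateTime, or $null if the password never expires
        [DateTime] $RunDate = [DateTime]::Now,
        [int]      $AdvancedWarning = 15
    )
    # Accounts whose password never expires report no expiration date; skip them
    # instead of failing on a null subtraction.
    if ($null -eq $PasswordExpirationDate) { return $null }

    # Compare calendar dates so the countdown does not depend on the time of day the task runs.
    $expires  = [DateTime]$PasswordExpirationDate
    $daysLeft = ($expires.Date - $RunDate.Date).Days
    if ($daysLeft -gt $AdvancedWarning) { return $null }

    if ($daysLeft -le 0) {
        # Zero or negative: the password has already expired.
        $subject = "IMMEDIATE ACTION REQUIRED: Your Microsoft Online Password Has Expired"
        $body    = "Your Microsoft Online password has expired. "
    }
    elseif ($daysLeft -eq 1) {
        $subject = "IMMEDIATE ACTION REQUIRED: Your Microsoft Online Password will expire in 1 day"
        $body    = "Your Microsoft Online password will expire in 1 day. "
    }
    else {
        $subject = "ACTION REQUIRED: Your Microsoft Online Password will expire in $daysLeft days"
        $body    = "Your Microsoft Online password will expire in $daysLeft days. "
    }
    $body += "Please use the Microsoft Online Sign in Client to change your password. " +
             "If you do not use the Sign In Client, browse to https://home.microsoftonline.com to reset your password."

    [pscustomobject]@{ To = $EmailAddress; DaysLeft = $daysLeft; Subject = $subject; Body = $body }
}

# Constructed sample users. In the real script these values come from Get-MsOnlineUser.
$runDate = Get-Date '2010-01-11'
$sampleUsers = @(
    @{ Email = 'alice@contoso.com'; Expires = (Get-Date '2010-01-26') }   # 15 days out: first warning
    @{ Email = 'bob@contoso.com';   Expires = (Get-Date '2010-01-12') }   # 1 day out
    @{ Email = 'carol@contoso.com'; Expires = (Get-Date '2010-01-08') }   # already expired
    @{ Email = 'dave@contoso.com';  Expires = (Get-Date '2010-03-01') }   # outside the warning window
    @{ Email = 'erin@contoso.com';  Expires = $null }                     # password never expires
)

# Dry run: show who would be mailed and with which subject, without sending anything.
foreach ($u in $sampleUsers) {
    $n = Get-ExpiryNotification -EmailAddress $u.Email -PasswordExpirationDate $u.Expires -RunDate $runDate
    if ($n) { "{0,-20} {1,4} day(s)  {2}" -f $n.To, $n.DaysLeft, $n.Subject }
    else    { "{0,-20} skipped" -f $u.Email }
}
```

Change `$runDate` to the following nights to watch the same user move from 15 days to 14 and so on. Because the function returns an object instead of sending mail, the same logic can be plugged into the real script and the `Send` call kept behind a switch while you test against a single user.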
Below is the script. Make sure you modify the appropriate variables and test it on a single user before running it against everyone in your environment. If run improperly it has the potential to really confuse the end users, so please contact MessageOps, at support@messageops.com, if you have any questions prior to running it. We'll be glad to help you implement or customize the script in your environment.
You can download the properly formatted script here.
#Microsoft Online Password Expiration Notification Script
#
#Written By:Chad Mosman, MessageOps, www.messageops.com
#
#This script notifies users via email when their Microsoft Online Password is about
#to expire. It is designed to be scheduled to run on a daily basis. Due to the way
#it searches for users, it requires directory synchronization be enabled for the domain
#it is run against.
#
#The following variables should be modified before running the script
#
#$AdvancedWarning - Controls how many days before expiration the users will be notified
#that their password is about to expire. Default is 15 days.
#
#$mailFrom - Enter the email address that the notification will appear to come from.
#
#$SMTPServer - If inbound mailflow is enabled for your Microsoft Online domain, the default of
#mail.global.frontbridge.com should work. Otherwise, specify the name of your on-premise
#mail system.
#
#$powerUser - Username of an account with Service Admin Rights in Microsoft Online.
#
#$powerpass - Password of the account with Service Admin Rights in Microsoft Online. The script
#stores it in clear text, so restrict read access to the script file to the account that runs
#the scheduled task.
#
#$sourceServer - Your on-premise domain, used to look up each user's hosted Exchange mailbox.
#
#$subject, $body - The notification message subject and body can be customized to your needs.
#
#When testing it is recommended the script be run against a single user. To do that, change:
#
#$collitems = Get-XsActiveDirectoryUser -Identity * ...
#To
#$collitems = Get-XsActiveDirectoryUser -Identity EmailAddressOfTestUser ...
#
#leaving the rest of that line unchanged.
#
#For assistance with the script, to report problems, or provide comments contact support@messageops.com
#
#Number of days in advance the user should be warned that their password is about to expire
$AdvancedWarning = 15
#Email address that the notification email will appear to be from
$mailFrom = "user@yourdomain.com"
#If inbound mailflow is not enabled on your domain in Microsoft Online, change this value
#to your on-premise mail server which should forward to Microsoft Online
$smtpServer = "mail.global.frontbridge.com"
#On-premise domain used to look up each user's hosted Exchange mailbox (-SourceServer)
$sourceServer = "domain.com"
#Microsoft Online Service Account Username and Password
#The password is stored in clear text; anyone who can read this file can read it, so lock down
#the file's permissions to the account the scheduled task runs as
$powerUser = "user@domain.microsoftonline.com"
$powerPass = "Password"
$password = ConvertTo-SecureString $powerPass -AsPlainText -Force
$adminCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $powerUser, $password
#Get all objects in your local Active Directory that are synchronized to Microsoft Online
$collitems = Get-XsActiveDirectoryUser -Identity * -ResultSize 100000 -Quiet | Search-XsMicrosoftOnlineDirectory -Credential $adminCredential
foreach ($objitem in $collitems) {
    #Determine if the user has been activated or not
    if ($objitem.HardMatchName -ne $null) {
        $mailbox = Get-XsHostedExchangeMailbox -SourceIdentity $objitem.HardMatchName -SourceServer $sourceServer | Search-XsMicrosoftOnlineDirectory -Credential $adminCredential
        #check to see if the account is activated
        if ($mailbox.TargetSendQuota -gt 0) {
            #format the email address
            $emailAddress = $mailbox.HardMatchName -replace "SMTP:", ""
            #get the password expiration date for the current user
            $user = Get-MsOnlineUser -Identity $emailAddress -Credential $adminCredential
            #skip accounts with no expiration date (password set to never expire) instead of
            #failing on the date arithmetic below
            if ($user.PasswordExpirationDate -eq $null) { continue }
            #calculate the number of whole days between now and the password expiration date;
            #a negative value means the password has already expired
            $datedifference = ($user.PasswordExpirationDate - [DateTime]::Now).Days
            #is the password going to expire within the number of days configured in $AdvancedWarning?
            if ($datedifference -le $AdvancedWarning) {
                if ($datedifference -le 0) {
                    $subject = "IMMEDIATE ACTION REQUIRED: Your Microsoft Online Password Has Expired"
                    $body = "Your Microsoft Online password has expired. "
                }
                elseif ($datedifference -eq 1) {
                    $subject = "IMMEDIATE ACTION REQUIRED: Your Microsoft Online Password will expire in 1 day"
                    $body = "Your Microsoft Online password will expire in 1 day. "
                }
                else {
                    #build the strings with interpolation; a comma-separated list here would produce
                    #an array rather than a single string
                    $subject = "ACTION REQUIRED: Your Microsoft Online Password will expire in $datedifference days"
                    $body = "Your Microsoft Online password will expire in $datedifference days. "
                }
                $body = $body + "Please use the Microsoft Online Sign in Client to change your password. If you do not use the Sign In Client, browse to https://home.microsoftonline.com to reset your password."
                #send notification to user
                $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
                $smtp.Send($mailFrom, $emailAddress, $subject, $body)
            }
        }
    }
}