One gotcha to be aware of when changing password polices in Office 365 is this – once you change the password policy so that passwords never expire, your users will be unable to change their passwords in the Self Service options. The error that they’ll see doesn’t really tell you much:
The tricky thing about this is that the Office 365 Admin Center doesn’t show you when the password policy is set to never expire – here’s an example of a tenancy where passwords are set to never expire:
You’ll notice that it still shows 730 days (2 years is the maximum time frame you can enter into that field) in the password expiry field – this is because the password expiration policy is set globally, but through PowerShell it’s set on a per user basis. You’ll need to dive into PowerShell to find the truth of the matter.
To verify that password expiry is set to never expire, run the following command:
Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires
This shows that some users have been set to never expire, while any user created after that will (by default) inherit the global password expiry policy.
To set the password expiry policy to never expire for an individual user, run the following command:
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -PasswordNeverExpires $true
If you want to change the policy for all users then run the following:
Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true
Just make sure you let your users know that they’ll need to have their password reset by an administrator if they forget it, and you’re good to go.