MS 365 Password Policy - Global Admin Accounts

Can someone help me with regard to the MS 365 password policy?

I know I can set a password policy on 365. Pretty simple to do, but would this also apply to the global admin/owner account?

I would like everyone's password in the 365 domain to request a change at a certain date. Doing research and testing in PowerShell, I can see that the global admin/owner account does not have a value when I process the Get-MsolUser | Select UserPrincipalName, PasswordNeverExpires. It is blank.

I know I can set this manually by running a set script in PowerShell, but there must be a reason why MS decided not to include it. Quite silly to have it not changeable, in my opinion...

Your help is greatly appreciated.

CodeTwo Software (Software Developer) commented:
Hello N00b2015,
Normally, no accounts should have the $null value set for the PasswordNeverExpires attribute. Even when an account (global admin or not) has the value set to $null, you can easily set it to either $true or $false and it should work for every type of account.
As a side-note, there are a few valid reasons to set the global admin's PasswordNeverExpires to $true. One of them is that the password expiration of the global admin's account may stop syncing on-prem AD with its Azure counterpart.
N00b2015 (Author) commented:
Thank you code!

I was thinking the same. Also, in regards to AD sync: I do not personally use it for 365, just for their mail etc., but it could be a feature in the backend for MS? I'm just cautious of setting the value back to expire for a particular reason. Either way, I've submitted a response to MS and await their reply, which I'll post back here.
CodeTwo Software (Software Developer) commented:
I do not believe it is used by Microsoft at any point. AD sync is only used if you have a hybrid environment. To be honest, I cannot see another scenario in which global password expiration of the admin's account would cause problems. Especially because, from my experience, the admin is the one who spends the most time in Office 365 and would be the first to update their password.

N00b2015 (Author) commented:
Thank you.

I think in my scenario...

There is a small company of 4 members of staff which has the simplest of setups. The owner has bought 365 but doesn't do any of the admin side; I do, for their mail. Although I'm not an active support user for them, as I would like them to be as independent as possible, I would like to protect their security also. So as their admin, I don't go on the console as often, thus possibly missing the password expiry. The only impact I could see with a global admin account expiring would be that the owner would have to go through the password recovery setup, which is fine.
CodeTwo Software (Software Developer) commented:
I think that in your situation, you can freely apply the password expiration policy to the admin's account. Usually, password recovery setup is not necessary; all that the admin will have to do is log in to the Office 365 portal using the old password. He/She will be prompted to set a new password.
It is a good practice to set a recurrent meeting to change the password before the expiration date - this way, you can prevent a situation when, for example, Outlook stops working.
Aaron Guilmette (Technology Solutions Professional) commented:
If you are syncing accounts *and* passwords (using password hash sync), the on-premises password policy will apply for all synced accounts.  If you have cloud accounts (they'll show as Cloud in the portal vs Synced for synced accounts), the Office 365 password policy takes effect.

The PasswordNeverExpires property is set when you set the user account to never expire.  If it is blank, it means you are following the Office 365 password policy.

N00b2015 (Author) commented:
That makes sense if it is blank! Thank you everyone for your help. I just used Set-MsolUser to ensure that field was set to $false to expire.
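
The check discussed in this thread, as an added example that is not code from any of the participants: a report that separates a blank PasswordNeverExpires value (which, per the answer above, means the tenant policy applies) from an explicit $true or $false, and flags global admin accounts. The function name Get-PasswordExpiryReport, its parameters and the sample accounts are hypothetical and constructed for illustration; the live commands in the closing comments assume the MSOnline module and an existing Connect-MsolService session.

```powershell
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [int] $ValidityDays,  # policy length in days, supplied by the caller
        [string[]] $AdminUpn = @(),                  # UPNs to flag as global admins
        [datetime] $AsOf = (Get-Date)
    )
    process {
        # Three distinct states: blank ($null), explicit $true, explicit $false.
        if ($null -eq $User.PasswordNeverExpires) {
            $state = 'Blank (follows tenant policy)'
        } elseif ($User.PasswordNeverExpires) {
            $state = 'Never expires'
        } else {
            $state = 'Expires (set explicitly)'
        }
        # Only accounts that are not exempt get a projected expiry date.
        $expiresOn = $null
        if ($User.PasswordNeverExpires -ne $true -and $User.LastPasswordChangeTimestamp) {
            $expiresOn = ([datetime]$User.LastPasswordChangeTimestamp).AddDays($ValidityDays)
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            GlobalAdmin       = $AdminUpn -contains $User.UserPrincipalName
            Setting           = $state
            ExpiresOn         = $expiresOn
            DaysLeft          = if ($expiresOn) { [int]($expiresOn - $AsOf).TotalDays } else { $null }
        }
    }
}

# Constructed sample accounts (not real data), shaped like Get-MsolUser output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'owner@example.com';  PasswordNeverExpires = $null;  LastPasswordChangeTimestamp = '2019-01-10' }
    [pscustomobject]@{ UserPrincipalName = 'staff1@example.com'; PasswordNeverExpires = $false; LastPasswordChangeTimestamp = '2018-12-20' }
    [pscustomobject]@{ UserPrincipalName = 'svc@example.com';    PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = '2017-06-01' }
)
$sample |
    Get-PasswordExpiryReport -ValidityDays 90 -AdminUpn 'owner@example.com' -AsOf '2019-03-01' |
    Format-Table -AutoSize

# Live use against a tenant (replace <days> with the tenant's password validity period):
# $role   = Get-MsolRole -RoleName 'Company Administrator'
# $admins = (Get-MsolRoleMember -RoleObjectId $role.ObjectId).EmailAddress
# Get-MsolUser -All | Get-PasswordExpiryReport -ValidityDays <days> -AdminUpn $admins
```

Accounts reported as "Never expires" are the ones a Set-MsolUser -PasswordNeverExpires $false call would bring back under the policy.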