Enable Strong Passwords for Office 365 Users

By | December 21, 2016

Recently my company has been going through security auditing, and it was discovered that many of the first user accounts created on Office 365 had been grandfathered into a low-security password model. By connecting to the Office 365 PowerShell interface, I was able to run a query to find out who had the StrongPasswordRequired flag set to false. Well, we needed to change this, and by searching around online, almost everything I came across was how to DISABLE strong passwords on Office 365, so I decided to write an article about how to ENABLE strong passwords.

 

First, you need to download and install both the Microsoft Online Services Sign-In Assistant for IT Professionals RTW and the Azure Active Directory Module for PowerShell.

Then you should be able to open a PowerShell window (as an administrator).

Type in the commands:

Set-ExecutionPolicy Unrestricted

Connect-MSOLService

At this point you will be prompted for a username and password. There is a very important step that many other websites have left out, or I’m just the only administrator with MFA (Multi-Factor Authentication) enabled. If your account has MFA enabled, you will need to either disable it, or create another user who is a global admin and who doesn’t have MFA enabled. The PowerShell modules do not support MFA.

Once you get past that roadblock, type in your username and password to log in.

Get-MsolUser -All | Where-Object {$_.StrongPasswordRequired -ne "True"}

If you want to export this to a CSV because the list is too long, or you want to review it outside of PowerShell, add | Export-Csv c:\scripts\msolsp.csv to the end of that command. Obviously the file path will need to be set accordingly, and you can name the file anything you wish.

Once you have your list of users and you are ready to set the StrongPasswordRequired flag to true for the user accounts, simply append 'Set-MsolUser -StrongPasswordRequired $True' to the end of your query:

Get-MsolUser -All | Where-Object {$_.StrongPasswordRequired -ne "True"} | Set-MsolUser -StrongPasswordRequired $True

This will take every user returned from the Get statement and apply the Set statement to that user. If you need to filter the list down further, either use the EnabledFilter parameter of Get-MsolUser, or add to the Where-Object command to fit your needs.
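
The same audit-then-fix pipeline, wrapped so it can be dry-run and verified. This is an added example, not part of the original post. It assumes the MSOnline module is loaded and Connect-MsolService has already succeeded; the function name, parameter name and default CSV path are illustrative.

```powershell
# Added example: requires the MSOnline module and an existing Connect-MsolService session.
# Function name, parameter name and default CSV path are illustrative assumptions.
function Enable-StrongPasswordRequirement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Where to save the list of accounts found before any change is made
        [string]$AuditPath = 'C:\scripts\msolsp.csv'
    )

    # -All lifts the default result cap so large tenants are fully covered
    $targets = @(Get-MsolUser -All |
        Where-Object { $_.StrongPasswordRequired -ne $true })

    if ($targets.Count -eq 0) {
        Write-Verbose 'Every account already requires a strong password.'
        return
    }

    # Keep a record of which accounts were flagged, for the audit trail
    $targets |
        Select-Object UserPrincipalName, DisplayName, StrongPasswordRequired |
        Export-Csv -Path $AuditPath -NoTypeInformation

    foreach ($user in $targets) {
        # ShouldProcess makes -WhatIf and -Confirm work on this wrapper
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Require strong password')) {
            try {
                Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                    -StrongPasswordRequired $true -ErrorAction Stop
            }
            catch {
                # Report the failure and continue with the remaining accounts
                Write-Warning "Failed for $($user.UserPrincipalName): $_"
            }
        }
    }

    # Re-query and return anything still not compliant (no output means success)
    Get-MsolUser -All |
        Where-Object { $_.StrongPasswordRequired -ne $true } |
        Select-Object UserPrincipalName, StrongPasswordRequired
}

# Dry run first: shows which accounts would change without modifying any of them
Enable-StrongPasswordRequirement -WhatIf
```

Run it again without -WhatIf to apply the change; any accounts it returns afterwards are the ones that still need attention.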

 

And there you have it. That is how you ENABLE strong passwords for your organization via PowerShell.

 
