๐Ÿ” Recipe ยท Entra ID & Identity

Check When a Microsoft 365 User's Password Expires

Determine the password expiration date for any Microsoft 365 user and proactively notify them before lockout

Complexity

Beginner

Impact

user-support + security + password-policy + entra-id + read-only

Context

Why This Matters

End users frequently ask IT when they need to change their password to avoid being locked out. In Microsoft 365, password expiration behavior depends on the tenant's password policy and per-user settings. Some users may have PasswordNeverExpires enabled, while others inherit the tenant default (commonly 90 days or disabled entirely in modern tenants following Microsoft's recommendation).

This recipe shows how to calculate a user's password expiration date by combining the last password change timestamp with the tenant password validity period. It is useful for:

  • Responding to individual user questions about upcoming expiration
  • Proactively warning users before their password expires
  • Auditing accounts whose passwords never expire (a security concern)
  • Troubleshooting authentication failures suspected to be caused by expired credentials

Expected Outcomes

After completing this recipe you will have:

  • The exact date and time of the user's last password change
  • The tenant's password validity period (in days)
  • A calculated password expiration date for the user
  • Confirmation of whether the user's password is set to never expire
  • The number of days remaining until expiration

Risks & Considerations

Considerations

  • Microsoft's current guidance is to disable password expiration in favor of MFA and risk-based conditional access. Verify your organization's policy before recommending any expiration scheme.
  • The lastPasswordChangeDateTime property only updates when the user actually changes their password; it does not reflect forced resets in all cases. Validate against sign-in logs if precision matters.
  • Per-user PasswordNeverExpires overrides the tenant policy. A user with this flag set will never receive an expiration warning even if the tenant policy enforces rotation.
  • The tenant-wide password validity period is stored on the domain object (passwordValidityPeriodInDays), not the user. A value of 2147483647 (Int32.MaxValue) indicates "never expires" at the tenant level.
  • Do not communicate expected expiration dates to users as a guarantee; admins or policy changes can force a reset at any time.
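
The calculation this recipe describes, as an added example (not code from the original page or from Dex): it works offline on dictionaries shaped like Microsoft Graph user and domain objects. The `password_expiry` helper, the sample records, the use of the `DisablePasswordExpiration` policy string as the Graph form of PasswordNeverExpires, and the 90-day fallback for an unset validity period are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

NEVER_EXPIRES_DAYS = 2147483647  # Int32.MaxValue, the tenant-level "never expires" marker

def password_expiry(user, domain, now, default_validity_days=90):
    """Combine a Graph-shaped user and domain record into an expiry report."""
    validity = domain.get("passwordValidityPeriodInDays")
    if validity is None:
        validity = default_validity_days  # assumption: unset means the 90-day default
    raw = user.get("lastPasswordChangeDateTime")
    last_change = datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None
    policies = {p.strip() for p in (user.get("passwordPolicies") or "").split(",")}
    report = {"lastChange": last_change, "validityDays": validity,
              "neverExpires": False, "expiresOn": None, "daysRemaining": None}
    # The per-user flag overrides the tenant policy; the sentinel must be caught
    # before date arithmetic because timedelta(days=2147483647) overflows.
    if "DisablePasswordExpiration" in policies or validity >= NEVER_EXPIRES_DAYS:
        report["neverExpires"] = True
        return report
    if last_change is None:
        return report  # no timestamp on the record: nothing to calculate
    report["expiresOn"] = last_change + timedelta(days=validity)
    # Whole days left, rounded down; negative once the password has expired.
    report["daysRemaining"] = (report["expiresOn"] - now).days
    return report

# Constructed sample data (not real accounts or a real tenant).
DOMAIN = {"id": "contoso.example", "isDefault": True, "passwordValidityPeriodInDays": 90}
USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "lastPasswordChangeDateTime": "2025-01-10T08:30:00Z", "passwordPolicies": None},
    {"userPrincipalName": "svc-backup@contoso.example",
     "lastPasswordChangeDateTime": "2023-03-01T00:00:00Z",
     "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword"},
]
NOW = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for u in USERS:
        r = password_expiry(u, DOMAIN, NOW)
        print(u["userPrincipalName"], "never expires" if r["neverExpires"]
              else f"expires {r['expiresOn']:%Y-%m-%d %H:%M} UTC, {r['daysRemaining']} days left")
```

Accounts reported with `neverExpires` set are the ones to collect for the never-expiring-password audit mentioned above.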

Required Permissions

Permission           Why It's Needed
User.Read.All        Read user properties including lastPasswordChangeDateTime and passwordPolicies
Domain.Read.All      Read the tenant's password validity period from the default domain
Directory.Read.All   Alternative broader scope if User.Read.All + Domain.Read.All are not available

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Check when {user}'s Microsoft 365 password expires. Report the last password change date, the tenant password validity policy, the calculated expiration date, and days remaining, and flag if the account is set to never expire.

For End Users

How an employee would ask Dex for help

When do I need to change my Microsoft 365 password? I don't want to get locked out.