diff --git a/Office 365 Password Expiry Report/PasswordExpiryReport.ps1 b/Office 365 Password Expiry Report/PasswordExpiryReport.ps1 new file mode 100644 index 0000000..60c1028 --- /dev/null +++ b/Office 365 Password Expiry Report/PasswordExpiryReport.ps1 @@ -0,0 +1,230 @@ +<# +============================================================================================= +Name: Export Office 365 Users’ Last Password Change Date using MS Graph +website: o365reports.com +Script by: O365Reports Team +Version: 4.0 +For detailed Script execution: https://o365reports.com/2020/02/17/export-office-365-users-last-password-change-date-to-csv +============================================================================================ +#> +Param +( + [Parameter(Mandatory = $false)] + [switch]$PwdNeverExpires, + [switch]$PwdExpired, + [switch]$LicensedUserOnly, + [int]$SoonToExpire, + [int]$RecentPwdChanges, + [switch]$EnabledUsersOnly, + [string]$TenantId, + [string]$ClientId, + [string]$CertificateThumbprint +) + +$MsGraphModule = Get-Module Microsoft.Graph -ListAvailable +if($MsGraphModule -eq $null) +{ + Write-host "Important: Microsoft graph module is unavailable. It is mandatory to have this module installed in the system to run the script successfully." + $confirm = Read-Host Are you sure you want to install Microsoft graph module? [Y] Yes [N] No + if($confirm -match "[yY]") + { + Write-host "Installing Microsoft graph module..." + Install-Module Microsoft.Graph -Scope CurrentUser + Write-host "Microsoft graph module is installed in the machine successfully" -ForegroundColor Magenta + } + else + { + Write-host "Exiting. `nNote: Microsoft graph module must be available in your system to run the script" -ForegroundColor Red + Exit + } +} +if(($TenantId -ne "") -and ($ClientId -ne "") -and ($CertificateThumbprint -ne "")) +{ + Connect-MgGraph -TenantId $TenantId -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -ErrorAction SilentlyContinue -ErrorVariable ConnectionError|Out-Null + if($ConnectionError -ne $null) + { + Write-Host $ConnectionError -Foregroundcolor Red + Exit + } +} +else +{ + Connect-MgGraph -Scopes "Directory.Read.All" -ErrorAction SilentlyContinue -Errorvariable ConnectionError |Out-Null + if($ConnectionError -ne $null) + { + Write-Host "$ConnectionError" -Foregroundcolor Red + Exit + } +} +Write-Host "Microsoft Graph Powershell module is connected successfully" -ForegroundColor Green +Select-MgProfile beta + +$UserCount = 0 +$PrintedUser = 0 +$Result = "" +$PwdPolicy=@{} +#Output file declaration +$ExportCSV = ".\PasswordExpiryReport_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm` tt).ToString()).csv" + +#Getting Password policy for the domain +$Domains = Get-MgDomain #-Status Verified +foreach($Domain in $Domains) +{ + #Check for federated domain + if($Domain.AuthenticationType -eq "Federated") + { + $PwdValidity = 0 + } + else + { + $PwdValidity = $Domain.PasswordValidityPeriodInDays + if($PwdValidity -eq $null) + { + $PwdValidity = 90 + } + } + $PwdPolicy.Add($Domain.Id,$PwdValidity) +} +Write-Host Generating report... -ForegroundColor Magenta +#Loop through each user +Get-MgUser -All -Property DisplayName,UserPrincipalName,LastPasswordChangeDateTime,PasswordPolicies,AssignedLicenses,AccountEnabled | foreach{ + $UPN = $_.UserPrincipalName + $DisplayName = $_.DisplayName + [boolean]$Federated = $false + $UserCount++ + #Remove external users + if($UPN -like "*#EXT#*") + { + return + } + $PwdLastChange = $_.LastPasswordChangeDateTime + $PwdPolicies = $_.PasswordPolicies + $LicenseStatus = $_.AssignedLicenses + $Print = 0 + Write-Progress -Activity "`n Processed user count: $UserCount "`n" Currently Processing: $DisplayName" + if($LicenseStatus -ne $null) + { + $LicenseStatus = "Licensed" + } + else + { + $LicenseStatus = "Unlicensed" + } + if($_.AccountEnabled -eq $true) + { + $AccountStatus = "Enabled" + } + else + { + $AccountStatus = "Disabled" + } + #Finding password validity period for user + $UserDomain= $UPN -Split "@" | Select-Object -Last 1 + $PwdValidityPeriod=$PwdPolicy[$UserDomain] + #Check for Pwd never expires set from pwd policy + if([int]$PwdValidityPeriod -eq 2147483647) + { + $PwdNeverExpire = $true + $PwdExpireIn = "Never Expires" + $PwdExpiryDate = "-" + $PwdExpiresIn = "-" + } + elseif($PwdValidityPeriod -eq 0) #Users from federated domain + { + $Federated = $true + $PwdExpireIn = "Insufficient data in O365" + $PwdExpiryDate = "-" + $PwdExpiresIn = "-" + } + elseif($PwdPolicies -eq "none" -or $PwdPolicies -eq "DisableStrongPassword") #Check for Pwd never expires set from Set-MsolUser + { + $PwdExpiryDate = $PwdLastChange.AddDays($PwdValidityPeriod) + $PwdExpiresIn = (New-TimeSpan -Start (Get-Date) -End $PwdExpiryDate).Days + if($PwdExpiresIn -gt 0) + { + $PwdExpireIn = "Will expire in $PwdExpiresIn days" + } + elseif($PwdExpiresIn -lt 0) + { + #Write-host `n $PwdExpiresIn + $PwdExpireIn = $PwdExpiresIn * (-1) + #Write-Host ************$pwdexpiresin + $PwdExpireIn = "Expired $PwdExpireIn days ago" + } + else + { + $PwdExpireIn = "Today" + } + } + else + { + $PwdExpireIn = "Never Expires" + $PwdExpiryDate = "-" + $PwdExpiresIn = "-" + } + #Calculating Password since last set + $PwdSinceLastSet = (New-TimeSpan -Start $PwdLastChange).Days + #Filter for enabled users + if(($EnabledUsersOnly.IsPresent) -and ($_.AccountEnabled -eq $false)) + { + return + } + #Filter for user with Password nerver expires + if(($PwdNeverExpires.IsPresent) -and ($PwdExpireIn -ne "Never Expires")) + { + return + } + + #Filter for password expired users + if(($PwdExpired.IsPresent) -and (($PwdExpiresIn -ge 0) -or ($PwdExpiresIn -eq "-"))) + { + return + } + + #Filter for licensed users + if(($LicensedUserOnly.IsPresent) -and ($LicenseStatus -eq "Unlicensed")) + { + return + } + + #Filter for soon to expire pwd users + if(($SoonToExpire -ne "") -and (($PwdExpiryDate -eq "-") -or ($SoonToExpire -lt $PwdExpiresIn) -or ($PwdExpiresIn -lt 0))) + { + return + } + + #Filter for recently password changed users + if(($RecentPwdChanges -ne "") -and ($PwdSinceLastSet -gt $RecentPwdChanges)) + { + return + } + if($Federated -eq $true) + { + $PwdExpiryDate = "Insufficient data in O365" + $PwdExpiresIn = "Insufficient data in O365" + } + $PrintedUser++ + #Export result to csv + $Result = [PSCustomObject]@{'Display Name'=$_.DisplayName;'User Principal Name'=$UPN;'Pwd Last Change Date'=$PwdLastChange;'Days since Pwd Last Set'=$PwdSinceLastSet;'Pwd Expiry Date'=$PwdExpiryDate;'Friendly Expiry Time'=$PwdExpireIn ;'License Status'=$LicenseStatus;'Days since Expiry(-) / Days to Expiry(+)'=$PwdExpiresIn;'Account Status'=$AccountStatus} + $Result | Export-Csv -Path $ExportCSV -Notype -Append +} +if($UserCount -eq 0) +{ + Write-Host No records found +} +else +{ + Write-Host "`nThe output file contains " -NoNewline + Write-Host $PrintedUser users. -ForegroundColor Green + if((Test-Path -Path $ExportCSV) -eq "True") + { + Write-Host `nThe Output file available in $ExportCSV -ForegroundColor Green + $Prompt = New-Object -ComObject wscript.shell + $UserInput = $Prompt.popup("Do you want to open output file?",` 0,"Open Output File",4) + if ($UserInput -eq 6) + { + Invoke-Item "$ExportCSV" + } + } +} +Disconnect-MgGraph | Out-Null \ No newline at end of file