Automatically Notify Microsoft 365 Users of Upcoming Password Expiration Using PowerShell & Azure Automation

Marco NotarrigoMarco Notarrigo
3 min read

Ensuring your Microsoft 365 users are aware of password expiration is critical for both security and productivity. Without proper notification, users can get locked out unexpectedly, causing support overhead and frustration. While Microsoft 365 doesn't send these notifications by default, we can fix that.

In this guide, you'll learn how to automate password expiration checks and send timely email alerts using:

  • PowerShell

  • Microsoft Graph API

  • Azure Automation (or local execution)

πŸ“Š What This Script Does

  • Connects to Microsoft Graph using App Registration

  • Retrieves users from a dynamic Microsoft 365 group

  • Checks their last password change date

  • Calculates days until expiration (based on org policy)

  • Sends custom email notifications for users whose passwords will expire soon (e.g., within 7 days)

πŸ’‘ Note: The script assumes all users in the dynamic group have passwords that do expire (e.g., users logging in via Microsoft Entra ID Join). Therefore, it does not need to filter out accounts with PasswordNeverExpires, since the group logic already excludes them.

πŸ“„ Pre-Requisites

1. App Registration in Entra ID

  • Create an app in Entra ID > App Registrations

  • Assign API Permissions:

    • User.Read.All

    • Group.Read.All

    • Mail.Send

  • Grant Admin Consent

  • Generate a client secret and note the Application (Client) ID and Directory (Tenant) ID

2. Licensed Sender Mailbox

Ensure your app is authorized to send mail on behalf of a licensed user, such as noreply@yourdomain.com.

3. Optional: Azure Automation Setup

Store sensitive variables as Automation Variables:

  • ClientID

  • ClientSecret

  • TenantID

  • GroupId

  • SenderEmail

  • PasswordExpirationDays

πŸ’‘ Features of the Script

  • Can run locally or inside Azure Automation

  • Smart logging via Write-Log (supports verbosity and silent automation)

  • UPN masking for privacy in logs

  • Error handling and graceful exits

πŸ‘Ί Masked Logging Example

User: jo*****@domain.com | Days remaining: 5
Sending alert...
Email sent to jo*****@domain.com

✎ Script Usage (Locally or in Azure)

⚑ Local Test Example:

.\Notify-M365PasswordExpiry.ps1 `
    -ClientId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -ClientSecret "your-secret" `
    -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -GroupId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -PasswordExpirationDays 45 `
    -SenderEmail "noreply@yourdomain.com" `
    -UseLocalParameters

πŸš€ Scheduled in Azure Automation:

  • Import the script as a Runbook

  • Set up a daily schedule

  • Securely store secrets using Automation Variables

πŸ”§ Under the Hood (Logic Breakdown)

  1. Get access token using client_credentials

  2. Connect to Microsoft Graph

  3. Fetch users from the target group

  4. For each user:

    • Get LastPasswordChangeDateTime

    • Add org-defined expiration window (e.g., 45 days)

    • Calculate remaining days

    • If within 7 days, send email

🧩 Key Functions Explained

πŸ” Get-GraphAccessToken

Authenticates using client credentials and retrieves a Microsoft Graph API access token.

🌐 Connect-ToGraph

Uses the Microsoft Graph PowerShell SDK to establish a session for additional operations like retrieving user data.

πŸ‘₯ Get-GroupUsers

Fetches members from the specified dynamic group by Group ID.

πŸ” Get-UserDetails

Retrieves DisplayName, UserPrincipalName, and LastPasswordChangeDateTime for each user.

βœ‰ Send-EmailNotification

Sends a formatted HTML email to users using Microsoft Graph's sendMail endpoint. The message content is fully customizable based on your organization’s communication style.

πŸ”— GitHub Repository

You can find the full script and future updates here: πŸ”— GitHub – Notify-M365PasswordExpiry.ps1

πŸ“ˆ Benefits

  • Reduces help desk tickets

  • Keeps users informed and proactive

  • Flexible: can run in the cloud or on-prem

  • Secure: supports masked logging and stored secrets

🌐 What You Can Improve Next

  • Integrate Microsoft Teams alerts

  • Write logs to Azure Storage or Log Analytics

  • Localize email messages based on user locale (optional – currently defaulted to English)

πŸš€ Final Thoughts

This script gives you full control over Microsoft 365 password expiration reminders, with enterprise-grade flexibility. Whether you run it in Azure Automation or locally, it's ready to scale and secure.

Have questions or want enhancements? Let's build on this together! ✨

0
Subscribe to my newsletter

Read articles from Marco Notarrigo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

msgraphapiPowershellMicrosoft365automationazure automationscripts

Written by

Marco Notarrigo
Marco Notarrigo

My name is Marco Notarrigo and I am a System Engineer with a passion for Technology, Math and Computer Science. Since I was a kid, I began programming on 8-bit computers such as the Apple II and the Commodore 64. As my passion for technology and computer science has grown over the years, it has turned into a job for me. Over the last years, I have gained experience in DevOps, Security and Cloud Computing, making me well-versed in the principles and practices of these critical fields. Therefore, I want to share this passion with all of you who follow me and hope to inspire you to pursue your interests.