Microsoft Entra ID

Retrieve Password Expiry in Entra ID

by Paul Rigby12/02/202612/02/2026

Password expiry in Microsoft Entra ID is not stored as a single “expiry date” property. Instead, Entra tracks:

Last password change timestamp
Password policies (max age, notification window, etc.)
Whether the account has password expiration disabled

You get the actual expiry date by calculating:

passwordLastSet + passwordAgePolicy

Below are the best methods to retrieve this.

Install the module

Install-Module Microsoft.Graph -Scope AllUsers
Show more lines

Connect

Connect-MgGraph -Scopes "User.Read.All"

Retrieve password info for one user

Get-MgUser -UserId "user@domain.com" -Property passwordPolicies,passwordLastSet
Show more lines

Retrieve expiry date for all users

$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,passwordPolicies,passwordLastSet

$maxAgeDays = 90   # Or whatever your tenant uses

$users | Select-Object `

    DisplayName,

    UserPrincipalName,

    passwordLastSet,

    @{n="PasswordExpiryDate";e={($_.passwordLastSet).AddDays($maxAgeDays)}}

If the user has:

passwordPolicies containing DisablePasswordExpiration
→ Password never expires

Leave a Reply Cancel reply

You must be logged in to post a comment.

► Necessary Cookies Always Active

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.

► Functional Cookies Remark

Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.

► Analytical Cookies Remark

Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.

► Advertisement Cookies Remark

Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.