How to Check Password Expiration Date in PowerShell

If you’ve ever managed user accounts in Microsoft 365, Active Directory, or hybrid environments, you’ve probably run into this situation:

  • A user suddenly can’t log in because their password has expired
  • A service account stops working overnight
  • You need to audit password policies across hundreds (or thousands) of users

I’ve been there more times than I’d like to admit. And almost every time, the quickest and most reliable way to investigate is PowerShell.

In this tutorial, I’ll walk you through how to check password expiration dates using PowerShell, covering both:

  • On-premises Active Directory
  • Microsoft 365 / Azure AD (Entra ID)

We’ll start simple, then build up to real-world automation scripts you can actually use in production.

What is Password Expiration in PowerShell?

When we talk about password expiration in PowerShell, we’re essentially querying user account properties that determine:

  • When the password was last set
  • Whether it expires
  • When it will expire

In most environments, password expiration is controlled by:

  • Domain password policies (AD)
  • Password policies in Microsoft 365 / Entra ID

PowerShell allows us to retrieve and calculate:

  • PasswordLastSet
  • PasswordNeverExpires
  • msDS-UserPasswordExpiryTimeComputed (AD-specific)


Check Password Expiration in Active Directory (On-Prem)

Follow the steps below to check password expiration in on-premises Active Directory.

Step 1: Import Active Directory Module

First things first, make sure the AD module is available:

Import-Module ActiveDirectory

If this fails, install RSAT tools or run from a domain controller.

Step 2: Get Basic User Password Info

Let’s start simple.

Get-ADUser -Identity username -Properties PasswordLastSet, PasswordNeverExpires

What this does:

  • Retrieves the user account
  • Includes password-related properties

Output fields:

  • PasswordLastSet → When the password was last changed
  • PasswordNeverExpires → True/False

Step 3: Calculate Password Expiration Date

Active Directory does not directly store the expiration date. Instead, we calculate it using the domain policy.

Get Domain Password Policy

Get-ADDefaultDomainPasswordPolicy

Look for:

  • MaxPasswordAge

Combine User + Policy

Here’s how I calculate expiration:

$user = Get-ADUser -Identity username -Properties PasswordLastSet
$policy = Get-ADDefaultDomainPasswordPolicy
$expiryDate = $user.PasswordLastSet + $policy.MaxPasswordAge
$expiryDate

Explanation:

  • We take the last password set date
  • Add the maximum password age
  • That gives us the expiration date

Step 4: Use Built-in Expiry Attribute (Better Method)

There’s a more accurate method using:

$user = Get-ADUser -Identity username -Properties "msDS-UserPasswordExpiryTimeComputed"

Then convert:

[datetime]::FromFileTime($user."msDS-UserPasswordExpiryTimeComputed")

Why this is better:

  • Accounts for fine-grained password policies
  • More accurate in complex environments


How to Check Password Expiration for Multiple Users

This is where PowerShell becomes extremely powerful.

Example: Retrieve All Users

Get-ADUser -Filter * -Properties PasswordLastSet

Or

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
Select-Object Name, PasswordLastSet, PasswordNeverExpires

What this does

  • -Filter * → retrieves all users
  • Includes password-related attributes

Add Expiration Calculation

$policy = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter * -Properties PasswordLastSet |
Select-Object Name,
PasswordLastSet,
@{Name="ExpiryDate";Expression={$_.PasswordLastSet + $policy.MaxPasswordAge}}

Explanation of the calculated property

@{Name="ExpiryDate";Expression={...}}

This creates a custom column in the output.

Inside the expression:

  • $_ represents each user
  • We dynamically calculate expiry per user

Export Results for Reporting

Get-ADUser -Filter * -Properties PasswordLastSet |
Select-Object Name,
@{Name="ExpiryDate";Expression={$_.PasswordLastSet + $policy.MaxPasswordAge}} |
Export-Csv "PasswordExpiryReport.csv" -NoTypeInformation

Why this is useful

  • Generates audit reports
  • Shareable with security/compliance teams
  • Can be automated daily


Check Password Expiration in Microsoft 365 (Azure AD / Entra ID)

Now let’s move to cloud environments.

Unlike Active Directory:

  • Password expiration is often disabled by default
  • Policies are applied at the tenant level
  • Data exposure via PowerShell is more limited

Step 1: Connect to Microsoft Graph PowerShell

First, connect to Microsoft Graph using the cmdlet below. The Domain.Read.All scope is needed for the Get-MgDomain call in Step 3.

Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All"

Step 2: Get User Password Info

Get-MgUser -UserId user@domain.com -Property DisplayName, PasswordPolicies | Select-Object DisplayName, PasswordPolicies

Important Note:

In Microsoft 365:

  • Password expiration is controlled differently
  • Some tenants have password expiration disabled by default

Step 3: Check Password Expiration Policy

Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays

Step 4: Calculate Expiration

Unfortunately, Microsoft Graph does not expose a PasswordLastSet property directly.

Instead, use:

Get-MgUser -UserId user@domain.com -Property "lastPasswordChangeDateTime"

Then calculate:

$lastChange = (Get-MgUser -UserId user@domain.com -Property lastPasswordChangeDateTime).lastPasswordChangeDateTime
$expiryDays = 90
$expiryDate = $lastChange.AddDays($expiryDays)
$expiryDate
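The calculation above hard-codes 90 days and ignores per-user overrides. The following added example (not from the original article) combines the three Graph values from Steps 2 to 4; the function name `Get-CloudPasswordExpiry`, the domains and the sample users are hypothetical and constructed for illustration.

```powershell
# Added example: Get-CloudPasswordExpiry and all sample data are hypothetical.
function Get-CloudPasswordExpiry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [hashtable] $ValidityByDomain   # domain name -> days
    )
    process {
        $domain = ($User.UserPrincipalName -split '@')[-1]
        $days   = $ValidityByDomain[$domain]    # hashtable lookup is case-insensitive
        $expiry = $null
        if ("$($User.PasswordPolicies)" -match 'DisablePasswordExpiration') {
            $status = 'NeverExpires (user policy)'
        } elseif ($days -eq [int]::MaxValue) {
            # 2147483647 is what a domain reports when passwords never expire
            $status = 'NeverExpires (domain policy)'
        } elseif ($null -eq $days -or $null -eq $User.LastPasswordChangeDateTime) {
            # No validity period or no change date returned: do not guess
            $status = 'Unknown'
        } else {
            $expiry = $User.LastPasswordChangeDateTime.AddDays($days)
            # Graph timestamps are UTC, so compare against UTC
            if ($expiry -le [datetime]::UtcNow) { $status = 'Expired' }
            else { $status = 'Valid' }
        }
        [pscustomobject]@{
            User       = $User.UserPrincipalName
            Status     = $status
            ExpiryDate = $expiry
        }
    }
}

# Constructed sample data standing in for Get-MgDomain / Get-MgUser output
$policy = @{ 'contoso.example' = 90; 'legacy.example' = [int]::MaxValue }
$utc = [datetime]::UtcNow
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; PasswordPolicies = 'None'; LastPasswordChangeDateTime = $utc.AddDays(-100) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; PasswordPolicies = 'None'; LastPasswordChangeDateTime = $utc.AddDays(-10) }
    [pscustomobject]@{ UserPrincipalName = 'svc@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration'; LastPasswordChangeDateTime = $utc.AddDays(-400) }
    [pscustomobject]@{ UserPrincipalName = 'carol@legacy.example'; PasswordPolicies = 'None'; LastPasswordChangeDateTime = $utc.AddDays(-400) }
)
$users | Get-CloudPasswordExpiry -ValidityByDomain $policy | Format-Table -AutoSize

# Against a real tenant (after Connect-MgGraph):
# $policy = @{}; Get-MgDomain | ForEach-Object { $policy[$_.Id] = $_.PasswordValidityPeriodInDays }
# Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
#     Get-CloudPasswordExpiry -ValidityByDomain $policy
```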


Practical Real World Examples

Now, let me show you some real-world examples.

Find Users Whose Passwords Will Expire in 7 Days

Here is the PowerShell script to find users whose passwords will expire in 7 days. The filter also returns passwords that have already expired, since it only checks that the expiry date falls before seven days from now.

$policy = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter * -Properties PasswordLastSet |
Where-Object {
($_.PasswordLastSet + $policy.MaxPasswordAge) -lt (Get-Date).AddDays(7)
} |
Select-Object Name,
@{Name="ExpiryDate";Expression={$_.PasswordLastSet + $policy.MaxPasswordAge}}

Find Expired Passwords

Here is the PowerShell script to find expired passwords.

$policy = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter * -Properties PasswordLastSet |
Where-Object {
($_.PasswordLastSet + $policy.MaxPasswordAge) -lt (Get-Date)
}

Exclude Service Accounts

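Here is a PowerShell script to find expired passwords, excluding service accounts. It treats accounts with PasswordNeverExpires set to True as service accounts and skips them.

$policy = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
Where-Object {
$_.PasswordNeverExpires -eq $false -and
($_.PasswordLastSet + $policy.MaxPasswordAge) -lt (Get-Date)
}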

In this tutorial, I explained various methods to check the password expiration date in PowerShell. Also, we saw some practical examples. Do let me know in the comments below if you still have any questions.
