If you are using Office 365 without federation with your on-premises Active Directory, you are obligated to change the password for your cloud-based identity every 90 days.
When using BPOS, this was not a large issue, since the sign-in client reminded you to change your password in time.
But with Office 365, when you are for example only using SharePoint Online, there is not yet a way to get password expiration reminders if the users access SharePoint with the direct URL (e.g. https://mycompany.sharepoint.com). This means you potentially end up with users who cannot access SharePoint once their password has expired.
Until they’ve come up with a solution for password expiration reminders via email, one workaround is to set the users' passwords to never expire.
You do this with the PowerShell module for Online Services (http://onlinehelp.microsoft.com/Office365-enterprises/ff652560.aspx) with the following commands:
$cred = Get-Credential
Connect-MsolService -Credential $cred
For one user:
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -PasswordNeverExpires $True
For all users:
# -All is needed because Get-MsolUser returns only the first 500 users by default
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True
Note that this works for all Office 365 services that use Azure Active Directory (Exchange Online, Lync Online and SharePoint Online).
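As an alternative to turning expiry off, the missing reminder can be approximated with a report of accounts that are close to expiry. The following is an added example, not part of the original post or of Microsoft's tooling; the function name Get-ExpiringPassword, the 14-day warning window and the sample users are assumptions, and it relies on the PasswordNeverExpires and LastPasswordChangeTimestamp properties returned by Get-MsolUser.

```powershell
# Added example (requires PowerShell 3.0 or later).
# Assumptions: 90-day validity as stated in the post; the 14-day warning window is a
# hypothetical choice; LastPasswordChangeTimestamp is treated as UTC.
function Get-ExpiringPassword {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [int] $ValidityDays = 90,
        [int] $WarnDays = 14,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        # Accounts exempt from expiry, or with no recorded change, have no expiry date to report.
        if ($User.PasswordNeverExpires -or -not $User.LastPasswordChangeTimestamp) { return }
        $expires  = ([datetime]$User.LastPasswordChangeTimestamp).AddDays($ValidityDays)
        $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -le $WarnDays) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                ExpiresUtc        = $expires
                DaysLeft          = $daysLeft
                Status            = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiringSoon' }
            }
        }
    }
}

# Constructed sample objects standing in for Get-MsolUser output, so the logic runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'anna@example.org'; PasswordNeverExpires = $false; LastPasswordChangeTimestamp = [datetime]'2024-03-10' }
    [pscustomobject]@{ UserPrincipalName = 'bo@example.org';   PasswordNeverExpires = $false; LastPasswordChangeTimestamp = [datetime]'2024-02-01' }
    [pscustomobject]@{ UserPrincipalName = 'cy@example.org';   PasswordNeverExpires = $false; LastPasswordChangeTimestamp = [datetime]'2024-05-20' }
    [pscustomobject]@{ UserPrincipalName = 'svc@example.org';  PasswordNeverExpires = $true;  LastPasswordChangeTimestamp = [datetime]'2023-01-15' }
)
$sample | Get-ExpiringPassword -Now ([datetime]'2024-06-01') | Sort-Object DaysLeft | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-ExpiringPassword | Export-Csv .\expiring-passwords.csv -NoTypeInformation
```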
The idea with federation/ADFS combined with Office 365 is that you don’t have to care about changing/remembering passwords in multiple places.
Of course that is a good thing, and the setup of ADFS is quite easy as long as you know your certificates and size the solution for redundancy.
A couple of days ago I ran into a scenario where I needed to revert/disable federation for an Office 365 domain.
You do it with the PowerShell module for Online Services (can be found at http://go.microsoft.com/fwlink/?linkid=236293).
First you connect to remote PowerShell with the following command, where you will provide your administrative credentials for Office 365:
Then, to change your domain back to a non-federated state, you simply type the command:
Convert-MsolDomainToStandard -DomainName example.com -PasswordFile c:\Passwords.txt
The command converts all users to non-federated ones, creates a new password for each of them and writes it to the file you specified with the “-PasswordFile” flag. It also sets the flag “ForceChangePassword” on the users to $true, so the users have to change their own password after the first time they log on with the new one you provided from the file.
If something goes wrong with the conversion of the users when running the conversion command above, you may have to convert the users manually to non-federated ones with the “Convert-MsolFederatedUser -UserPrincipalName ” cmdlet.