maester365 · blindzero · May 9, 2026 · May 10, 2026 · May 11, 2026 · May 12, 2026
@@ -13,7 +13,6 @@ When setting passwords not to expire it is important to have other controls in p
 * Educate users to not reuse organization passwords anywhere else.
 * Enforce Multi-Factor Authentication registration for all users.
 
-
 #### Remediation action:
 
 To set Office 365 passwords are set to never expire:

@@ -28,8 +28,36 @@
         Write-Verbose 'Get domain details the password expiry period'
         $domains = Invoke-MtGraphRequest -RelativeUri 'domains'
 
-        Write-Verbose 'Get domains where passwords are set to expire'
-        $result = $domains | Where-Object { ($_.PasswordValidityPeriodInDays -ne '2147483647') -and ($_.authenticationType -eq "Managed") }
+        Write-Verbose 'Get verified and managed domains where passwords are set to expire'
+
+        $noPasswordExpiryPeriodInDays = [int]::MaxValue
+
+        $excludedDomains = @()
+        $applicableDomains = @()
+        foreach ($domain in $domains) {
+            # Password policy checks apply only to managed and verified domains.
+            if (($domain.authenticationType -ne "Managed") -or ($domain.isVerified -ne $true)) {
+                $excludedDomains += $domain
+                continue
+            }
+
+            $applicableDomains += $domain
+        }
+
+        $result = $applicableDomains | Where-Object {
+            $passwordValidityPeriodInDays = 0
+            $domainPasswordValidityPeriodInDays = $_.PasswordValidityPeriodInDays
+            # If null or a boolean, the password expiry period is not set, and passwords do not expire.
+            # Return false to indicate this domain does not fail the test.
+            if (($null -eq $domainPasswordValidityPeriodInDays) -or ($domainPasswordValidityPeriodInDays -is [bool])) {
+                return $false
+            }
+            if (-not [int]::TryParse($domainPasswordValidityPeriodInDays.ToString(), [ref]$passwordValidityPeriodInDays)) {
+                return $false
+            }
+            # If valid integer, check if equal to the value that indicates no password expiry (MaxValue).
+            return $passwordValidityPeriodInDays -ne $noPasswordExpiryPeriodInDays
+        }
 
         $testResult = ($result | Measure-Object).Count -eq 0
 
@@ -43,7 +71,9 @@
         $resultMd += "| --- | --- |`n"
         foreach ($item in $domains) {
             $itemResult = '❌ Fail'
-            if ($item.id -notin $result.id) {
+            if ($item.id -in $excludedDomains.id) {
+                $itemResult = '⏭️ Skip'
+            } elseif ($item.id -notin $result.id) {
                 $itemResult = '✅ Pass'
             }
             $resultMd += "| $($item.Id) | $($itemResult) |`n"