Custom password policy allows you to change minimum password length, password history, set lockout and expiration rules.

By default password should consist of at least 8 characters. Passwords must not contain username, SamAccountName, the email address and can't include them as its part. Last 4 passwords can't be reused. Password must contain characters from 3 of the following categories: 

  • English uppercase characters (A-Z)
  • English lowercase characters (a-z)
  • Numbers (0-9)
  • Special characters (e.g., ! $ # %)
    Note: the checks are made against user property called SamAccountName which is visible on a user settings page. SamAccountName is constructed at the time of user creation and consists of the part of their UPN (primary email address) before the @ sign, plus "_" (underscore symbol) + Account name. Maximum size of SamAccountName is 20 characters. Account name may get truncated due to this limitation. You can look up SamAccountName by navigating to Users > click on user's name > click on Display name > See Domain \ User Name. SamAccountName and Full Name are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the SamAccountName or Full Name is split and each section is verified as not included in the password. There is no check for any individual character or any three characters in succession.

Custom Password Policy cannot be less complicated than the default one.

Important: If you utilize DirectoryLink service, you can only set up a custom password policy for the users in your own Active Directory.

You can set up a custom password policy for users on your Exchange account in CONTROL PANEL > Users > User Password Policies or CONTROL PANEL > Services > Compliance > Policies or CONTROL PANEL > Account > Security Policies > User Password Policies.

password policies

On this page, you can:

Restrict/allow users to change passwords

Force All Users to Change Password

Enable Custom Policy

Force password change or enable custom policy

Restrict/allow users to change passwords

By default, all users have the ability to reset/recover their password. If the user knows their current password it can be reset in My Services. Read the Knowledge Base article on How Do I Reset The Password For A Mailbox? Can I Reset The Password In OWA? for more information. If the user doesn't know their password it can be recovered through "Forgot your password" option. Read the Knowledge Base article on How Do I Recover My Mailbox Password? for instructions.

If you check Users cannot change password box and save changes it will result in following:

  • users will not have permissions to reset/recover their password
  • users will not be prompted to add an alternate email address of cell phone information when logging into My Services
  • users will not be getting emails about password expiring

Note: Policy setting Users cannot change password applies to all users. If you want to restrict specific user(s) to change the password it can be done on individual user's settings page. Read knowledge Base article on How Do I Manage User Password Settings for more information.

Force Password Change

You can force users to change the password on next logon. Here is what the user will see when trying to login to Outlook Web Access (OWA):

OWA notification

Here is how Outlook notification looks like:

Outlook notification

Once they receive a notification in Outlook, they will need to change the password by trying to login to OWA or to My Services Control Panel.

Custom Password Policy

You can specify the following settings:

  • minimum password length (min 8, max 127)
  • password expiration period (30, 60, 90, 180 and 365 days periods are available)
    Note: the first password expiration notification is sent 5 days before the expiration date.
  • password history
  • user lock

custom policy

If you enable password expiration you can check the expiration date for an individual user by navigating to CONTROL PANEL > Users > Click on Display Name of the user > Edit User Password Settings

Note: in the default password policy there is no password expiration.

If you choose to unlock the user Manually, they will receive the following notification once locked:


To unlock them go to CONTROL PANEL > Users > click on a user > click Unlock.