A custom password policy lets you change the minimum password length and password history, and set lockout and expiration rules.

By default, a password must consist of at least 8 characters and must not contain the username. The last 4 passwords can't be reused. A password must contain characters from 3 of the following categories:

  • English uppercase characters (A-Z)
  • English lowercase characters (a-z)
  • Numbers (0-9)
  • Special characters (e.g., ! $ # %)

A custom password policy cannot be less complicated than the default one.

Important: If you use the DirectoryLink service, you can only set up a custom password policy for the users in your own Active Directory.
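The default rules above, written out as a checker. This is an added example, not the provider's code: the names `PasswordPolicy`, `violations` and `history_entry` are hypothetical, and the special-character set, the case-insensitive username match and the PBKDF2 storage of password history are assumptions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

REQUIRED_CATEGORIES = 3   # page: characters from 3 of the 4 categories
PBKDF2_ROUNDS = 600_000   # assumption: work factor for stored history hashes

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8   # page default; custom range is 8..127
    history: int = 4      # page default: last 4 passwords can't be reused

    def __post_init__(self):
        # A custom policy cannot go below the default minimum length.
        if not 8 <= self.min_length <= 127:
            raise ValueError("min_length must be between 8 and 127")

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: history holds salted PBKDF2 hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def history_entry(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def categories_used(password: str) -> int:
    # Assumption: "special characters" means ASCII punctuation.
    groups = (string.ascii_uppercase, string.ascii_lowercase,
              string.digits, string.punctuation)
    return sum(any(c in g for c in password) for g in groups)

def violations(policy, username, password, history=()):
    """Return the policy rules that `password` breaks.

    history: (salt, hash) pairs for earlier passwords, newest last.
    """
    found = []
    if len(password) < policy.min_length:
        found.append("too_short")
    # Assumption: the username match is case-insensitive.
    if username and username.lower() in password.lower():
        found.append("contains_username")
    if categories_used(password) < REQUIRED_CATEGORIES:
        found.append("too_few_categories")
    recent = list(history)[-policy.history:] if policy.history > 0 else []
    if any(hmac.compare_digest(hash_password(password, s), h) for s, h in recent):
        found.append("reused")
    return found
```

`violations` returns an empty list when the candidate password satisfies every rule, and only the most recent `policy.history` entries are compared for reuse.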

You can set up a custom password policy for users on your Exchange account in CONTROL PANEL > Users > User Password Policies or CONTROL PANEL > Services > Compliance > Policies or CONTROL PANEL > Account > Security Policies > User Password Policies.

On this page, you can:

  • Restrict/allow users to change passwords
  • Force All Users to Change Password
  • Enable Custom Policy

Restrict/allow users to change passwords

By default, all users have the ability to reset/recover their password. If the user knows their current password, it can be reset in My Services. Read the Knowledge Base article on How Do I Reset The Password For A Mailbox? Can I Reset The Password In OWA? for more information. If the user doesn't know their password, it can be recovered through the "Forgot your password" option. Read the Knowledge Base article on How Do I Recover My Mailbox Password? for instructions.

If you check the Users cannot change password box and save changes, it will result in the following:

  • users will not have permissions to reset/recover their password
  • users will not be prompted to add an alternate email address or cell phone information when logging into My Services
  • users will not receive emails about password expiration

Note: The policy setting Users cannot change password applies to all users. If you want to restrict specific user(s) from changing the password, it can be done on the individual user's settings page. Read the Knowledge Base article on How Do I Manage User Password Settings for more information.

Force Password Change

You can force users to change the password on next logon. Here is what the user will see when trying to log in to Outlook Web Access (OWA):

OWA notification

Here is what the Outlook notification looks like:

Outlook notification

Once they receive a notification in Outlook, they will need to change the password by trying to log in to OWA or to My Services Control Panel.

Custom Password Policy

You can specify the following settings:

  • minimum password length (min 8, max 127)
  • password expiration period (30, 60, 90, 180 and 365 days periods are available)
    Note: the first password expiration notification is sent 5 days before the expiration date.
  • password history
  • user lock

If you enable password expiration, you can check the expiration date for an individual user by navigating to CONTROL PANEL > Users > Click on Display Name of the user > Edit User Password Settings.

If you choose to unlock the user Manually, they will receive the following notification once locked:


To unlock them go to CONTROL PANEL > Users > click on a user > click Unlock.