A friend uses Microsoft’s Exchange Online service for his small company. All was going well until one day he found himself locked out of his email. He had no idea why.
The reason, it turned out, was the password policy set by Microsoft and outlined here:
To help maintain security, you must periodically change your password. When you change your password, be aware of the following:
- You cannot repeat your previous 24 passwords.
- You must change your password at least once every 90 days.
In addition:
Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.
In this case, Microsoft’s PC sign-in applications prompted the user to change his password. He did so. All seemed well, except that his mobile – in which email settings are deeply buried – did not know about the password change and made repeated attempts to collect email. Result: lock-out, and a horrible user experience.
According to this thread, Microsoft has been so besieged with requests to remove the expiration policy that it solved them at a stroke: by refusing them all.
I find this curious. First, it is doubtful whether frequent password changes really enhance security. Users in this case need new non-repeating passwords every 90 days, which means they are more likely to be written down. Remember, you cannot repeat your previous 24 passwords.
Second, it is odd that BPOS admins do not have the ability to disable password expiration policies in their online management tools.
It may seem a small issue, but for some it is a deal-breaker:
At this moment it is not possible to disable password expiration at all. I opened a ticket and technical support told me multiple times they won’t offer that option anymore… It’s disappointing since I lose customers who choose Google Apps over Microsoft Online just because of the password issue.
Apparently this may be fixed in the forthcoming Office 365.
This issue with password lock out is a game changer for us. We have been using BPOS for over a year as we slowly migrate users over – we are all most there and now this problem has pleged a user for four weeks with no solution. We have swiched the user from mac to pc (due to elimate mac keychain password) we have wiped his iphone, and still the lock out happens. We are asking the user to go to his moble supplier and get a new phone, I don’t think that will solve it.
Then we will delete his account with BPOS and add him again and migrate him. Major pain on that one – user will be migrating from on premise Exchange 2003 and all mail since first migration will show up as unread. Not much help with MS – need to elevate but get limited access to Senior tech – often 1st level – who asks us to do steps we have already done 5 or 6 times. Close to punting.
The best would be if they give you the ablitiy to change your account setting on the five and lock formual
You can use the BPOS reset password to reset the user password back to the previous one and avoid the 90 day password expiration.
Use this in a text file with .ps1 and run in powershell.exe
$cred= get-credential
set-msonlineuserpassword -identity USEREMAIL@YOURDOMAIN -Password PASSWORD
-changepasswordonnextlogon $false -Credential $cred
Just run this once a month.
The only bad thing about this security wise is IT will need to know the users password to put in a script.
You can also use this command to reset the password to itself, if someone locked their email account because of a bad password, instead of waiting 15 minutes for it to unlock automatically.