To totally unlock this section you need to Log-in
Login
Got a question today if it is possible to prevent a user from changing his or her own password when using Exchange Online, within Office 365.
The answer is Yes Smile And how to do this? Find one way of doing this in this blog post, using (what did you expect?) the magic of PowerShell.
Setting the scene
You want to create a new user id, called Test, in your own Office 365 production environment, and have the following password characteristics:
- Password should never expire
- Password should not need to be changed at first logon of the user
- Password can not be changed by the user, using OWA.
Step 1 - Create the user
Using the Office 365 admin portal, let's create a new user (basically we're creating a new user in Windows Azure AD):
Step 2 - Changing Password Settings
We do not want my user to sign in with that temporary password, so by using the Microsoft Online Service Module for Windows PowerShell, we change the password to the one we want, and we set it to never expire, and we disable the fact that the user will need to change the password at the first logon.
To set the password to never expire, we're using the cmdlet Set-MsOlUser and adding PasswordNeverExpires, and setting it to $True.
To set the password to a predefined value, we use the cmdlet Set-MsOlUserPassword, and add the new password using NewPassword (be aware, you need to identify the password in clear text here, no need to encrypt it first), and then by adding the ForceChangePassword and setting it to $False, the user won’t be prompted to change it after his first login!
Signing in, the user needs to enter his password we have given the user, and can sign in:
But the user is still able to go to OWA, select Options, and from there change his password.
How to do this in Exchange Online? Using RBAC!
You can create and assign custom roles in Exchange Online. The permission to change your password, is included in the default role assigned to any mail-enabled user in Exchange Online. It is included in the role MyBaseOptions.
First we will create a new role AllButChangePassword, and make it a copy of the existing MyBaseOptions role.
Looking at the parameters that can be set using Set-Mailbox within the role AllButChangePassword, it is visible that password is included:
Time to remove it:
And then to create a new RoleAssignmentPolicy, which will include the AllButChangePassword:
Then assign the new role to our test user:
And time to test! Logging in to OWA as test user, going back to ECP, the ability to change the password is gone!
Disable Change Password in Exchange 2013 OWA
There is security team compliance requirement where they want to prevent a user from changing his or her own password when using Exchange 2013 OWA.
By default you can able to change the password on logging into Exchange 2013 OWA – Option – Change Password.
To disable it perform run the below shell command, in Powershell, and the Change Password will get disappeared from the OWA:
Set-OwaVirtualDirectory -Identity-ChangePasswordEnabled $false
Set-OwaMailboxPolicy -Identity default -ChangePasswordEnabled $false
Set-CASMailbox-OwaMailboxPolicy Default