Office 365 – Password Expiration Notifications in Outlook


The Microsoft Outlook team has released updates for Outlook 2010 and 2007 that provide Office 365 users with password expiration notifications. The advance password expiry notification will be displayed in a pop-up message (near the system clock) within a certain time period before their password actually expires. That time period is configurable by the tenant admin (see links below for more info). For users whose passwords have already expired, Outlook will flash an error message when users try to connect to their mailbox. In both scenarios, Outlook also provides a link (URL) to update passwords via the browser. When users click on those links, they are taken to the Microsoft Online Portal to change/update their passwords.

2745588 Outlook password expiration notification in Office 365

You can download the updates for Outlook 2010 and 2007 through the following KB articles:

  • 2687351 Description of the Outlook 2010 hotfix package (Outlook-x-none.msp): August 28, 2012
  • 2687336 Description of the Outlook 2007 hotfix package (Outlook-x-none.msp): August 28, 2012

Note: To install these updates, you’ll need administrator permissions on the Windows computers. Please contact your Tenant Admin if you are not able to install the updates due to a permissions issue. Also, in the coming months these updates are planned to be released via Microsoft Update.

Outlook User Experience Videos

The following video provides a quick one minute intro of the Outlook user experience. (Duration: 55 seconds, less than a minute)

The following video walks us through the Outlook user experience when the update is installed and the password is about to expire. (Duration: 3 minutes & 23 seconds)

The following video walks us through the Outlook user experience when the update is applied and the password has already expired. (Duration: 3 minutes & 37 seconds)

Frequency of password expiration notification

Early or advance password expiry notification (pop-up message near the system clock) will appear once every 24 hours on a user’s machine. If that same user is using Outlook on multiple machines, he will see the same behavior on all machines, as notifications are paired with the mail profile in Outlook.

Multiple Accounts in a profile

In a situation where a user has configured multiple Office 365 based Exchange accounts in a particular mail profile in Outlook, the user will receive individual notifications for those accounts at appropriate times. The number of simultaneous notifications will not be limited since this information is vital for Outlook users.

Outlook & Lync

If a user has both Outlook & Lync running at the same time connecting to an Office 365 account, he may see two separate notifications as both applications authenticate and connect separately to Office 365 Service and use independent features to display the appropriate notifications. Lync is dependent on the Microsoft Online Services Sign-In Assistant (‘MOS SIA’), while Outlook handles this scenario independently of MOS SIA.

Password Reset

These new updates do not give Outlook users any way to reset a password they have forgotten. They’ll still need to follow the current guidelines for Office 365 users to recover their password.

Below are some topics of interest for Tenant Admins.

How to Set Password Policy Settings

Tenant Admins can use the available PowerShell commands to manage and set the Password Policy related settings. Those commands also allow you to set the time period for advance password expiry notifications that users may see in Outlook.

For help with those commands, see Windows PowerShell cmdlets for Office 365 (Refer to cmdlets: Set-MsolPasswordPolicy and Get-MsolPasswordPolicy)

The following KB article provides instructions with the help of an example on how you can use the PowerShell cmdlets to set the password policy parameters.

2723716 Error message when you run the Set-MsolPasswordPolicy cmdlet in Office 365: “Unable to complete this action”
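
An added example (not from the original post or from Microsoft's documentation) of using the two cmdlets named above: it reports the current policy for each verified, managed domain in the tenant and, when run with -Apply, sets the validity period and notification window. The default values are constructed samples, and the script assumes the MSOnline module is installed.

```powershell
# Added example. The defaults below are constructed sample values,
# not recommendations taken from the page.
param(
    [uint32]$ValidityPeriod   = 90,  # days until a password expires (sample value)
    [uint32]$NotificationDays = 14,  # days before expiry that notifications start (sample value)
    [switch]$Apply                   # without -Apply the script only reports
)

# Sanity check: a notification window as long as the password lifetime
# would warn users from the day they set the password.
if ($NotificationDays -ge $ValidityPeriod) {
    throw "NotificationDays ($NotificationDays) must be less than ValidityPeriod ($ValidityPeriod)."
}

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for tenant admin credentials

# Password policy is set per domain. Federated domains take their policy
# from on-premises Active Directory, so only managed domains are touched.
$domains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed' }

foreach ($domain in $domains) {
    $current = Get-MsolPasswordPolicy -DomainName $domain.Name

    # Values that were never set explicitly come back empty; $null never
    # equals the desired number, so such domains are flagged as needing a change.
    $needsChange = ($current.ValidityPeriod   -ne $ValidityPeriod) -or
                   ($current.NotificationDays -ne $NotificationDays)

    # Emit one report row per domain.
    [pscustomobject]@{
        Domain                  = $domain.Name
        CurrentValidityPeriod   = $current.ValidityPeriod
        CurrentNotificationDays = $current.NotificationDays
        NeedsChange             = $needsChange
    }

    if ($needsChange -and $Apply) {
        Set-MsolPasswordPolicy -DomainName $domain.Name `
            -ValidityPeriod $ValidityPeriod `
            -NotificationDays $NotificationDays
    }
}
```

Running it first without -Apply gives a read-only report of which domains differ from the intended policy.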

Office 365 Managed Vs. Federated Users

Outlook mainly relies on the Windows system notification (managed by Active Directory & Domain Controller) for password expiry in the case of Federated users who are using domain joined machines. Outlook will display the password expiration notifications only for Federated users who are not using domain joined machines and are synchronizing their Active Directory info with the Office 365 Identity management system.

For Federated users, if an organization has implemented a ‘Change Password’ workflow (by extending their logon page with a link to a FIM instance, for example), the OWA (Outlook Web App) link referred to by Outlook will allow the user to change their password by getting them to their AD FS based OWA logon page. If an organization doesn’t allow any password change flow from the outside/Internet, the user will need to utilize other available means (like calling their helpdesk, use VPN or a domain joined machine, etc.) to change his password, in accordance with their organization’s policy.

For more info on configuring access to Outlook Web App, see Configure Sign-In URLs for Outlook Web App

Allie Bellew (Outlook Team)
Gabe Bratton, Amir Haque (Supportability Team)


Comments (12)
  1. markus says:

    Hi Folks,

    great feature, but why is this not available for on premise implementations ?

    We are facing this "issue" now over ten years and would appreciate if we could use this feature also.

    Regards

    Markus

  2. alex says:

    Hi folks,

    I totally agree with Markus.

    It would be great if you may implement this feature for on-premises installations!

    Regards

    Alex

  3. morser says:

    Having this for on premise would be great.

  4. Chris says:

    Shame nothing issued for Outlook 2011 for Mac.

  5. Amir Haque [MSFT] says:

    @ Markus, Alex & Morser:

    Thanks for your comments. When Outlook connects to Exchange Online servers in Office 365, Exchange talks to Identity Management Service (think of it as the Windows Domain Controller in on-prem) to authenticate that Outlook client before it lets it connect to a mailbox (similar to DSProxy process in on-prem scenario). Outlook does not talk directly to Identity Service, rather Exchange facilitates the authentication process. Identity Service stores credential information for all 'managed' users of Office 365, the ones who have no on-prem servers, Exchange or Windows DC, etc. Now for this scenario, Identity Service provides two pieces of info around users' credentials to Exchange when it authenticates Outlook users, i.e. number of days remaining before user's password actually expires (this notification period is configurable by Tenant Admins) & if the password has already expired. This info is then relayed to Outlook by Exchange & Outlook displays appropriate warning/error to its user. This happens when Outlook tries to connect to Exchange using any of the protocols it commonly uses, i.e. MAPI (for mailbox connectivity), EWS (autodiscover, free/busy, OOF, etc.), etc. or even when it's already connected to Exchange. This whole process works differently for on-prem Outlook clients, where classically a Windows Domain Controller is actually responsible for credentials/password maintenance and it works with the underlying Windows OS (domain joined user machines) to surface these warnings. Outlook does still get a warning from Exchange when there is a need to re-authenticate for any reason, and users see an authentication prompt which translates into the 'Need Password' state which Outlook goes into at that time.

    If you have a business need for this feature in on-prem space especially when Outlook is being used on machines that are not domain joined, please do let us know thru the available support channels (1-800-Microsoft) and we can pursue that with product group, of course with no guarantees :) …

    @ Chris:

    We're working on resolving this issue for Mac Outlook as well, we'll share more info when it's ready. :)

  6. markus says:

    Dear readers,

    pls contact your microsoft accounts to get more attention on this feature.

    So we can get a design change request given to the product group.

    Thx in advance to all.

    Regards

    Markus

  7. Richard says:

    Ran in to this foolish Microsoft policy on my company's Office 365 account recently.

    I am the sysadmin. I set policy, not Microsoft. This inane security ploy and the attendant extra work it causes me, as mobile devices fail to retrieve email, is causing me to rethink O365. I am seriously considering switching to Google Apps for Business as a consequence.

  8. Amir Haque [MSFT] says:

    @ Richard: I totally hear you & understand the pain dealing with this issue. We are also working to address this issue for mobile device users, will share more details at an appropriate time in future.

  9. TAK5 says:

    Hi Folks,

    >Outlook will display the password expiration notifications only for Federated users

    Is it true?

  10. TAK5 says:

    Resend….

    Hi Folks,

    >Outlook will display the password expiration notifications only for Federated users

    Is it true?

    In my lab, any notification isn't showing up…

  11. alex says:

    Hi Team,

    From what I've tested, this notification only displays the password expiry alert within 14 days, even if I set notification days and ValidityPeriod to like 30 days.

    Even the alert shows in Office 365 portal (or Sign In Assist) that the password will expire in 30 days, Outlook client will not show such notification prompt only when the password expiry days drops within 14 days.

    Is this the expected behavior?

    Alex

  12. christina says:

    This was a great article and easy for a thirteen year old like me to understand. However what do I do if I let my password expire??? How do I get back on???
