Take away the possibility for users in Exchange Online to change their own password


Today I got a question whether it is possible to prevent a user from changing his or her own password when using Exchange Online within Office 365.

The answer is Yes. And how? One way of doing this is described in this blog post, using (what did you expect?) the magic of PowerShell.

Setting the scene

I want to create a new user id, called Test, in my Office 365 environment, and have the following password characteristics:

– Password should never expire

– Password should not need to be changed at first logon of the user

– Password can not be changed by the user, using OWA.

Step 1. Create the user

Using the Office 365 admin portal, I create my new user:

[Screenshot: the new user Test created in the Office 365 admin portal]

Step 2. Changing Password Settings

I do not want my user to sign in with that temporary password, so using the Microsoft Online Services Module for Windows PowerShell I change the password to the one I want, set it to never expire, and remove the requirement to change the password at first logon.

To set the password to never expire, I use the cmdlet Set-MsolUser with the parameter PasswordNeverExpires set to $True.

To set the password to a predefined value, I use the cmdlet Set-MsolUserPassword with the new password in NewPassword (be aware that the password is passed here in clear text, there is no need to encrypt it first, so keep it out of scripts and shell history), and by adding ForceChangePassword set to $False the user won't be prompted to change it after the first login!
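The two cmdlets above, put together as an added example (this is not the post's own code; the tenant domain contoso.onmicrosoft.com, the UPN test@contoso.onmicrosoft.com and the interactive prompt are my assumptions). The MSOnline module the post relies on has since been retired by Microsoft in favour of Microsoft Graph PowerShell, so treat this as the historical procedure the post describes:

```powershell
# Added example, not code from the original post.
# Assumes the MSOnline module is installed and that test@contoso.onmicrosoft.com is the
# UPN of the Test user created in the admin portal (placeholder values).
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 admin credential')

$upn = 'test@contoso.onmicrosoft.com'

# 1. The password should never expire.
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# 2. Set the password to a value I choose and do not force a change at first logon.
#    Set-MsolUserPassword needs the password in clear text. Read it at the prompt and
#    convert it in memory so it does not land in a script file or the shell history.
$secure = Read-Host -Prompt 'New password for Test' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $plain -ForceChangePassword $false
}
finally {
    # Zero and release the unmanaged copy of the clear-text password.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# 3. Check the result: PasswordNeverExpires should now be True.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
```

Running this in a session with transcription or command logging enabled still records the cmdlet invocation; the prompt only keeps the literal password out of the script itself.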

[Screenshot: Set-MsolUser and Set-MsolUserPassword run in PowerShell]

When signing in, the user enters the password I have given him, and can sign in:

[Screenshot: the test user signing in]

But the user is still able to go to OWA, select Options, and change his password from there.

[Screenshot: the Change password option in OWA Options]

A web search shows that in an Exchange on-premises environment you can disable the Change your password functionality in OWA/ECP with the cmdlet Set-OwaVirtualDirectory and its parameter ChangePasswordEnabled.

But that cmdlet and its parameter are not available in Exchange Online!

How to do this in Exchange Online? Using RBAC!

As described in one of my previous blog posts (Exchange Online (Office365) and RBAC?), you can create and assign custom roles in Exchange Online. The permission to change your own password is included in a role that is assigned by default to every mail-enabled user in Exchange Online: the role MyBaseOptions.

First I create a new role, AllButChangePassword, as a copy (child role) of the existing MyBaseOptions role.

[Screenshot: New-ManagementRole creating AllButChangePassword with MyBaseOptions as parent]

Looking at the parameters of Set-Mailbox that the role AllButChangePassword grants, the Password parameter is included:

[Screenshot: the Set-Mailbox role entry of AllButChangePassword, with Password among its parameters]

Time to remove it:

[Screenshot: removing the Password parameter from the AllButChangePassword\Set-Mailbox role entry]

Then I create a new role assignment policy that includes AllButChangePassword in place of MyBaseOptions (if MyBaseOptions stayed in the policy, the user would keep the Password parameter through it):

[Screenshots: creating the new role assignment policy and its assigned roles]

Then I assign the new role assignment policy to my test user's mailbox:

[Screenshot: assigning the new role assignment policy to the test mailbox with Set-Mailbox]
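The whole RBAC procedure from the steps above, as an added example that is not the post's own code (the screenshots in the post hold the author's actual commands). The policy name No Password Change and the mailbox test@contoso.onmicrosoft.com are my placeholders, and the session is opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module rather than the remote PowerShell session (New-PSSession / Import-PSSession) that was current when the post was written:

```powershell
# Added example, not code from the original post.
# Assumes the ExchangeOnlineManagement module; the account used must hold the
# Role Management role (part of Organization Management), otherwise the
# New-ManagementRole / Set-ManagementRoleEntry cmdlets are not even loaded into the session.
Connect-ExchangeOnline

$role    = 'AllButChangePassword'
$policy  = 'No Password Change'      # placeholder policy name
$mailbox = 'test@contoso.onmicrosoft.com'   # placeholder mailbox

# 1. Copy the default end-user role MyBaseOptions into a child role we can edit.
New-ManagementRole -Name $role -Parent 'MyBaseOptions'

# 2. The Set-Mailbox entry of the copy still carries the Password parameter.
Get-ManagementRoleEntry "$role\Set-Mailbox" | Format-List Name, Parameters

# 3. Strip Password from that entry; everything else in MyBaseOptions stays.
Set-ManagementRoleEntry "$role\Set-Mailbox" -Parameters 'Password' -RemoveParameter

# 4. Build a role assignment policy: the roles of the default policy, with MyBaseOptions
#    swapped for the edited copy. Leaving MyBaseOptions in would hand the parameter back.
$defaultRoles = (Get-RoleAssignmentPolicy 'Default Role Assignment Policy').AssignedRoles |
    ForEach-Object { "$_" } |
    Where-Object { $_ -ne 'MyBaseOptions' }
New-RoleAssignmentPolicy -Name $policy -Roles (@($role) + $defaultRoles)

# 5. Point the test mailbox at the new policy (one user only, not the whole tenant).
Set-Mailbox -Identity $mailbox -RoleAssignmentPolicy $policy

# 6. Verify: the policy's assignments must not contain MyBaseOptions, and the
#    edited role entry must not list Password any more.
Get-ManagementRoleAssignment -RoleAssignee $policy | Select-Object Name, Role
(Get-ManagementRoleEntry "$role\Set-Mailbox").Parameters -contains 'Password'   # expect False
```

Two caveats a practitioner should keep in mind. First, this removes the OWA/ECP path only: as the comments below report, the Office 365 portal's own profile page is a separate path that RBAC in Exchange does not govern. Second, role assignment policies are per mailbox, so to roll this out beyond one user, assign the policy with Set-Mailbox to each mailbox (or make it the default policy with Set-RoleAssignmentPolicy -IsDefault for new mailboxes).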

And time to test!

Logging in to OWA as the test user and going back to ECP, the ability to change the password is gone!

[Screenshot: OWA Options for the test user, without the Change password option]

Exchange ROCKS!


Ilse


Comments

  1. nobbynic says:

    worked like a charm thank you!

  2. Anonymous says:

    Thanks for this tip. This works for Exchange, but once you log into O365 you can still change your password via the My profile link despite having done the above. How can we fix that?

  3. Christian says:

    Any news on whether it's possible to prevent users from changing their password via the My Profile link too, please?

  4. Nzeg says:

    OK in Exchange, but in the “Office 365 settings” tab, how do you prevent users from changing their password?

  5. Alfredo Cartagena says:

    aredubbya512, Christian, and Nzeg,
    it really depends on your setup… if you have your AD and the online AD syncing, then you select “can't change password” in the on-site AD, sync the users, and then that user won't be able to change their password on the online side.

  6. Erwin Rommel says:

    I’m getting the error below:

    The term ‘New-ManagementRole’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:23
    + New-ManagementRole <<<< -Name AllButChangePassword -Parent MyBaseOptions
    + CategoryInfo : ObjectNotFound: (New-ManagementRole:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    What should the permissions of the credential I’m using be?

  7. daburo says:

    I followed it step by step and it doesn’t work; is there something new that prevents it?

  8. Darach says:

    The password reset from within Office 365 settings in OWA is managed by
    https://account.activedirectory.windowsazure.com/Profile/Default.aspx and not by the role groups above.

    If you want to turn off the ability for self-service password resets from
    http://portal.office.com you can use the following PowerShell: Set-MsolCompanySettings -SelfServePasswordResetEnabled 0 -TenantId "" (0 disables, 1 enables). When a user attempts a password reset from the login, they will get a denial with a link that
    will contact the tenant admin for a reset.

  9. Despistao says:

    nobbynic, did it work on Office 365?
    Darach, how can we accomplish it for just a few users, not for the entire organization? Take away the possibility for SOME users in Office 365 to change their own password. The previous steps don’t do the trick for the "Office 365 settings" of the user.

  10. Carlos says:

    Doesn’t work. I did that step by step and the Change Password option is still available for this user.
