Disable user's ability to change password (via cloud/portals)
We need to disable a user's ability to change their password. We need to manage password changes in our own application.
NOTE: I am not referring to password resets (which we can easily disable). Rather I'm talking about preventing users from changing their password via a Microsoft portal when they know their existing password.
We are looking for an equivalent of the (non-Azure) AD PowerShell command Set-ADUser -CannotChangePassword.
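For reference, the on-prem Active Directory control the request is asking for, as an added example that is not part of the original post. It assumes the ActiveDirectory (RSAT) module and a hypothetical generic account named kiosk01; it sets the "User cannot change password" flag on the on-prem object and verifies it, which is exactly what the thread says has no cloud-only equivalent.

```powershell
# Added example (not from the original post): the on-prem AD equivalent the request refers to.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller has rights on the object.
Import-Module ActiveDirectory

$sam = 'kiosk01'   # hypothetical shared/generic account used on loaner devices

# Prevent the user from changing their own password (on-prem AD "User cannot change password").
Set-ADUser -Identity $sam -CannotChangePassword $true

# Verify the flag actually took effect before relying on it.
$u = Get-ADUser -Identity $sam -Properties CannotChangePassword
if (-not $u.CannotChangePassword) {
    throw "CannotChangePassword is not set on $sam"
}
Write-Host "CannotChangePassword is set on $($u.SamAccountName)"

# To allow self-service password changes again, flip the flag back.
# Set-ADUser -Identity $sam -CannotChangePassword $false
```

This only governs the on-prem directory; the rest of the thread is about the absence of the same control for cloud-only accounts and for the cloud side of synced accounts.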
Hi folks! I apologize for the delay in response and I deeply appreciate your feedback. I understand how important this feature is for you and your users. We do not yet have plans to implement this feature, but please keep voting if this is important to you to help us prioritize appropriately.
Pretty disappointing there is no plan to implement this still.
Azure AD is already fairly inconsistent with features and lacking in key areas as a general SAML IDP / OAuth Server compared to most competitors. From the last response it sounds like there's still no plan to prevent a cloud only account from changing a password, which should be a basic feature especially when it can be done with on-prem AD.
The more we use Azure AD, the more I grow to dislike it.
Derek McMillan commented
I completely agree with this. The issue I can foresee with the current password reset feature is that someone other than the user would also have the ability to reset the password. This could mean that an email account is compromised and, as we have seen throughout our work with clients, the people infiltrating the account could then create rules within OWA to forward mail to a third party, with further rules created to hide the mail from the user. It could also allow someone to compromise a mailbox and set rules to send spam.
This feature needs to be turned off urgently and allow admins to control password resets, rather than allowing a self service scenario to take place.
Jag Bagri commented
We want to be able to prevent users from changing their Outlook password.
Our users are still able to change their password in Outlook online when they know their existing password, even though the settings are set to NOT enable this in Azure AD. This causes problems as the AD password now differs from the email password, which generates many unnecessary calls. I, as an admin, should be able to make this choice of whether we want our users to be able to change this password or not.
We would be very happy to have such a feature enabled as admins.
Steven Hillaby commented
Please implement this. It would be very useful to have the ability to change this; we have a few clients that have requested it, and there is still no update from Microsoft.
Williamson, Lisa commented
This request is now going on 6 years, when will this be on the road map?
Kirsten W. commented
As Keith said - this is 100% needed and silly it does not exist already
VICTOR MANUEL FERRANDO GARCIA commented
We would like this as we use a centralized, event driven, identity system and we command the password changes via Microsoft Graph. We want users to change their passwords with our own Self Service portal to keep things consistent instead of cloud/portals.
Keith Chisarik commented
I agree 100% this is needed and silly it does not exist already
Louis Galinou commented
Please this is a huge security risk for us... People who are locked out of their accounts should not be able to access the accounts so easily...
Tony LeGrange commented
Yes, this would be nice.
Sistemi Informativi commented
We need this feature as well. Thank you.
A feature should be added to disable the request to update the password for users when they log in for the first time to those accounts. The reason I am talking about student accounts in schools is that they will not be able to set a strong password, because many of them do not know how to do that. The other reason is the increase in requests for assistance in resetting passwords for users.
We can't move from on-prem AD until this feature is implemented.
Yes, we want most of our users to be able to change their password. But we have some unique circumstances, such as the public checking out a laptop or tablet from our library, and they need a generic username to login to the desktop.
We might use this generic username across many devices, so we don't want users to be able to change the password. Otherwise, if one user changes the password, it will lock all the other users out of logging into their laptops.
Dharmesh J Desai commented
Christian Nilsson commented
This is causing a support pain since passwords are not synced back to our on-premises AD (and we don't want them to be either).
Pure stupidity that this exists in the first place on an AD-synced account.
Naveen Marat commented
This is really an important feature for my tenants (I myself handle 4 different tenants for different domains for my company and sister companies). I strongly believe this is an important one for many other tenants too, and it's really disappointing that Microsoft did not facilitate this option.
If you've not done this in two years, no one is going to 'keep voting', as they will have already realised you lot plan to do nothing about this. Some honesty would be refreshing. You want people to sync their Azure AD with an on-prem AD so that extra features like this can be used in the on-prem AD, which filter back to Azure AD, even though those controls don't feature in Azure AD.
No one is falling for your encouraging comments M$.
Riaz Javed commented
This is a big flaw of Azure SSPR. We need to have the ability to pilot this functionality for password change. When can we have this functionality?
We have a centralized password reset mechanism in place that has an automation workflow behind it which sets the new password in a number of systems, giving a user a single set of credentials to remember (which is a security plus, since they can store a single password in their brain instead of on their computer). The problem is that online portals such as Office 365 let them change their password outside of our centralized password reset mechanism. This is a huge problem because now we can't tell them to log in with their single password to all systems: when it doesn't work, because they changed it via an online portal, they will say we gave them the wrong instructions. Why is this taking so long? It should be a basic thing; it has existed in AD for ages.