On-premises Exchange Server and Exchange Online have a default mobile device mailbox policy that does not require passwords on mobile devices.


Furthermore, simple passwords such as “1234” are also allowed.

[PS] C:\>Get-MobileDeviceMailboxPolicy | fl name,*password*

Name                         : Default
AlphanumericPasswordRequired : False
PasswordEnabled              : False
PasswordRecoveryEnabled      : False
AllowSimplePassword          : True
MinPasswordLength            :
MaxPasswordFailedAttempts    : Unlimited
PasswordExpiration           : Unlimited
PasswordHistory              : 0
MinPasswordComplexCharacters : 1

It is recommended to enforce a PIN or password for mobile devices that connect to your Exchange mailboxes. In addition to enforcing a password, you should consider implementing a level of password complexity (e.g. increased length, use of alphanumeric characters) that reduces the likelihood of a PIN or password being guessed by brute force while still balancing the need for security with the need to keep end users happy.

Note that you can assign different mobile device mailbox policies to different users in your organization. Often there is a request to relax security features for VIP users such as executives; however, those people are often the ones who should be protected by stronger password requirements. Other candidates for stronger password requirements are those who have access to sensitive information, and those who can approve financial transactions.
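The following Exchange Management Shell commands put the two recommendations above into practice: tightening the Default policy so every device needs a non-trivial PIN, and creating a stricter policy that is assigned only to higher-risk users. This is an added example, not code from the article; the policy name "Sensitive Users", the distribution group name "Sensitive Mailbox Users" and the specific length, lockout and expiration values are illustrative choices rather than values the article prescribes.

```powershell
# Added example (not from the article). Policy name, group name and
# numeric values below are illustrative assumptions.

# 1. Tighten the Default policy so every mailbox without an explicit
#    policy assignment requires a non-simple PIN of at least 6 characters,
#    wipes after 10 failed attempts and locks after 15 minutes idle.
Set-MobileDeviceMailboxPolicy -Identity "Default" `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock "00:15:00"

# 2. Create a stronger policy for executives, finance approvers and
#    other users with access to sensitive information.
New-MobileDeviceMailboxPolicy -Name "Sensitive Users" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MinPasswordComplexCharacters 2 `
    -MaxPasswordFailedAttempts 5 `
    -PasswordHistory 5 `
    -PasswordExpiration "90.00:00:00" `
    -MaxInactivityTimeLock "00:05:00"

# 3. Assign the stronger policy to the members of a distribution group
#    (hypothetical group name) so the assignment can be managed by
#    group membership rather than per mailbox.
Get-DistributionGroupMember -Identity "Sensitive Mailbox Users" |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress `
            -ActiveSyncMailboxPolicy "Sensitive Users"
    }

# 4. Verify the password-related settings of every policy.
Get-MobileDeviceMailboxPolicy |
    Format-List Name, PasswordEnabled, AllowSimplePassword, `
        MinPasswordLength, AlphanumericPasswordRequired, `
        MaxPasswordFailedAttempts, PasswordExpiration
```

The same cmdlets work in Exchange Online, which is why the example uses Set-MobileDeviceMailboxPolicy rather than the older Set-ActiveSyncMailboxPolicy alias. Test the stricter policy on a pilot group first: a device that cannot meet the policy is blocked from synchronizing until its owner sets a compliant PIN.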

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Andreas Theis

    Hello Paul
    Thank you for this interesting post! I do not know if I reach you this way, since the post and the comments are dated some years ago.
    Anyway, I try. In my company we can connect to Exchange Server mailboxes via our smart devices. If we do, we get the message that Exchange wants administrative privileges to – beside other things – set/reset the password for the screen on the mobile device if necessary. I fear that now we ran into such a situation. Do you know where one can find what PIN or password has been set to lock the screen on a mobile device? Our IT service team obviously does not know anything about it.
    I would be very happy if you get my question and I’m looking forward to reading a reply 🙂 Thank you very much in advance.
    Andreas – from Switzerland

  2. Nick

    Paul, first I want to say thank you… your blog posts have always been extremely informative and helpful to me and others.
    I was wondering… is there a way in Exchange 2016 on-premises to find out how many devices would comply with an ActiveSyncMailboxPolicy (and its related settings) before applying the policy? For example: if I have 100 users, each with 1-3 devices, and I want to set a policy that requires a four-char. password, can I find out how many devices do not meet that requirement before applying the policy? Is there a way after applying the policy, without forcing the user to adhere to the policy?
    Thanks again, sir!

    1. Carlos S

      Hi Nick,
      Did you ever find a way to run a report like this? I’m in need of the same report.
      Thanks again.
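The comment thread above asks for a per-device compliance report. The following is an added example, not code from the article or from any commenter: it builds a table of every ActiveSync partnership with the policy each device reports as applied and its application status, using the DevicePolicyApplied and DevicePolicyApplicationStatus properties that Get-MobileDeviceStatistics returns. It reports status after a policy has been assigned to the mailbox; it does not evaluate devices against a policy that has not yet been applied, and the CSV file name is an assumption.

```powershell
# Added example (not from the article or the comments). Reports the
# policy application status of every mobile device partnership.
# Output file name is an illustrative assumption.

# Only mailboxes with at least one ActiveSync device partnership.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$report = foreach ($cas in $casMailboxes) {
    foreach ($stat in Get-MobileDeviceStatistics -Mailbox $cas.Identity) {
        [PSCustomObject]@{
            Mailbox        = $cas.PrimarySmtpAddress
            AssignedPolicy = $cas.ActiveSyncMailboxPolicy
            DeviceType     = $stat.DeviceType
            DeviceModel    = $stat.DeviceModel
            AppliedPolicy  = $stat.DevicePolicyApplied
            Status         = $stat.DevicePolicyApplicationStatus
            LastSync       = $stat.LastSuccessSync
        }
    }
}

# Summary: how many devices are in each application state
# (expected values include AppliedInFull, PartiallyApplied, NotApplied).
$report | Group-Object Status | Select-Object Name, Count

# Detail: devices that have not fully applied their policy, for follow-up.
$report |
    Where-Object { $_.Status -ne 'AppliedInFull' } |
    Sort-Object Mailbox |
    Export-Csv -Path ".\activesync-policy-status.csv" -NoTypeInformation
```

Devices that stop synchronizing after a policy change show up here with a stale LastSync value rather than a changed Status, so the report is most useful when run before and again a few days after the policy is tightened.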
