On-premises Exchange Server and Exchange Online have a default mobile device mailbox policy that does not require passwords on mobile devices.
Furthermore, simple passwords such as “1234” are also allowed.
[PS] C:>Get-MobileDeviceMailboxPolicy | fl name,*password* Name : Default AlphanumericPasswordRequired : False PasswordEnabled : False PasswordRecoveryEnabled : False AllowSimplePassword : True MinPasswordLength : MaxPasswordFailedAttempts : Unlimited PasswordExpiration : Unlimited PasswordHistory : 0 MinPasswordComplexCharacters : 1
It is recommended to enforce PIN or password for mobile devices that are connecting to your Exchange mailboxes. In addition to enforcing a password, you should consider implementing a level of password complexity (e.g. increased length, use of alphanumeric characters) that balances the need for security with the need to keep end users happy, to reduce the likelihood of a PIN or password being guessed by brute force.
Note that you can assign different mobile device mailbox policies to different users in your organization. Often there is a request to relax security features for VIP users, such as executives, however those people are often the ones that should be protected by stronger password requirements. Other candidates for stronger password requirements are those who have access to sensitive information, and those who can approve financial transactions.