The Microsoft Outlook team has released updates for Outlook 2010 and 2007 that provide Office 365 users with password expiration notifications. The advance password expiry notification will be displayed in a pop-up message (near the system clock) within a certain time period before their password actually expires. That time period is configurable by the tenant admin (see links below for more info). For users whose passwords have already expired, Outlook will flash an error message when users try to connect to their mailbox. In both scenarios, Outlook also provides a link (URL) to update passwords via the browser. When users click on those links, they are taken to the Microsoft Online Portal to change/update their passwords.

2745588 Outlook password expiration notification in Office 365

You can download the updates for Outlook 2010 and 2007 thru the following KB articles:

  • 2687351 Description of the Outlook 2010 hotfix package (Outlook-x-none.msp): August 28, 2012
  • 2687336 Description of the Outlook 2007 hotfix package (Outlook-x-none.msp): August 28, 2012

Note: In order to install these updates, you’ll need administrator permissions on the Windows computers. Please contact your Tenant Admin if you are not able to install the updates due to permissions issue. Also, in the coming months these updates are planned to be released via Microsoft Update.

Outlook User Experience Videos

The following video provides a quick one minute intro of the Outlook user experience. (Duration: 55 seconds, less than a minute)

The following video walks us through the Outlook user experience when update is installed and the password is about to expire. (Duration: 3 minutes & 23 seconds)

The following video walks us through the Outlook user experience when update is applied and the password has already expired. (Duration: 3 minutes & 37 seconds)

Frequency of password expiration notification

Early or advance password expiry notification (pop-up message near the system clock) will appear once every 24 hours on a user’s machine. If that same user is using Outlook on multiple machines, he will see the same behavior on all machines, as notifications are paired with the mail profile in Outlook.

Multiple Accounts in a profile

In a situation where a user has configured multiple Office 365 based Exchange accounts in a particular mail profile in Outlook, the user will receive individual notifications for those accounts at appropriate times. The number of simultaneous notifications will not be limited since this information is vital for Outlook users.

Outlook & Lync

If a user has both Outlook & Lync running at the same time connecting to an Office 365 account, he may see two separate notifications as both applications authenticate and connect separately to Office 365 Service and use independent features to display the appropriate notifications. Lync is dependent on the Microsoft Online Services Sign-In Assistant (‘MOS SIA’), while Outlook handles this scenario independently of MOS SIA.

Password Reset

These new updates do not provide any way to Outlook users to help in resetting their passwords, in case they have forgotten it. They’ll still need to follow the current guidelines for Office 365 users to recover their password.

Below are some topics of interest for Tenant Admins.

How to Set Password Policy Settings

Tenant Admins can use the available PowerShell commands to manage and set the Password Policy related settings. Those commands also allow you to set the time period for advance password expiry notifications that user may see in Outlook.

For help with those commands, see Windows PowerShell cmdlets for Office 365 (Refer to cmdlets: Set-MsolPasswordPolicy and Get-MsolPasswordPolicy)

The following KB article provides instructions with the help of an example on how you can use the PowerShell cmdlets to set the password policy parameters.

2723716 Error message when you run the Set-MsolPasswordPolicy cmdlet in Office 365: "Unable to complete this action"

Office 365 Managed Vs. Federated Users

Outlook mainly relies on the Windows system notification (managed by Active Directory & Domain Controller) for password expiry in the case of Federated users who are using domain joined machines. Outlook will display the password expiration notifications only for Federated users who are not using domain joined machines and are synchronizing their Active Directory info with Office 365 Identity management system..

For Federated users, if an organization has implemented a ‘Change Password’ workflow (by extending their logon page with a link to a FIM instance, for example), the OWA (Outlook Web App) link referred to by Outlook will allow the user to change their password by getting them to their AD FS based OWA logon page. If an organization doesn’t allow any password change flow from the outside/Internet, the user will need to utilize other available means (like calling their helpdesk, use VPN or a domain joined machine, etc.) to change his password, in accordance with their organization’s policy.

For more info on configuring access to Outlook Web App, see Configure Sign-In URLs for Outlook Web App

Allie Bellew (Outlook Team)
Gabe Bratton, Amir Haque (Supportability Team)