Deploy a Delayed Password Policy Change with Email Notifications using Intune Compliance Settings
Compliance policies define rules and settings, such as password or encryption requirements, that users and devices must meet to be “compliant”. They can be combined with conditional access to block users and devices that don’t meet those set of rules.
Common examples include:
- End users must use a password to access organizational data on mobile devices
- The device can’t be jail-broken or rooted
- A minimum or maximum operating system version is required for the device
- The device to be at, or under a threat level (based on a 3rd party risk assessment like an antivirus scan)
For our scenario, we’ll be going over how to deploy a delayed password policy change with email notifications. Essentially we want to notify our users that their current password is not compliant but give them a week before they are forced to change it. That way, on Monday morning our users will receive a friendly email instead of all being locked out of their devices.
Setting up the Email Notification
Head over to the new Microsoft 365 Device Management portal (https://devicemanagement.microsoft.com). You can also go to the Intune pane within the Azure Portal to access the same settings. On the left hand side you’ll see a blade called Device Compliance.
Click on Device compliance > then Notifications > and then Create Notification.
It’s important to remember that the notifications can be reused an unlimited amount of times for an unlimited amount of compliance policies. I personally like to separate them out but if you want to go for a generic “You’re out of compliance” email, that works too.
In the Create notification pane, you’ll need to type in the Name, Subject, and Message of the email that will be automatically sent. You can also include your company logo, company name, and contact information from your Azure Active Directory Company Branding (stay tuned for a future post on setting up branding!).
For our scenarios we’ll configure the following:
Name: Password Compliance
Subject: ACTION REQUIRED – Password Compliance
As part of our Information Security Program, we are increasing password strength requirements for all accounts. Your password is currently non-compliant. After May 10, all passwords must comply with the new policy requirements:
Minimum 10 characters (was eight characters)
Passwords expire every 90 days (was six months)
Password Reuse: Must be unique from previous 10 passwords
Complex passwords must contain one each:
Upper case letter
Lower case letter
Your Actions to be taken:
On Friday May 10, after 10AM, when you login to your computer, you will be required to comply with the new password policy. Any password not in compliance will trigger a prompt to immediately change your password.
To avoid this interruption on May 9, you can manually reset your password at any time by pressing “Ctrl”+”Alt”+”Del” and selecting “Change Your Password.” Be sure you follow the minimum password requirements listed in this Change Notification email.
Unfortunately, you do not have any options for formatting, boldness, or italics – so have some fun with your wording!
Hit Create at the bottom to finish creating the notification email.
Creating the Compliance Policy
Back in the Device Compliance overview dashboard, head over to Manage > Policies > Create Policy.
This is where we will write the rules of compliance for your particular policy. We’ll name this one “Password Compliance” and choose the Windows 10 and Later platform.
Under System Security is where all the password policies live. Here we’ll configure the following settings (leaving everything else default):
After we’re done configuring the settings, we’ll go into Actions for noncompliance under settings.
There is already an action in this pane called “Mark device noncompliant”. You CANNOT delete this action. However, we will need to change this to schedule 7 days in advance. Since a password compliance policy requires immediate action once it’s noncompliant, we’ll want to change the schedule from 0 to 7 days to give the end users a week before action needs to take place.
Now we’ll click Add to create another action with the email notification. Click on Message Template and choose the notification template we just created.
Once we have all of the actions completed it will look like:
Like before, click Create to complete the policy. Make sure to go back to the policy and assign it to “All users” or whichever group you want to test it out on.
End User Experience
When a user with a non-compliant password signs in, they will immediately get a notification from Microsoft Intune Notification with your email message:
That’s it! You now have a fully functional email notification service that allows you to notify users that their password is noncompliant but give them a week to change it. This method works with any compliance policy as well so the sky is the limit!