What do you think about the email that goes out when a new user is created in 365?

Question

When I create a new user in our 365 tenant I can put in my own account and/or another use to get the email about the new account creation. This email has that new users account credentials in it in plain text. This seems to be just a bit of a security no-no, but then, if it is, why does Microsoft do it? Am I missing something or is the 365 encryption of email good enough to make this confidently secure?

Secondly, if you don't think this is not secure enough then what do you use to communicate the new password to the new user? I know verbally is best, but very inconvenient. Also, I would have them change it upon first use anyway.

Finally, what options do your organizations use to communicate a new user password, 365 or not? Text, Email, Phone call, Teams...?

Answer 1

It is a common practice for ease of use, but as everything, it has it's flaws. Something so simple as a typo could reveal the credentials to an unintended user.

We don't communicate passwords over the network. In fact, we don't even know the first password for a new user. We register the users recovery information, and they have to do Self Service Password Reset to set their own.