User credentials

Question

User credentials

IT_RACK5500 21

Hi,

We have always been going with static password and never changed a user's password. I know this is one of the most wrong and dangerous practice but this is how the management wanted it to be. Now we got the go ahead to change the password every 2 months.

We also keep the passwords for all the users so that we can log in as the user when need be to troubleshoot.

My questions are as follows:

(1)If we allow the user to change the password, how can we log in as the user to trouble shoot?

(2)Is it legal to keep the users credentials ?

Just wanted to add that we are using Exchange

Thanks

Tazio

Kai Yao 37,791 Reputation points Moderator

2021-08-02T01:46:40.603+00:00

Hi Tazio,

Agree with Andy, this question doesn't have much to do with Exchange.

For security reasons, please consider using multi-factor authentication as Andy suggested.

(1)If we allow the user to change the password, how can we log in as the user to trouble shoot?

Is there a detailed scenario?
If you would like to log in as the user, you may assign full access permission to another mailbox which is used for management.
Please refer to this link: Manage permissions for recipients
Kai Yao 37,791 Reputation points Moderator

2021-08-05T07:24:03.79+00:00

Hi @IT_RACK5500

I am writing here to confirm with you how thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

Answer accepted by question author

Andy David - MVP 160.3K MVP Volunteer Moderator

Not ever changing a user's password is not an issue. And changing the password every two months doesn't protect you.
Not using multi-factor authentication is a problem and should be where your focus should be:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

If you aren't using Azure, consider a hybrid solution with Azure or a third party solution

This isnt really an Exchange issue however.

There is absolutely no reason to keep any user credentials. Has nothing to do with legality, there is simply no reason to do this.
If you need to troubleshoot a users mailbox, an admin can give yourself permission to it:

https://support.microsoft.com/en-us/topic/how-to-grant-exchange-and-outlook-mailbox-permissions-in-office-365-dedicated-bac01b2c-08ff-2eac-e1c8-6dd01cf77287#bkmk_1

Personally, I would never work for a company that required me to provide my password to them.

0 comments

1 additional answer

Your answer

Kai Yao 37,791 Reputation points Moderator

2021-08-02T01:46:40.603+00:00

Hi Tazio,

Agree with Andy, this question doesn't have much to do with Exchange.

For security reasons, please consider using multi-factor authentication as Andy suggested.

(1)If we allow the user to change the password, how can we log in as the user to trouble shoot?

Is there a detailed scenario?
If you would like to log in as the user, you may assign full access permission to another mailbox which is used for management.
Please refer to this link: Manage permissions for recipients
Kai Yao 37,791 Reputation points Moderator

2021-08-05T07:24:03.79+00:00

Hi @IT_RACK5500

I am writing here to confirm with you how thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

Answer 1

IT_RACK5500 21

Thanks a lot for your answers

Tazio

0 comments

Share via

User credentials

1 additional answer

Your answer