By configuring settings in Workspace ONE Access, you can provide users the ability to change their Active Directory passwords from the Workspace ONE Intelligent Hub app or portal whenever they want to. Users can also reset their Active Directory passwords from the login page if the password has expired or if the Active Directory administrator has reset the password, forcing the user to change the password at the next login.

You set this option per directory, by selecting the Allow Change Password option in the directory's settings page.

Users can change their passwords when they are logged into Intelligent Hub from a browser by clicking their name in the top-right corner, selecting Account from the drop-down menu, and clicking the Change Password link. In the Intelligent Hub app, users can change their passwords by clicking the triple-bar menu icon and selecting Password.

Expired passwords or passwords reset by the administrator in Active Directory can be changed from the login page. When a user tries to log in with an expired password, the user is prompted to reset the password. The user must enter the old password as well as the new password.

The Active Directory password policy determines the requirements for the new password. The number of tries allowed also depends on the Active Directory password policy.

Note: If the Workspace ONE Access connector is running in FIPS mode, additional requirements apply to passwords. See Workspace ONE Access Connector and FIPS Mode for your version of the connector.

The following limitations apply to the Allow Change Password option.

  • When a directory is added to VMware Workspace ONE Access as a Global Catalog, the Allow Change Password option is not available. You can add the directory as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.
  • The password of a Bind DN user cannot be reset from VMware Workspace ONE Access, even if it expires or the Active Directory administrator resets it.

    Using a Bind DN user account with a non-expiring password is recommended.

  • Passwords of users whose login names consist of multibyte characters (non-ASCII characters) cannot be reset from VMware Workspace ONE Access.

Note: The Allow Change Password option cannot be selected for ACC directories.

The following requirements must be met to use the Allow Change Password option.

  • The domain functional level of the Active Directory domain controllers must be set to Windows 2008 or later.
  • Port 464 must be open from the Directory Sync service to the domain controllers.
  • The Active Directory must use one of the following UPN formats:
    • Regular UPN format: samaccountname@domain
    • Alternative UPN prefix format: alternativePrefix@domain
    • Alternative UPN suffix format: samaccountname@alternativeSuffix

    The UPN format of alternativePrefix@alternativeSuffix is not supported.

  • Clocks on the Directory Sync service host and the domain controllers must be synchronized.
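
The UPN format rules and the non-ASCII login name limitation above can be checked against an export of directory accounts before the option is enabled. The following Python code is an added example, not VMware code: the domain name, sample records and function names are constructed, and it assumes that any non-ASCII character in a login name disqualifies the account.

```python
# Added example: audit (sAMAccountName, userPrincipalName) pairs against the
# UPN format and login-name rules listed above. All sample data is constructed.

DOMAIN = "corp.example.com"  # constructed AD domain DNS name

SAMPLE_USERS = [  # constructed records
    ("jdoe", "jdoe@corp.example.com"),        # regular UPN
    ("jdoe2", "jane.doe@corp.example.com"),   # alternative UPN prefix
    ("asmith", "asmith@example.com"),         # alternative UPN suffix
    ("bwong", "b.wong@example.com"),          # alternative prefix and suffix
    ("müller", "müller@corp.example.com"),    # non-ASCII login name
]


def classify_upn(sam_account_name, upn, domain):
    """Return the UPN format of an account, using the names from the list above."""
    prefix, sep, suffix = upn.rpartition("@")
    if not sep or not prefix or not suffix:
        return "invalid"
    same_prefix = prefix.casefold() == sam_account_name.casefold()
    same_suffix = suffix.casefold() == domain.casefold()
    if same_prefix and same_suffix:
        return "regular"
    if same_suffix:
        return "alternative-prefix"
    if same_prefix:
        return "alternative-suffix"
    return "unsupported"  # alternativePrefix@alternativeSuffix


def audit(users, domain):
    """Return {sAMAccountName: [reasons]} for accounts that fail a rule."""
    findings = {}
    for sam, upn in users:
        reasons = []
        fmt = classify_upn(sam, upn, domain)
        if fmt in ("invalid", "unsupported"):
            reasons.append(f"UPN format {fmt}: {upn}")
        # Assumption: one non-ASCII character in either name is enough to flag.
        if not (sam.isascii() and upn.isascii()):
            reasons.append("login name contains non-ASCII characters")
        if reasons:
            findings[sam] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_USERS, DOMAIN).items():
        print(account, "->", "; ".join(reasons))
```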

To enable the Allow Change Password option:

  1. In the Workspace ONE Access console, select Integrations > Directories.
  2. Click the directory you want to configure.
  3. In the Allow Change Password section, select the Enable Change Password check box.
  4. Enter the Bind DN password in the Bind User Details section, and click Save.