UniFi Identity Enterprise - Password Policy and Rule


  • A password is a string of characters used to authenticate a user's identity. Password authenticator is enabled by default.
  • Administrators can customize password policies and associated rules to enforce password settings at the group, role, or user level.
  • Identity Enterprise provides a default password policy that requires users to use strong passwords to better protect their workspace assets.
  • Administrators can add multiple policies and rules and prioritize them. A policy and rule with a higher priority take precedence over those with a lower priority.

Note: If AD/LDAP Delegated Authentication is enabled, then users' passwords are managed by the AD/LDAP server and will not be controlled by UniFi Identity Enterprise password policies.

Default Password Policy

Default Password Policy requires the passwords of all workspace users to meet the following requirements:

  • Must contain at least one lowercase letter, one uppercase letter, and one number.
  • Cannot contain part of the user's email.

This policy also allows users to change and reset their passwords and unlock their accounts through self-service.


  • The Default Password Policy cannot be deleted or disabled. Only the Settings section can be edited.
  • The Default Rule in the Default Password Policy cannot be edited, deleted, or disabled.

Password Policy Evaluation

A password policy evaluates a user's password based on the following criteria:

  • Evaluate whether a new password is valid:
    • Password Complexity
    • Minimum password length
    • Enforce password history
  • Evaluate whether the last password change is valid:
    • Minimum password age
    • Password expires
  • Evaluate whether an account should be locked
    • Account lockout threshold
  • Evaluate whether an account can be recovered when it is locked:
    • Account recovery optional
    • Account unlocked automatically
    • Recovery emails are valid for

Create a Password Policy

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Go to Security > Identity Firewall > Policy > Password and click + Password Policy.
  3. Enter the following information:
    • Policy Name: Enter a name for the policy.
    • Description: Enter a description for the policy.
    • Applied Users: Click Add User, select the users, groups, and roles that this policy will apply to, and click Add.
      • Users: This policy only applies to the selected users. Input the user’s name in the search box.
      • Groups: This policy only applies to the selected groups.
      • Roles: This policy only applies to the selected roles.
  4. Configure the following policy settings:
    • Password Complexity: Select a preset rule or select "Custom" to customize the requirements.
    • Minimum password length: Set minimum password length to at least 8 characters.
    • Enforce password history: Set the number of unique new passwords that must be associated with a user account before an old password can be reused.
    • Minimum password age: Set the period of time that a password must be used before the user can change it.
    • Password expires: Set how long a password can be used before the user is required to change it.
      • Prompt user 7 days before password expires: Set whether to notify the user 7 days before their password expires.
    • Account lockout threshold: Set the number of failed sign-in attempts that will cause a user account to be locked. "5 attempts" is set by default.
      • Prompt user account is locked: Set whether the user is notified when their account is locked. If this checkbox is unticked, a “Sign in failed” prompt will be displayed when the account is locked.
      • Send lockout email to user: Set whether the user will receive an account-locked notification email when their account is locked.
    • Account recovery optional: Once the "Security Phone" checkbox is ticked and the following prerequisites are met, users can use the SMS verification method to recover or unlock accounts if they forget their passwords or want to unlock the accounts by themself.
      • Prerequisites:
        • Administrators have enabled SMS authentication for the workspace.
        • Users have set up SMS authentication.
  • Account unlocked automatically: Set after how long will a locked user account be automatically unlocked. If an account was locked before this setting was set, the account will not be automatically unlocked.
  • Recovery emails are valid for: Set the valid period of the link in the recovery email for password reset or account unlock.
  1. Click Save.
  2. Verify your account with an MFA method.

Create a Password Policy Rule

  1. Do either of the following:

    • Create a new policy and rule: You'll be prompted to create a rule after a policy is created.
    • Create a rule in an existing policy: Go to Security > Identity Firewall > Policy > Password, click an existing policy, and go to Rules > Create.
  2. Enter the Rule Name and tick "Enable this rule" to enable it.

  3. Go to Exclude Users (Optional) and click Add User to select the users you want to exclude from this rule. No user is selected by default.

  4. Go to Conditions and set the following:

    • If the user's IP is: Specify the network zone to which this rule applies.
      • Anywhere: The action is triggered no matter what the user's IP is. This is selected by default.
      • Inside Zone: The action takes effect when the user's IP is within the set network zone range.
      • Outside Zone: The action takes effect when the user's IP is outside of the network zone range.
  5. Go to Actions and set whether to allow user access:

    • Change Password: When enabled, users can change their passwords. When disabled, only the workspace administrators can initiate a password change.
    • Perform self-service password reset: When enabled, users can reset their passwords through self-service. When disabled, only the workspace administrators can initiate a password reset.
    • Perform self-service account unlock: When enabled, users can unlock their accounts through self-service. When disabled, only the workspace administrators can initiate account unlock.
Was this article helpful?
0 out of 1 found this helpful