Applies to: Exchange Online, Exchange Server 2016

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-UMMailboxPIN cmdlet to reset the PIN for a Unified Messaging (UM)-enabled mailbox.

For information about the parameter sets in the Syntax section below, see Syntax.

Set-UMMailboxPIN -Identity <MailboxIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IgnoreDefaultScope <SwitchParameter>] [-LockedOut <$true | $false>] [-NotifyEmail <String>] [-Pin <String>] [-PinExpired <$true | $false>] [-SendEmail <$true | $false>] [-WhatIf [<SwitchParameter>]]

This example resets the PIN on the UM-enabled mailbox for

Set-UMMailboxPIN -Identity

This example resets the initial PIN to 1985848 on the UM-enabled mailbox for, and then sets the PIN as expired so that the user will be asked to change the PIN the next time the user logs on.

Set-UMMailboxPIN -Identity -PIN 1985848 -PinExpired $true

This example locks the UM-enabled mailbox for to prevent the user from accessing the mailbox.

Set-UMMailboxPIN -Identity -LockedOut $true

This example unlocks the UM-enabled mailbox for and allows the user access to the mailbox.

Set-UMMailboxPIN -Identity -LockedOut $false

The Set-UMMailboxPIN cmdlet is used when a UM-enabled user has been locked out of a mailbox, either because the user tried to log on with an incorrect PIN multiple times or because the user has forgotten the PIN. You can use this cmdlet to set the user's PIN. The new PIN must comply with the PIN policy rules specified in the user's mailbox policy. The new PIN is sent to the user in an email message, or sent to an alternative email address. You can control whether the user must reset the PIN at logon and whether the mailbox will continue to be locked.

After this task is completed, the PIN on a UM-enabled mailbox is set.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "UM mailboxes" entry in the Unified Messaging permissions topic.


Parameter Required Type Description




The Identity parameter specifies the UM-enabled user PIN being set. The values for this parameter include the following:

  • ADObjectID

  • GUID

  • Distinguished name (DN)

  • Domain\Account

  • user principal name (UPN)

  • LegacyExchangeDN

  • SmtpAddress

  • Alias




The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.




This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,




This parameter is available only in on-premises Exchange 2016.

The IgnoreDefaultScope switch tells the command to ignore the default recipient scope setting for the Exchange Management Shell session, and to use the entire forest as the scope. This allows the command to access Active Directory objects that aren't currently available in the default scope.

Using the IgnoreDefaultScope switch introduces the following restrictions:

  • You can't use the DomainController parameter. The command uses an appropriate global catalog server automatically.

  • You can only use the DN for the Identity parameter. Other forms of identification, such as alias or GUID, aren't accepted.




The LockedOut parameter specifies whether the mailbox will continue to be locked. If set to $true, the mailbox is marked as locked out. By default, if this parameter is omitted or set to $false, the command clears the locked-out status on the mailbox.




The NotifyEmail parameter specifies the email address to which the server sends the email message that contains the PIN reset information. By default, the message is sent to the SMTP address of the enabled user.




The Pin parameter specifies a new PIN for use with the mailbox. The PIN is checked against the PIN rules defined in the Unified Messaging mailbox policy. If the PIN isn't supplied, the command generates a new PIN for the mailbox and includes it in an email message sent to the user.




The PINExpired parameter specifies whether the PIN is treated as expired. If this parameter is supplied and is set to $false, the user isn't required to reset the PIN the next time that the user logs on. If the PIN isn't supplied, the PIN is treated as expired and the user is prompted to reset the PIN the next time that the user logs on.




The SendEmail parameter specifies whether to send a PIN to the user in an email message. The default is $true.




The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.
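
The following wrapper is an added example, not part of the original cmdlet reference. It combines the parameters described above into a help-desk reset: the Pin parameter is omitted so the server generates a policy-compliant PIN, the PIN is marked expired, and an alternative NotifyEmail address is accepted only for approved domains. The function name Reset-UmPinSafely, the AllowedDomains parameter and the example.com values are assumptions made for illustration.

```powershell
# Added example: hypothetical wrapper around Set-UMMailboxPIN.
function Reset-UmPinSafely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Any Identity form the cmdlet accepts (alias, UPN, SmtpAddress, DN, ...).
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Optional alternative recipient for the PIN reset message.
        [string]$NotifyEmail,

        # Assumption: domains the organization treats as internal (placeholder).
        [string[]]$AllowedDomains = @('example.com')
    )

    # -Pin is deliberately left out: the command then generates a new PIN
    # that satisfies the UM mailbox policy and mails it to the user.
    $params = @{
        Identity   = $Identity
        PinExpired = $true    # user must choose a new PIN at next logon
        LockedOut  = $false   # clear the locked-out status explicitly
        SendEmail  = $true    # the default, stated for clarity
    }

    if ($NotifyEmail) {
        # A PIN mailed to an arbitrary address is a social-engineering risk,
        # so reject recipients outside the approved domains.
        $domain = ($NotifyEmail -split '@')[-1]
        if ($AllowedDomains -notcontains $domain) {
            throw "Refusing to send a PIN to '$NotifyEmail': domain is not in the allowed list."
        }
        $params.NotifyEmail = $NotifyEmail
    }

    # Honors -WhatIf and -Confirm passed to the wrapper.
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset UM mailbox PIN')) {
        Set-UMMailboxPIN @params
    }
}

# Dry run against a constructed placeholder identity; nothing is changed.
Reset-UmPinSafely -Identity 'user@example.com' -WhatIf
```

Because ConfirmImpact is set to High, running the wrapper without -WhatIf prompts for confirmation before the PIN is changed.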

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.