Yes, but personally I think it would be better if the passwordstate policy could be more "AD-friendly", and an option could be just "require AD complexity", checking for 3 out of 4 character types being used. To get around this, we have enforced uppercase, lowercase and numbers, but that is annoying some of the users that are used to being able to use special characters instead. Is the haveibeenpwnd error message working even if you set a custom Failed Reset Message? If so I was mistaken, sorry!