Not ever changing a user's password is not an issue. And changing the password every two months doesn't protect you.
Not using multi-factor authentication is a problem, and that is where your focus should be:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
If you aren't using Azure, consider a hybrid solution with Azure or a third-party solution.
This isn't really an Exchange issue, however.
There is absolutely no reason to keep any user credentials. It has nothing to do with legality; there is simply no reason to do this.
If you need to troubleshoot a user's mailbox, an admin can give themselves permission to it:
Personally, I would never work for a company that required me to provide my password to them.
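As an added example (not part of the original post or its author's own steps), this is what "an admin grants themselves permission to the mailbox" looks like in Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, and the tenant, admin and user identities (contoso.com, admin@contoso.com, user@contoso.com) are placeholders:

```powershell
# Added example, not code from the original post.
# Grant an admin temporary Full Access to a user's mailbox for troubleshooting
# instead of collecting the user's password. Identities below are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$Mailbox = 'user@contoso.com'
$Admin   = 'admin@contoso.com'

# Grant Full Access without auto-mapping, so the mailbox is not permanently
# attached to the admin's Outlook profile after the work is done.
Add-MailboxPermission -Identity $Mailbox -User $Admin `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Verify the grant is in place (this is also the record you can show later).
Get-MailboxPermission -Identity $Mailbox -User $Admin |
    Format-Table Identity, User, AccessRights, IsInherited

# ... troubleshoot the mailbox by opening it as a shared mailbox in Outlook
#     or Outlook on the web; the user's password is never involved ...

# Revoke the access as soon as the work is finished. Standing Full Access
# grants are the thing to avoid, not the one-off troubleshooting session.
Remove-MailboxPermission -Identity $Mailbox -User $Admin `
    -AccessRights FullAccess -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

Full Access lets the admin read and manage the mailbox contents; it does not grant Send As, and it is logged as an administrative action, so the user's own credential stays private and the access is attributable to the admin account rather than to the user.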