diff --git a/lib/ansible/modules/remote_management/manageiq/manageiq_user.py b/lib/ansible/modules/remote_management/manageiq/manageiq_user.py
index cb680c01766..de461fc3bc1 100755
--- a/lib/ansible/modules/remote_management/manageiq/manageiq_user.py
+++ b/lib/ansible/modules/remote_management/manageiq/manageiq_user.py
@@ -68,6 +68,13 @@ options:
       - The users' E-mail address.
     required: false
     default: null
+  update_password:
+    required: false
+    default: always
+    choices: ['always', 'on_create']
+    description:
+      - C(always) will update passwords unconditionally.  C(on_create) will only set the password for a newly created user.
+    version_added: '2.5'
 '''
 
 EXAMPLES = '''
@@ -219,11 +226,16 @@ class ManageIQUser(object):
             resource['group'] = dict(id=group_id)
         if name is not None:
             resource['name'] = name
-        if password is not None:
-            resource['password'] = password
         if email is not None:
             resource['email'] = email
 
+        # if there is a password param, but 'update_password' is 'on_create'
+        # then discard the password (since we're editing an existing user)
+        if self.module.params['update_password'] == 'on_create':
+            password = None
+        if password is not None:
+            resource['password'] = password
+
         # check if we need to update ( compare_user is true is no difference found )
         if self.compare_user(user, name, group_id, password, email):
             return dict(
@@ -280,7 +292,9 @@ def main():
             password=dict(no_log=True),
             group=dict(),
             email=dict(),
-            state=dict(choices=['absent', 'present'], default='present')
+            state=dict(choices=['absent', 'present'], default='present'),
+            update_password=dict(choices=['always', 'on_create'],
+                                 default='always'),
         ),
     )