Use Okta API to expire user passwords
Use the Okta API to expire Okta-sourced user passwords and require affected users to set a new password on their next sign-in attempt.
- In the Admin Console, go to .
- Click Integration in the Settings list.
- Scroll down and clear the Enable delegated authentication to Active Directory checkbox.
- Click Save.
- Select Create Okta password (recommended).
- Click Disable AD Authentication.
- Under Settings, click To App, and then click Edit. Scroll to the Sync Password section, and then select Enable.
- Click Save.
- Optional. To exclude specific users from password expiration:
- Click Active Directory Policy and select
- Scroll down and click Add Rule.
- Complete these fields:
- Rule Name: Enter a name for the rule.
- Exclude Users: Optional. Identify the users that you want to exclude from this rule.
- IF User's IP Address is: Optional. Indicate if the rule should apply to an IP address that is inside or outside of a specific zone.
- THEN User can: Select change password.
- Click Create Rule.
- Call the expire_password endpoint with tempPassword set to true. See Expire Password.
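The API call in the last step, shown as an added example rather than Okta's own code or sample. It assumes a placeholder org URL, an API token supplied in the `OKTA_API_TOKEN` environment variable, and that the target users are already Okta-sourced (the steps above move them off delegated AD authentication first). The request built is `POST /api/v1/users/{userId}/lifecycle/expire_password?tempPassword=true` with an `SSWS` token header; with `tempPassword=true` Okta resets the password to a temporary one and returns it in the response body, which is why the example also includes a redaction helper so that the temporary password never reaches your logs.

```python
"""Expire Okta-sourced user passwords through the Okta Users API.

Added example, not Okta's own code. Assumptions (placeholders, not real values):
  - ORG_URL is your Okta org base URL,
  - OKTA_API_TOKEN holds an API token allowed to manage users,
  - the users are Okta-sourced, so the expired password is enforced by Okta.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

ORG_URL = "https://example-org.okta.com"  # placeholder org URL (constructed)


def build_expire_password_request(org_url, user_id, api_token, temp_password=True):
    """Return (method, url, headers) for the Expire Password lifecycle call.

    tempPassword=true makes Okta replace the password with a temporary one and
    return it; the user must then set a new password at the next sign-in.
    """
    base = org_url.rstrip("/")
    query = urllib.parse.urlencode({"tempPassword": "true" if temp_password else "false"})
    path = "/api/v1/users/%s/lifecycle/expire_password" % urllib.parse.quote(user_id, safe="")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": "SSWS " + api_token,  # Okta API-token scheme
    }
    return "POST", base + path + "?" + query, headers


def redact_temp_password(response_body):
    """Copy of the API response safe for logging: the temporary password is masked.

    The temporary password is a credential and must be handed to the user out of
    band, never written to a log or ticket.
    """
    safe = dict(response_body)
    if "tempPassword" in safe:
        safe["tempPassword"] = "<redacted>"
    return safe


def expire_password(org_url, user_id, api_token, temp_password=True,
                    opener=urllib.request.urlopen):
    """Call Expire Password for one user and return the parsed JSON response.

    `opener` is injectable so the function can be exercised without network access.
    """
    method, url, headers = build_expire_password_request(org_url, user_id, api_token, temp_password)
    req = urllib.request.Request(url, method=method, headers=headers, data=b"")
    with opener(req) as resp:
        body = resp.read().decode("utf-8")
    return json.loads(body) if body else {}


def expire_many(org_url, user_ids, api_token, opener=urllib.request.urlopen):
    """Expire passwords for several users; collect per-user outcome, never the secret.

    Returns {user_id: "expired"} on success or {user_id: "error: <HTTP status>"}.
    Users excluded by the Active Directory policy rule above should simply not be
    in `user_ids`; this helper does no policy evaluation of its own.
    """
    outcome = {}
    for user_id in user_ids:
        try:
            result = expire_password(org_url, user_id, api_token, opener=opener)
            outcome[user_id] = "expired"
            print(user_id, redact_temp_password(result))  # loggable form only
        except urllib.error.HTTPError as exc:  # 404 unknown user, 403 token lacks rights, ...
            outcome[user_id] = "error: %d" % exc.code
    return outcome


if __name__ == "__main__":
    token = os.environ.get("OKTA_API_TOKEN", "<api-token-placeholder>")
    # "00u_placeholder_1" and "00u_placeholder_2" are constructed user IDs.
    print(expire_many(ORG_URL, ["00u_placeholder_1", "00u_placeholder_2"], token))
```

Run it with a real token only after the users have been converted to Okta-sourced accounts; for AD-sourced users the same call does not change what Active Directory enforces, which is why the page's steps remove delegated authentication first.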