Use Okta API to expire user passwords

Use the Okta API to expire Okta-sourced user passwords and require affected users to set a new password on their next sign-in attempt.

  1. In the Admin Console, go to DirectoryDirectory IntegrationsActive DirectoryProvisioning.
  2. Click Integration in the Settings list.
  3. Scroll down and clear the Enable delegated authentication to Active Directory checkbox.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. Under Settings, click To App, click Edit. Scroll to the Sync Password section, and then select Enable.
  8. Click Save.
  9. Optional. To exclude specific users from password expiration:
    1. Click SecurityAuthentication and select Active Directory Policy.
    2. Scroll down and click Add Rule.
    3. Complete these fields:
      • Rule Name: Enter a name for the rule.
      • Exclude Users: Optional. Identify the users that you want to exclude from this rule.
      • IF User's IP Address is: Optional. Indicate if the rule should apply to an IP address that is inside or outside of a specific zone.
      • THEN User can: Select change password.
    4. Click Create Rule.
  10. Call the expire_password endpoint with tempPassword set to true. See Expire Password.