Use the Okta API to expire user passwords

Use the Okta API to expire Okta-sourced user passwords and prompt them to set a new password when they next sign in.

  1. In the Admin Console, go to DirectoryDirectory IntegrationsActive DirectoryProvisioning.
  2. Click Integration in the Settings list.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the Settings list, click To App, click Edit, scroll to the Sync Password section, and select Enable.
  8. Click Save.
  9. Optional. To exclude specific users from password expiration:
    1. Click SecurityAuthentication and select Active Directory Policy.
    2. Scroll down and click Add Rule.
    3. Complete these fields:
      • Rule Name — Enter a name for the rule.
      • Exclude Users — Optional. Identify the users you want excluded from this rule.
      • IF User's IP Address is — Optional. Indicate if the rule should apply to an IP address that is inside or outside a specific zone.
      • THEN User can — Select change password.
    4. Click Create Rule.
  1. Access the expire_password endpoint in the Okta User API and change the tempPassword parameter value to TRUE. See Expire Password in the Okta Developer Documentation.