Synchronize passwords from Okta to Active Directory

You enable Sync Password to synchronize user passwords from Okta to Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD) and to provisioning enabled applications.

With Okta to AD synchronization, the Okta password is pushed to AD. This can be useful if you want Okta to be the final authentication resource and you need to use your AD instance to authenticate access to legacy resources that you can’t connect to Okta. To allow Okta to synchronize with AD, the delegated authentication setting for the AD domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). must be off. The Okta Active Directory (AD) agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. needs additional permissions to write the new password to AD. All password changes should be initiated in Okta and propagated to AD and users should be prohibited from changing their passwords directly in AD.

These events activate an Okta to AD synchronization:

  • A user updates their Okta password
  • A user recovers their Okta password
  • An administrator initiates an Okta password reset

If an Okta user is pushed to AD after they have activated their Okta account, the AD user object is in a "User must change password at next logon" state. In this scenario, the user must first log onto Okta in order for the password to be pushed from Okta to AD.


To synchronize passwords from Okta to AD and to provisioning enabled applications:

Synchronize Okta passwords to Active Directory

Push a user's Okta password to AD during initial Okta set up, or whenever the user's Okta password changes.

  1. On the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console, click Directory > Directory Integrations > Active Directory > ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications..
  2. In the SETTINGS list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box. This transfers password mastering from AD to Okta.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the SETTINGS list, click To AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., click Edit, scroll to the Sync Password section and select Enable.
  8. Click Save.