Synchronize passwords from Okta to Active Directory

You enable Sync Password to synchronize user passwords from Okta to Active Directory (AD) and to provisioning enabled applications.

With Okta to AD synchronization, the Okta password is pushed to AD. This can be useful if you want Okta to be the final authentication resource and you need to use your AD instance to authenticate access to legacy resources that you can’t connect to Okta. To allow Okta to synchronize with AD, the delegated authentication setting for the AD domain must be off. The Okta Active Directory (AD) agent needs additional permissions to write the new password to AD. All password changes should be initiated in Okta and propagated to AD and users should be prohibited from changing their passwords directly in AD.

These events activate an Okta to AD synchronization:

  • A user updates their Okta password
  • A user recovers their Okta password
  • An administrator initiates an Okta password reset

If an Okta user is pushed to AD after they have activated their Okta account, the AD user object is in a "User must change password at next logon" state. In this scenario, the user must first log onto Okta in order for the password to be pushed from Okta to AD.

Prerequisites

To synchronize passwords from Okta to AD and to provisioning enabled applications:

  • You have an AD instance integrated with Okta
  • Users imported or assigned to the AD instance are Okta mastered
  • The Okta AD agent service account allows users to reset passwords and forces password change permissions
  • Delegated Authentication is disabled and the Okta Password Sync agent is not installed

Synchronize Okta passwords to Active Directory

Push a user's Okta password to AD during initial Okta set up, or whenever the user's Okta password changes.

  1. In the Admin Console, go to Directory > Directory Integrations > Active Directory > Provisioning.
  2. In the SETTINGS list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box. This transfers password mastering from AD to Okta.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the SETTINGS list, click To App, click Edit, scroll to the Sync Password section and select Enable.
  8. Click Save.