Expire end-user passwords
Expire All End-User Passwords
The Expire Passwords feature allows you to expire the passwords of all Okta-mastered users with one click. Every Okta-mastered user is forced to change their password at their next sign in.
Keep in mind the following:
- Active sessions remain active. The user is prompted for a new password at the next Okta sign in.
- You can use the App Password Health Report on the Reports page to monitor how your users reset their passwords.
- API tokens are not expired by this action. An API token remains valid for 30 days after its last use and is renewed automatically with each request to Okta. For more information on API token expiration and revocation, see API Tokens.
- Bulk password expiration only applies to Okta-mastered users, unless the Active Directory Password Reset feature is enabled. The passwords of users managed through Active Directory and LDAP delegated authentication are not expired. Your Active Directory and LDAP agents continue to work even if the service account managed by Okta has an expired password.
- If you are responding to a security vulnerability, ensure that your applications are already patched and no longer vulnerable before expiring Okta passwords; otherwise the new passwords pushed to those applications can be exposed the same way as the old ones.
- When a user's Okta password is changed, all applications assigned to the user that support provisioning and have Sync Password enabled are updated with the new password.
To expire the passwords of all Okta-mastered end-users, do the following:
- From the People page, click More Actions > Expire Passwords.
- On the confirmation page, click Expire Passwords.
Expire an individual end user's password through the Admin Console
You can effectively expire an individual's Okta password by assigning them a temporary password. The user is required to change their password the next time they sign in.
- Go to Directory > People.
- Click the user whose password you want to expire.
- Click Reset Password.
- Click Temporary Password.
A temporary password is created for the account and the account is marked as expired. The temporary password is displayed for your information. Be sure to distribute the new password to the user securely; for example, by email or voice mail. The next time the user signs into Okta, they must enter the temporary password and create a new password.
Note: After you generate a temporary password, you cannot create a password reset link. The message "Password reset. User is now in one-time password mode." is displayed when viewing the user.
Notes for AD-mastered users in a Delegated Authentication environment
- When an admin triggers a password reset, the original password does not expire in Active Directory. If the user remembers their original AD password, they can still use it to sign in despite the password reset.
- If an admin uses the Temporary Password option for a user whose AD account has the "Password never expires" option set, the user is not prompted to change their password after entering the temporary password.
Expire an individual end user's password through the Okta API
The Okta Users API provides a credential lifecycle operation to expire the password of a specific user. Unlike the Admin Console, the API gives you the choice of expiring only the current password, so the user must change it at next sign in, without generating a new temporary password.
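The following is an added example (not Okta's own code) of the two ways to call that lifecycle operation from a script. It assumes the endpoint paths of Okta's Users API as documented by Okta (`POST /api/v1/users/{userId}/lifecycle/expire_password` and `POST /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password`); the org URL, user ID and API token are placeholders, and the sample response bodies used by the helpers are constructed, not captured from a live org.

```python
"""
Expire one user's Okta password via the Users API lifecycle operation.

Added example, not Okta's own code.  Assumptions, labelled here:
  - ORG_URL, USER_ID and API_TOKEN are placeholders, not real values.
  - Endpoint paths follow Okta's Users API as documented by Okta:
      POST /api/v1/users/{userId}/lifecycle/expire_password
      POST /api/v1/users/{userId}/lifecycle/expire_password_with_temp_password
  - expire_password() performs a live call; the two helpers are pure and run offline.
"""
import json
import urllib.error
import urllib.request

ORG_URL = "https://example.okta.com"      # placeholder org URL
USER_ID = "00u1abcd2efGH3ijk4l5"          # placeholder user ID
API_TOKEN = "REPLACE_WITH_SSWS_TOKEN"     # placeholder API token


def build_expire_request(org_url: str, user_id: str, api_token: str,
                         with_temp_password: bool = False) -> urllib.request.Request:
    """Build the POST that expires the user's current password.

    with_temp_password=False: the user keeps their current password but is
    forced to change it at next sign in (user status becomes PASSWORD_EXPIRED).
    with_temp_password=True: Okta additionally generates a one-time temporary
    password, as the Admin Console's Temporary Password button does.
    """
    op = ("expire_password_with_temp_password" if with_temp_password
          else "expire_password")
    url = f"{org_url.rstrip('/')}/api/v1/users/{user_id}/lifecycle/{op}"
    # Empty JSON body; the API token goes in the SSWS authorization header.
    return urllib.request.Request(
        url,
        data=b"{}",
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def interpret_expire_response(body: dict, with_temp_password: bool = False) -> dict:
    """Reduce the API response to what an operator needs to verify.

    Without a temp password, success is the user object with status
    PASSWORD_EXPIRED.  With a temp password, success is a body carrying the
    generated tempPassword, which must be delivered to the user securely.
    Any Okta error body carries an errorCode and is raised as an exception.
    """
    if "errorCode" in body:
        raise RuntimeError(f"{body['errorCode']}: {body.get('errorSummary', '')}")
    if with_temp_password:
        if "tempPassword" not in body:
            raise RuntimeError("expected a tempPassword in the response")
        return {"expired": True, "temp_password": body["tempPassword"]}
    if body.get("status") != "PASSWORD_EXPIRED":
        raise RuntimeError(f"unexpected user status {body.get('status')!r}")
    return {"expired": True, "temp_password": None}


def expire_password(org_url: str, user_id: str, api_token: str,
                    with_temp_password: bool = False) -> dict:
    """Perform the live call.  Okta returns 4xx/5xx with a JSON error body."""
    req = build_expire_request(org_url, user_id, api_token, with_temp_password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        body = json.loads(err.read() or b"{}")
    return interpret_expire_response(body, with_temp_password)


if __name__ == "__main__":
    # Expire only the current password; no temporary password is generated.
    print(expire_password(ORG_URL, USER_ID, API_TOKEN))
```

Verify the result by reading the user back: a user whose password was expired without a temporary password shows `status` of `PASSWORD_EXPIRED`, and the notes above about AD-mastered users and about active sessions staying active apply to the API path exactly as they do to the Admin Console.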
Portal or External Users
If your Okta organization powers an external user portal, the bulk password expiration feature may not be a viable solution. To use bulk expiration, your portal must support a password expiration flow and handle the following error code from the Create Session API operation.
Error code: E0000064
Description: Password is expired and must be changed.
HTTP return code: 401
Caution: If you change the default password policy to expire passwords or use the bulk password expiration feature, your application must handle this error. A portal that treats every 401 as a failed sign in will lock out every user whose password has been expired.
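The following is an added example (not Okta's or any portal's own code) of how a portal can tell the password-expired error apart from an ordinary sign-in failure when it calls the Create Session operation. It assumes the documented shape of Okta error bodies (`errorCode`, `errorSummary`, `errorCauses`); the sample responses are constructed rather than captured from a live org, the session ID is a placeholder, and the change-password route is a hypothetical portal path.

```python
"""
Portal-side handling of the password-expired error (E0000064) returned by
Okta's Create Session operation (POST /api/v1/sessions).

Added example, not Okta's code.  Assumptions, labelled here:
  - the sample responses below are constructed from the documented shape
    of Okta error bodies, not captured from a live org;
  - /account/change-password is a hypothetical route in the portal;
  - E0000004 is Okta's generic authentication-failure code.
"""
import json
from dataclasses import dataclass
from typing import Optional

PASSWORD_EXPIRED = "E0000064"   # documented: password is expired and must be changed
AUTH_FAILED = "E0000004"        # authentication failed (bad credentials)
CHANGE_PASSWORD_ROUTE = "/account/change-password"   # hypothetical portal route


@dataclass(frozen=True)
class SessionOutcome:
    action: str                  # "session_created" | "change_password" | "reject"
    session_id: Optional[str]    # set only when a session was created
    message: str


def classify_session_response(http_status: int, raw_body: str) -> SessionOutcome:
    """Map an Okta Create Session response to a portal action.

    Keying on the HTTP code alone is not enough: 401 is returned both for bad
    credentials and for an expired password, and only the latter should send
    the user into the change-password flow.
    """
    try:
        body = json.loads(raw_body) if raw_body else {}
    except json.JSONDecodeError:
        body = {}

    if http_status == 200 and "id" in body:
        return SessionOutcome("session_created", body["id"], "signed in")

    code = body.get("errorCode")
    if http_status == 401 and code == PASSWORD_EXPIRED:
        # The credentials were valid; route to the change-password flow rather
        # than the generic failure page, or bulk expiration locks everyone out.
        return SessionOutcome("change_password", None,
                              f"password expired; redirect to {CHANGE_PASSWORD_ROUTE}")
    if http_status == 401 and code == AUTH_FAILED:
        return SessionOutcome("reject", None, "invalid credentials")
    return SessionOutcome("reject", None, f"unexpected response {http_status} {code}")


# Constructed sample responses (not captured from a live org).
SAMPLES = {
    "expired": (401, json.dumps({
        "errorCode": "E0000064",
        "errorSummary": "Password is expired and must be changed.",
        "errorLink": "E0000064",
        "errorCauses": [],
    })),
    "bad_creds": (401, json.dumps({
        "errorCode": "E0000004",
        "errorSummary": "Authentication failed",
        "errorCauses": [],
    })),
    "ok": (200, json.dumps({"id": "sess_placeholder", "login": "user@example.com"})),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:>9} -> {classify_session_response(status, body)}")
```

The same branching applies if the portal later moves to the Authentication API, which reports an expired password as a status rather than an error; the point that survives either way is that the portal must have a change-password flow to hand the user to before anyone bulk-expires passwords.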