Expire end-user passwords

You can expire end user passwords individually or in bulk.

Expire All End-User Passwords

The Expire Passwords feature expires the passwords of all Okta-mastered users with one click. Every Okta-mastered user is forced to change their password at their next sign in.

Keep in mind the following:

  • Active sessions remain active. The user is prompted for a new password at the next Okta sign in.
  • You can use the App Password Health Report on the Reports page to monitor how your users reset their passwords.
  • API tokens are not expired by this operation. API tokens remain valid for 30 days and renew automatically each time they are used to call Okta. For more information on API token expiration and revocation, see API Tokens.
  • Bulk password expiration applies only to Okta-mastered users, unless the Active Directory Password Reset feature is enabled. Passwords of users who authenticate through Active Directory or LDAP delegated authentication are not expired. Your Active Directory and LDAP agents continue to work even if the service account managed by Okta has an expired password.
  • If you are responding to a security vulnerability, make sure the affected applications are already patched and no longer vulnerable before expiring Okta passwords; otherwise the new passwords can be exposed through the same weakness.
  • When a user's Okta password changes, every application assigned to that user that supports Provisioning and has Sync Password enabled is updated with the new password.

To expire the passwords of all Okta-mastered end users, do the following:

  1. From the People page, click More Actions > Expire Passwords.
  2. On the confirmation page, click Expire Passwords.

Expire an individual end user's password through the Admin Console

You can effectively expire an individual's Okta password by assigning them a temporary password. The user is required to change their password the next time they sign in.

  1. Go to Directory > People.
  2. Click the user whose password you want to expire.
  3. Click Reset Password.
  4. Click Temporary Password.

A temporary password is created for the account and the account is marked as expired. The temporary password is displayed for your information. Distribute it to the user through a channel you trust and whose recipient you have verified; email or voice mail is acceptable only if you are confident that mailbox is not itself compromised. The next time the user signs in to Okta, they must enter the temporary password and then create a new one.

Note: After you generate a temporary password, you cannot create a password reset link. The message "Password reset. User is now in one-time password mode." is displayed when viewing the user.

Expire an individual end user's password through the Okta API

The Okta Users API provides a credential lifecycle operation that expires the password of a specific user. Unlike the Admin Console, the API can expire only the current password, without generating a temporary one; the user must then set a new password at their next sign in.
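The following is an added example, not code from the Okta page, showing how a script would call that lifecycle operation for one user and, as a practical extension of the page's bulk action, loop over a user list and expire only the Okta-mastered accounts (skipping AD/LDAP-delegated users, whose passwords the operation cannot expire). The endpoint path POST /api/v1/users/{id}/lifecycle/expire_password is Okta's Users API as the author knows it; the ?tempPassword=true variant is included as the API counterpart of the console's temporary-password button and should be checked against your org's current API reference. ORG_URL, API_TOKEN, SAMPLE_USERS and the FakeOkta transport are placeholders constructed for the example so it runs offline.

```python
"""Expire Okta user passwords through the Users API.

Added example; not code from the Okta page. ORG_URL and API_TOKEN are
placeholders, and the HTTP transport is injected so the logic runs offline.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

ORG_URL = "https://example.okta.com"   # placeholder org URL (assumption)
API_TOKEN = "00REPLACE_ME"             # placeholder SSWS API token (assumption)

# Transport: send(method, url, headers) -> (http_status, json_body)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def auth_headers(token: str) -> Dict[str, str]:
    """Okta API tokens are presented with the SSWS authorization scheme."""
    return {"Authorization": f"SSWS {token}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def expire_password_url(org_url: str, user_id: str, temp_password: bool = False) -> str:
    """Credential lifecycle URL. Without the query parameter Okta only expires
    the current password (user status becomes PASSWORD_EXPIRED); with
    tempPassword=true it also generates and returns a temporary password."""
    url = f"{org_url}/api/v1/users/{user_id}/lifecycle/expire_password"
    return url + "?tempPassword=true" if temp_password else url


def is_okta_mastered(user: dict) -> bool:
    """True when Okta itself holds the credential (provider type OKTA).
    AD/LDAP delegated users are not expired by this operation, so skip them."""
    provider = user.get("credentials", {}).get("provider", {})
    return provider.get("type") == "OKTA"


def expire_user_password(send: Transport, user_id: str, temp_password: bool = False,
                         org_url: str = ORG_URL, token: str = API_TOKEN) -> dict:
    """Expire one user's password; returns the API's JSON response."""
    status, body = send("POST", expire_password_url(org_url, user_id, temp_password),
                        auth_headers(token))
    if status != 200:
        raise RuntimeError(f"expire_password for {user_id} failed: "
                           f"{body.get('errorCode')} {body.get('errorSummary')}")
    return body


def expire_all_okta_mastered(send: Transport, users: Iterable[dict]) -> List[str]:
    """Expire every Okta-mastered user in `users` one by one (an API-driven
    equivalent of the console's bulk action); returns the ids that were expired."""
    expired: List[str] = []
    for user in users:
        if is_okta_mastered(user):
            expire_user_password(send, user["id"])
            expired.append(user["id"])
    return expired


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport for live use (standard library only)."""
    req = urllib.request.Request(url, data=b"", method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


# --- offline demo material (constructed; not real accounts or responses) ---
SAMPLE_USERS = [
    {"id": "00u1abc", "status": "ACTIVE",
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"id": "00u2def", "status": "ACTIVE",
     "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example"}}},
]


class FakeOkta:
    """Stand-in for the Okta API: records calls and answers in the shape the
    real endpoint uses (200 plus the user object with status PASSWORD_EXPIRED)."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str]] = []

    def send(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        self.calls.append((method, url))
        if headers.get("Authorization") != f"SSWS {API_TOKEN}":
            return 401, {"errorCode": "E0000011", "errorSummary": "Invalid token provided"}
        user_id = url.split("/users/")[1].split("/")[0]
        return 200, {"id": user_id, "status": "PASSWORD_EXPIRED"}


if __name__ == "__main__":
    fake = FakeOkta()
    print(expire_all_okta_mastered(fake.send, SAMPLE_USERS))  # only the OKTA-provider user
    print(fake.calls)
```

For live use, pass urllib_transport as `send` and set ORG_URL and API_TOKEN to real values; the token itself is affected by none of this, which is why it is read from a constant here rather than from a user's credentials. Expiring hundreds of users this way will hit Okta's rate limits, so a production script should watch for HTTP 429 and back off.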

Portal or External Users

If your Okta organization powers an external user portal, the bulk password expiration feature may not be a viable solution as-is. To use bulk expiration, your portal must support a password expiration flow and must handle the following error returned by the Create Session API operation.

Error code: E0000064
Description: Password is expired and must be changed.
HTTP return code: 401

Caution: If you change the default password policy to expire passwords or use the bulk password expiration feature, your application must handle this error.
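The following is an added example, not code from the Okta page, showing the handling a portal needs on its sign-in path: it classifies the Create Session response, treats a 401 with errorCode E0000064 as "authenticated but expired" and routes the user into the portal's own change-password flow rather than showing an invalid-credentials error. The portal paths, the SAMPLE_* responses and the fake_okta transport are constructed for the example so it runs offline; the request shape for POST /api/v1/sessions is Okta's Create Session operation as the author knows it.

```python
"""Handle an expired-password response from Okta's Create Session API in a portal.

Added example; not code from the Okta page. The portal paths and the SAMPLE_*
responses are constructed, and the HTTP transport is injected so it runs offline.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PASSWORD_EXPIRED = "E0000064"   # "Password is expired and must be changed." (HTTP 401)

# Transport: send(method, url, headers, body) -> (http_status, response_text)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


@dataclass
class SignInOutcome:
    state: str                      # "ok" | "password_expired" | "rejected" | "error"
    session_id: Optional[str] = None
    message: str = ""


def create_session_request(org_url: str, username: str, password: str):
    """Create Session call: POST /api/v1/sessions with the credentials as JSON."""
    url = f"{org_url}/api/v1/sessions"
    body = json.dumps({"username": username, "password": password}).encode()
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    return "POST", url, headers, body


def classify_session_response(status: int, body: str) -> SignInOutcome:
    """Map Okta's HTTP status and JSON error envelope to a portal decision.

    An expired password is a 401 with errorCode E0000064 and must not be treated
    like a wrong password: the user authenticated correctly and needs a change flow.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return SignInOutcome("error", message=f"HTTP {status}: non-JSON body")
    if status == 200:
        return SignInOutcome("ok", session_id=data.get("id"))
    code = data.get("errorCode")
    if status == 401 and code == PASSWORD_EXPIRED:
        return SignInOutcome("password_expired", message=data.get("errorSummary", ""))
    if status == 401:
        # Any other 401: show a generic message; don't echo Okta's summary to the user.
        return SignInOutcome("rejected", message="Invalid username or password.")
    return SignInOutcome("error", message=f"HTTP {status}: {code}")


def route_after_sign_in(outcome: SignInOutcome) -> str:
    """Portal paths (assumed) for each outcome. /change-password is the portal's own
    expiry flow, which must exist before bulk expiration or an expiring policy is enabled."""
    return {"ok": "/home",
            "password_expired": "/change-password",
            "rejected": "/login?error=invalid",
            "error": "/login?error=unavailable"}[outcome.state]


def sign_in(send: Transport, org_url: str, username: str, password: str) -> SignInOutcome:
    method, url, headers, body = create_session_request(org_url, username, password)
    status, text = send(method, url, headers, body)
    return classify_session_response(status, text)


# --- constructed sample responses, modelled on the shapes the page describes ---
SAMPLE_OK = (200, '{"id": "101Wsession", "userId": "00u1abc", "status": "ACTIVE"}')
SAMPLE_EXPIRED = (401, '{"errorCode": "E0000064", "errorSummary": '
                       '"Password is expired and must be changed.", "errorCauses": []}')
SAMPLE_BAD_CREDS = (401, '{"errorCode": "E0000004", "errorSummary": "Authentication failed"}')


def fake_okta(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Offline transport: picks a sample response from the constructed password value."""
    creds = json.loads(body)
    table = {"correct": SAMPLE_OK, "correct-but-expired": SAMPLE_EXPIRED}
    return table.get(creds["password"], SAMPLE_BAD_CREDS)


if __name__ == "__main__":
    for pw in ("correct", "correct-but-expired", "wrong"):
        out = sign_in(fake_okta, "https://example.okta.com", "alice@example.com", pw)
        print(pw, "->", out.state, route_after_sign_in(out))
```

The same classification applies whether the expiry came from the bulk feature or from a password policy with an expiration age: from the portal's point of view both arrive as this one error code. What the /change-password page does next (collect the old and new password and submit them to Okta) is the portal's own flow and is outside this example.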