Expire end user passwords

You can expire end user passwords individually or in bulk.

Expire all end user passwords

The Expire Passwords feature allows you to expire the passwords of all Okta-mastered users with one click. Every Okta-mastered user will be forced to change their password the next time they sign in.

Keep in mind the following:

To expire the passwords of all Okta-mastered end users, do the following:

  1. On the People page, click More Actions > Expire Passwords.
  2. On the confirmation page, click Expire Passwords.

Expire an individual end user's password through Admin Console

You can effectively expire an individual's Okta password by assigning them a temporary password. The user will be required to change their password the next time they sign in.

  1. Go to Directory > People.
  2. Click the user whose password you want to expire.
  3. Click Reset Password.
  4. Click Temporary Password.

A temporary password is created for the account and the account is marked as expired. The temporary password is displayed for your information. Be sure to distribute the new password to the user securely; for example, by email or voice mail. The next time the user signs in to Okta, they must enter the temporary password and create a new password.

Note: After you generate a temporary password, you cannot create a password reset link. The message "Password reset. User is now in one-time password mode." is displayed when viewing the user.

Notes for AD-mastered users in a Delegated Authentication environment

Expire an individual end user's password through the Okta API

The Okta API provides a credential life cycle operation to expire a password for a specific user. The API provides the flexibility to expire only the current password without generating a new temporary password.

Portal or External Users

If your Okta organization powers an external user portal, the bulk password expiration feature may not be a viable solution. To use bulk expiration, your portal must support a password expiration flow and handle the following error code for the Create Session API operation.

Error code: E0000064
Description: Password is expired and must be changed.
HTTP return code: 401

Caution: If you change the default password policy to expire passwords or use the bulk password expiration feature, your application must handle this error.
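The following added example (not Okta's own code) shows one way a portal can route the result of its sign-in call so that E0000064 starts a password change flow instead of being reported as a generic failure. It assumes the failure body is JSON with an errorCode field; the function names, route names, and sample responses are hypothetical.

```javascript
// Added example: route a portal sign-in result, treating the
// "password expired" error as its own flow rather than a generic failure.
// Assumption: the failure body is JSON carrying an `errorCode` field.
const PASSWORD_EXPIRED = "E0000064"; // error code listed on this page

// Parse the body defensively; a proxy or gateway may return non-JSON.
function parseErrorCode(bodyText) {
  try {
    const body = JSON.parse(bodyText);
    return body && typeof body.errorCode === "string" ? body.errorCode : null;
  } catch (e) {
    return null;
  }
}

// Decide what the portal does next. `status` and `bodyText` come from the
// portal's own call to the Create Session operation (call not shown).
function routeSignInResult(status, bodyText) {
  if (status >= 200 && status < 300) {
    return { next: "session", message: null };
  }
  const code = parseErrorCode(bodyText);
  if (status === 401 && code === PASSWORD_EXPIRED) {
    // Password is expired: no session is created; send the user to the
    // portal's (hypothetical) change-password page.
    return { next: "change-password", message: "Your password has expired." };
  }
  if (status === 401) {
    // Any other 401 is an ordinary sign-in failure.
    return { next: "sign-in", message: "Sign-in failed." };
  }
  // Anything else (5xx, unparseable body, unexpected status): fail closed.
  return { next: "error", message: "Sign-in is unavailable. Try again later." };
}

// Constructed sample responses, not captured traffic.
const samples = [
  [200, '{"id":"constructed-session"}'],
  [401, '{"errorCode":"E0000064","errorSummary":"Password is expired and must be changed."}'],
  [401, '{"errorCode":"CONSTRUCTED-OTHER"}'],
  [401, "<html>gateway error</html>"],
  [503, ""],
];
for (const [status, body] of samples) {
  console.log(status, routeSignInResult(status, body).next);
}
```

Run a check like this against the portal before using bulk expiration, so that expired users reach a page where they can set a new password.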