Use the Okta API to expire user passwords

Use the Okta API to expire Okta-mastered user passwords and prompt them to set a new password when they next sign in.

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory > Provisioning.
  2. In the SETTINGS list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the SETTINGS list, click To App, click Edit, scroll to the Sync Password section and select Enable.
  8. Click Save.
  9. Click Security > Authentication and select Active Directory Policy.
  10. Scroll down and click Add Rule.
  11. Complete these fields:
  • Rule Name — Enter a name for the rule.
  • Exclude Users — Optional. Identify the users you want excluded from this rule.
  • IF User's IP Address is — Optional. Indicate if the rule should apply to an IP address that is inside or outside a specific zone.
  • THEN User can — Select change password.
  12. Click Create Rule.
  13. Access the expire_password endpoint in the Okta User API and change the tempPassword parameter value to TRUE. For help working with Okta REST APIs, see Get Started with the Okta REST APIs.
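The final step, calling the expire_password endpoint with tempPassword set to TRUE, as an added example in Python (not Okta's own code or SDK). It assumes the documented Users API path `/api/v1/users/{userId}/lifecycle/expire_password`, the `SSWS` token scheme, and a `tempPassword` field in the success response; the org domain, user id and token are placeholders read from environment variables, and the sample responses in the test are constructed.

```python
"""Expire an Okta-mastered user's password via the Users API (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Path documented for the Okta Users API lifecycle operation (not invented here).
EXPIRE_PATH = "/api/v1/users/{user_id}/lifecycle/expire_password"


def build_expire_password_request(okta_domain, user_id, api_token, temp_password=True):
    """Return a ready-to-send urllib Request for the expire_password endpoint.

    okta_domain: e.g. "example.okta.com" (placeholder; use your own org's domain).
    user_id:     the Okta user id or login; it is URL-encoded so a login such as
                 "jane.doe@example.com" cannot alter the request path.
    api_token:   an Okta API token, sent with the SSWS authorization scheme.
    """
    path = EXPIRE_PATH.format(user_id=urllib.parse.quote(user_id, safe=""))
    query = urllib.parse.urlencode({"tempPassword": "true" if temp_password else "false"})
    url = f"https://{okta_domain}{path}?{query}"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {api_token}",
    }
    return urllib.request.Request(url, method="POST", headers=headers)


def parse_expire_password_response(status, body):
    """Interpret the response body as a small dict.

    With tempPassword=true Okta answers with a JSON object whose 'tempPassword'
    field is the one-time password the user must sign in with before being forced
    to choose a new one (assumed field name). Treat it as a secret: hand it to the
    user out of band and never write it to logs or tickets.
    """
    data = json.loads(body) if body else {}
    if status != 200:
        # Okta error bodies carry errorCode/errorSummary; surface those, not the token.
        return {
            "mode": "error",
            "status": status,
            "summary": data.get("errorSummary", "unknown error"),
        }
    if "tempPassword" in data:
        return {"mode": "temp_password", "temp_password": data["tempPassword"]}
    # With tempPassword=false the User object comes back; the password is just expired.
    return {"mode": "expired", "user_id": data.get("id"), "status": data.get("status")}


def expire_password(okta_domain, user_id, api_token, temp_password=True):
    """Send the request and return the parsed result (network call, needs real creds)."""
    req = build_expire_password_request(okta_domain, user_id, api_token, temp_password)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_expire_password_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_expire_password_response(err.code, err.read().decode())


if __name__ == "__main__":
    # The request is only sent when credentials arrive via the environment, so the
    # module can be imported and exercised offline.
    domain = os.environ.get("OKTA_DOMAIN")      # placeholder, e.g. example.okta.com
    token = os.environ.get("OKTA_API_TOKEN")    # never hard-code the API token
    user = os.environ.get("OKTA_USER_ID")       # user id or login to expire
    if domain and token and user:
        result = expire_password(domain, user, token, temp_password=True)
        # The temporary password is deliberately not printed.
        print("expire_password result mode:", result["mode"])
    else:
        print("set OKTA_DOMAIN, OKTA_API_TOKEN and OKTA_USER_ID to send the request")
```

Keeping the request builder separate from the network call lets you review the exact URL and headers (and unit-test the login encoding) without an Okta tenant; the API token should come from a secrets store or environment variable, and the returned temporary password should be delivered to the user through a separate channel rather than echoed into logs.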