Using Sync Password



This feature pushes a user's Okta password to that user's Active Directory object. The push occurs during initial Okta setup, at Okta sign-in, or whenever the user's Okta password changes.

Note: If an Okta user is pushed to Active Directory after the user has already activated their Okta account, the Active Directory user object is placed in the "User must change password at next logon" state. In this scenario, the user must first sign in to Okta so that the password is pushed from Okta to AD.



The following table details the settings and components required for each Sync Password use case. The column labels are:

  A = Enable DelAuth in Okta AD Settings?
  B = Install Password Sync Agent? †
  C = Enable Sync Password in Okta AD Settings?
  D = Enable Sync Password in App? ‡

Use case                                                                         A    B    C    D
Active Directory environments
  Make users' Okta credentials the same as their AD credentials                  Yes  No   No   No
  Make users' Okta credentials the same as their AD credentials and push
    AD passwords to provisioning-enabled apps                                    Yes  Yes  No   Yes
  Expire an Okta-mastered user's password using the Okta Expire Password API    No   No   Yes  No
  Sync Okta passwords to AD                                                      No   No   Yes  No
  Sync Okta passwords to AD and push passwords to provisioning-enabled apps      No   No   Yes  Yes
Non-Active Directory environments
  Push users' Okta password or a random password to provisioning-enabled apps    No   No   No   Yes

† In the use case that requires the agent, the Password Sync Agent must be installed and configured on every domain controller in each domain of your forest, and the Okta username format must be User Principal Name (UPN).
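The two prerequisites above are easy to get partly right: one domain controller without the agent means password changes handled by that DC are never captured, and accounts with no UPN cannot be matched when the Okta username format is UPN. The following PowerShell script is an added example, not Okta's own tooling, that walks every domain in the forest, queries each DC for the agent's Windows service, and lists enabled users with an empty UPN. It assumes the RSAT ActiveDirectory module is available, that the caller can query CIM on each DC, and that the agent's service name or display name contains "Okta" (the exact service name is not given on this page).

```powershell
# Added example (not Okta's own code). Assumptions: RSAT ActiveDirectory module
# present; CIM/WMI access to each DC; the Password Sync Agent's Windows service
# has "Okta" in its Name or DisplayName (assumed, adjust to the real name).
Import-Module ActiveDirectory

$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    Write-Host "Domain: $domain"

    # Every writable DC in the domain must run the agent (see footnote above).
    $dcs = Get-ADDomainController -Filter * -Server $domain
    foreach ($dc in $dcs) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                   -Filter "Name LIKE '%Okta%' OR DisplayName LIKE '%Okta%'" -ErrorAction Stop
        } catch {
            Write-Warning "$($dc.HostName): could not query services ($($_.Exception.Message))"
            continue
        }
        if (-not $svc) {
            Write-Warning "$($dc.HostName): no Okta service found; install the Password Sync Agent here"
        } else {
            foreach ($s in $svc) {
                "{0}: {1} ({2}, {3})" -f $dc.HostName, $s.DisplayName, $s.State, $s.StartMode
            }
        }
    }

    # Accounts with no UPN cannot be matched when the Okta username format is UPN.
    $noUpn = Get-ADUser -Filter 'Enabled -eq $true' -Server $domain -Properties UserPrincipalName |
             Where-Object { [string]::IsNullOrEmpty($_.UserPrincipalName) }
    if ($noUpn) {
        Write-Warning "$domain : $(@($noUpn).Count) enabled user(s) have no UPN set"
        $noUpn | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
    }
}
```

Run it from a workstation or jump host with RSAT as an account that can read AD and query CIM on the DCs. Any DC that reports a warning, or any user listed in the UPN section, needs to be fixed before enabling the push-to-apps use case.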

‡ This option is available only in the provisioning settings of eligible SWA apps.
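For the "Expire an Okta-mastered user's password" row, the table only says which switches to flip; the call itself is made against the Okta Users API. The following PowerShell is an added example, not code from Okta's documentation: it looks up the user by login, confirms the account is Okta-mastered (credential provider type OKTA, since an AD-mastered user's password is owned by AD), and then posts to the expire_password lifecycle endpoint. The Okta domain, API token and login are placeholders you supply; with Sync Password enabled in the AD settings, the expiry is pushed to the user's AD object once they sign in to Okta and set a new password.

```powershell
# Added example (not Okta's own code). Placeholders: $OktaDomain (e.g. your org's
# Okta hostname), $ApiToken (an SSWS API token with user-admin rights), $Login.
param(
    [Parameter(Mandatory)] [string] $OktaDomain,
    [Parameter(Mandatory)] [string] $ApiToken,
    [Parameter(Mandatory)] [string] $Login
)

$headers = @{
    Authorization  = "SSWS $ApiToken"
    Accept         = 'application/json'
    'Content-Type' = 'application/json'
}
$base = "https://$OktaDomain/api/v1/users"

# GET /api/v1/users/{login} resolves the login to the user record.
$user = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/$([uri]::EscapeDataString($Login))"

# Only Okta-mastered users are in scope for this use case; an AD-mastered
# user's password is owned by AD and should be expired there instead.
if ($user.credentials.provider.type -ne 'OKTA') {
    throw "$Login is mastered by $($user.credentials.provider.type), not Okta; not expiring."
}

# POST /api/v1/users/{id}/lifecycle/expire_password forces a change at next sign-in.
$result = Invoke-RestMethod -Method Post -Headers $headers `
          -Uri "$base/$($user.id)/lifecycle/expire_password"

"{0} ({1}): status is now {2}" -f $result.profile.login, $result.id, $result.status
```

Treat the API token like a domain-admin credential: scope it to a dedicated admin account, store it in a secret store rather than the script, and log who ran the expiry and for which login.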

For more information, see the Password Synchronization Overview guide.