Using Sync Password



This feature pushes an end user's Okta password to that end user's Active Directory object. This push occurs during initial Okta setup, at Okta logon, or whenever a user's Okta password changes. Passwords will also be synced from AD to Okta.

Note: If an Okta user is pushed to Active Directory after the user has already activated their Okta account, the Active Directory user object will be in a "User must change password at next logon" state. In this scenario, the user must first log onto Okta in order for the password to be pushed from Okta to AD.

The following table details the settings and components required for Sync Password use cases.


| Use Case | Enable DelAuth in Okta AD Settings? | Install Password Sync Agent? † | Enable Sync Password in Okta AD Settings? | |
| --- | --- | --- | --- | --- |
| Active Directory Environments | | | | |
| Allow users to sign in to Okta using their Active Directory credentials. | Yes | No | No | No |
| Make users' Okta credentials the same as their AD credentials and push AD passwords to provisioning-enabled apps | Yes | Yes | No | Yes |
| Sync an Okta user's password down to AD, when Okta is provisioning an on-premises AD environment | No | No | Yes | No |
| Sync Okta passwords to AD | No | No | Yes | No |
| Sync Okta passwords to AD and push passwords to provisioning-enabled apps | No | No | Yes | Yes |


† In this use case, the Password Sync Agent must be installed and configured on all domain controllers in each domain in your forest, and the Okta username format must be User Principal Name (UPN).

This option is available only in the provisioning settings of eligible SWA (Secure Web Authentication) apps.

For more information, see the Password Synchronization Overview guide.

Active Directory environments

Non-Active Directory Environments