Expire all user passwords

The Expire Passwords feature allows you to expire passwords of all Okta-sourced users. Every Okta-sourced user will be forced to change their password they next time they sign in. Before you enable this functionality, consider the following:

  • Active sessions remain active. The user is prompted for a new password the next time they sign in.
  • You can use the App Password Health Report on the Reports page to monitor how your users reset their passwords.
  • API tokens are not expired. API tokens are valid for 30 days and renew automatically with each request to Okta. For more information on API token expiration and revocation, see API token management.
  • Bulk password expiration only applies to Okta-managed users, unless the Active Directory Password Reset or LDAP Password Reset feature is enabled. When password reset functionality is enabled, the passwords of users managed with Active Directory or LDAP delegated authentication are also expired. Your Active Directory and LDAP agents will continue to work even if the service account managed by Okta has an expired password.
  • If you are responding to a security vulnerability, ensure that your applications are already patched and no longer vulnerable before resetting the Okta password.
  • When a user's Okta password is changed, all applications assigned to the user that support Provisioning and are Sync Password enabled are updated with the new password.
  1. In the Admin Console, go to Directory > People.
  2. Click More Actions > Expire Passwords.
  3. Click Expire Passwords in the confirmation dialog box.

Related topics

Reports