Expire a user's password on the Okta Admin Console

To expire a user's Okta password, you assign them a temporary password. The user will be required to change their password the next time they sign in. After you generate a temporary password, you cannot create a password reset link. The message "Password reset. User is now in one-time password mode" is displayed when viewing the user.

Active Directory mastered users in a Delegated Authentication environment

When a password is reset, the original password does not expire in Active Directory (AD). If the user remembers their original AD password, they can use it to sign in despite the password reset.

If the Temporary Password option is used for a user whose AD account has the Password never expires option enabled, the user is not prompted to change their password after entering the temporary password.

  1. In the Admin Console, go to Directory > People.
  2. Click a user name in the Person & Username column.
  3. Click Reset Password.
  4. Click Temporary Password.

A temporary password is created for the account and the account is marked as expired. The temporary password is displayed for your information. Be sure to distribute the new password to the user securely; for example, by email or voice mail. The next time the user signs in to Okta, they must enter the temporary password and create a new password.
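The Active Directory caveat above can be checked before you click Temporary Password. The following is an added example, not part of the original Okta documentation: it reads the Password never expires flag for a list of AD accounts. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the function name `Get-TempPasswordReadiness` and the sample account names are hypothetical.

```powershell
# Added example: audit AD-mastered accounts before issuing an Okta temporary password.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read user objects.
Import-Module ActiveDirectory

function Get-TempPasswordReadiness {
    [CmdletBinding()]
    param(
        # sAMAccountName values of the users about to be reset (hypothetical input)
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$SamAccountName
    )
    process {
        foreach ($name in $SamAccountName) {
            try {
                $u = Get-ADUser -Identity $name -ErrorAction Stop `
                        -Properties PasswordNeverExpires, PasswordLastSet, Enabled
            } catch {
                # Account not found or not readable: report it and keep auditing the rest
                [pscustomobject]@{
                    SamAccountName       = $name
                    Found                = $false
                    Enabled              = $null
                    PasswordNeverExpires = $null
                    PasswordLastSet      = $null
                    Note                 = "Lookup failed: $($_.Exception.Message)"
                }
                continue
            }
            # The flag decides whether the temporary password forces a change
            $note = if ($u.PasswordNeverExpires) {
                'Password never expires is enabled: no change prompt after the temporary password'
            } else {
                'User must create a new password after entering the temporary password'
            }
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Found                = $true
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                Note                 = $note
            }
        }
    }
}

# Constructed sample names; replace with the accounts you are about to reset
'jdoe', 'svc-report' | Get-TempPasswordReadiness | Format-Table -AutoSize
```

`PasswordLastSet` reports when the AD password itself last changed, which helps when reviewing accounts whose original AD password is still usable after the Okta reset.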