Synchronize passwords from Okta to Active Directory

Okta enables you to synchronize user passwords from Okta to Active Directory (AD). Enable the Sync Password feature if you want Okta to be the source of truth for authentications. You can continue using your AD instance to authenticate access to legacy resources that you can't connect to Okta.

To allow Okta to synchronize with AD, the delegated authentication setting for the AD domain must be off. The Okta Active Directory (AD) agent needs additional permissions to write the new password to AD. All password changes should be initiated in Okta and propagated to AD. Users should be prohibited from changing their passwords directly in AD. The user's current Okta password is pushed to AD the next time the user successfully signs in to Okta.

These events activate an Okta to AD synchronization:

  • A user updates their Okta password.
  • A user recovers their Okta password.
  • An administrator initiates an Okta password reset.

If an Okta user is pushed to AD after they have activated their Okta account, the AD user object is placed in a "User must change password at next logon" state. In this scenario, the user must first sign in to Okta for the password to be pushed from Okta to AD.

Before you begin

Before you can synchronize passwords from Okta to AD and to provisioning-enabled apps, make sure that:

  • You have an AD instance integrated with Okta.
  • Users imported or assigned to the AD instance are Okta-sourced.
  • The Okta AD agent service account has the AD permissions required to reset user passwords and to force a password change at next logon.
  • Delegated Authentication is disabled and the Okta AD Password Sync Agent isn't installed.
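
The following PowerShell script is an added example, not Okta's own tooling: it checks whether the AD agent service account holds the two rights the prerequisites call for (reset password, and write to pwdLastSet for a forced change) on the OU that holds Okta-sourced users, and lists enabled users still parked in the "User must change password at next logon" state that the earlier paragraph describes. It assumes the RSAT ActiveDirectory module is installed; the account name and OU are placeholders to adjust for your environment, and only ACEs granted directly to the account are inspected (rights inherited via group membership would need the group expanded first).

```powershell
# Added example (not Okta code). Assumes RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$AgentAccount = 'CORP\svc-okta-ad-agent'            # placeholder: agent service account
$TargetOU     = 'OU=Okta Users,DC=corp,DC=example'  # placeholder: OU with Okta-sourced users

function Get-PasswordRightGuids {
    # Resolve the GUIDs from the forest schema instead of hard-coding them.
    $rootDse = Get-ADRootDSE
    $reset = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
        -Properties rightsGuid
    $pwdLastSet = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' `
        -Properties schemaIDGUID
    [pscustomobject]@{
        ResetPassword = [guid]$reset.rightsGuid
        PwdLastSet    = [guid]$pwdLastSet.schemaIDGUID
    }
}

function Test-OktaAgentPasswordRights {
    param([string]$Account, [string]$OU)
    $guids = Get-PasswordRightGuids
    $extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Only Allow ACEs granted directly to the account; group-derived rights are not expanded.
    $aces = (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }

    # Reset Password is an extended right; an empty ObjectType means "all extended rights".
    $canReset = [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
        ($_.ObjectType -eq $guids.ResetPassword -or $_.ObjectType -eq [guid]::Empty)
    })
    # "Must change password at next logon" is a write of 0 to pwdLastSet.
    $canForceChange = [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
        ($_.ObjectType -eq $guids.PwdLastSet -or $_.ObjectType -eq [guid]::Empty)
    })

    [pscustomobject]@{
        Account       = $Account
        OU            = $OU
        ResetPassword = $canReset
        ForceChange   = $canForceChange
    }
}

function Get-UsersAwaitingOktaPush {
    param([string]$OU)
    # Enabled users whose AD password must change at next logon (pwdLastSet = 0).
    # They stay in this state until they next sign in to Okta and the password is pushed.
    Get-ADUser -SearchBase $OU -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' |
        Select-Object SamAccountName, DistinguishedName
}

Test-OktaAgentPasswordRights -Account $AgentAccount -OU $TargetOU | Format-List
Get-UsersAwaitingOktaPush -OU $TargetOU | Format-Table -AutoSize
```

Run it as an account that can read the OU's security descriptor. Both flags should report True before you enable Sync Password; a non-empty list from the second function after enabling it is expected and simply shows users who have not yet signed in to Okta since being pushed to AD.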

Synchronize Okta passwords to Active Directory

Push a user's Okta password to AD during initial Okta setup, or whenever the user's Okta password changes.

  1. In the Admin Console, go to Directory > Directory Integrations > Active Directory > Provisioning.
  2. In the Settings list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory checkbox. This transfers password sourcing from AD to Okta.
  4. Click Save.
  5. Select Create Okta password (recommended).

    This resets existing passwords. All users assigned to AD receive an automated email that instructs them to set a new password.

  6. Click Disable AD Authentication.
  7. In the Settings list, click To App, and then click Edit.
  8. Scroll to the Sync Password section and select Enable.
  9. Click Save.