Password migration considerations

Early Access release

Before you start to migrate passwords from AD to Okta, review the following table and consider how a password migration would impact your org.

Consideration: Effect

Impact on ADSSO: When password migration is finished, delegated authentication is disabled and Okta becomes the password source for all users. Okta performs all password authentication, so Agentless Desktop Single Sign-On (ADSSO) no longer works.

Password capture for passwordless orgs: To capture a user's password and migrate it to Okta, the user must enter their password at least once while the migration is active. If your org uses passwordless factors, you must choose one of the following approaches to have users enter their passwords:
  • Create and use a temporary authentication policy that requires users to enter their passwords to sign in to Okta. See Authentication.
  • Create a bookmark app, set it to open any internal page, and ask all users to access the app by entering their password. See Create a Bookmark App integration.

Password policy: Passwords are migrated from AD to Okta as they are, ignoring any Okta password policy requirements. When users reset their password after the migration is complete, the Okta password policy is enforced.

Universal Security Groups (USGs): Cross-domain USG memberships won't sync into Okta after the password migration is complete. This occurs because both delegated authentication and profile reload are disabled when the migration completes. A best practice is to divide the USGs into groups that belong to a single AD domain.
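
To find the USGs that the last consideration affects before you start, you can list every Universal Security Group that has members from a domain other than its own. The following script is an added example, not Okta tooling: it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and a helper function name (Get-DomainFromDN) chosen here for illustration.

```powershell
# Added example (read-only): report Universal Security Groups with cross-domain members.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain in the forest.
Import-Module ActiveDirectory

# Hypothetical helper: "CN=a,OU=b,DC=corp,DC=example,DC=com" -> "corp.example.com"
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash, keep only DC= components.
    $labels = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^DC=' } |
        ForEach-Object { $_.Substring(3) }
    ($labels -join '.').ToLowerInvariant()
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Universal + Security = USG; request the member attribute explicitly.
    $usgs = Get-ADGroup -Server $domain `
        -Filter "GroupScope -eq 'Universal' -and GroupCategory -eq 'Security'" `
        -Properties member

    foreach ($group in $usgs) {
        $groupDomain = Get-DomainFromDN $group.DistinguishedName

        # Distinct domains that the group's members live in.
        $memberDomains = @($group.member |
            ForEach-Object { Get-DomainFromDN $_ } |
            Sort-Object -Unique)

        # Any member domain that differs from the group's own domain is cross-domain.
        $otherDomains = @($memberDomains | Where-Object { $_ -ne $groupDomain })

        if ($otherDomains.Count -gt 0) {
            [pscustomobject]@{
                Group              = $group.Name
                GroupDomain        = $groupDomain
                OtherMemberDomains = $otherDomains -join ', '
                MemberCount        = @($group.member).Count
            }
        }
    }
}

# Each row is a USG to split into single-domain groups before the migration completes.
$report | Sort-Object GroupDomain, Group | Format-Table -AutoSize
```

An empty result means no USG in the forest has cross-domain members, so none would lose memberships when the migration completes.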

Related topics

Password migration from AD to Okta

Run a password migration