After you have integrated Active Directory (AD) and enabled delegated authentication, you can configure your AD password reset settings on the Security > Authentication page. Click the Edit button in the Delegated Authentication section to change your settings.
Select Users can change their Active Directory passwords in Okta to allow your users to change their AD passwords in Okta. This feature enables the following:
- When users' passwords expire, they are prompted to change them the next time they attempt to sign in to Okta.
- Users can change their passwords from the Account tab on their My Applications page.
Select Users can reset forgotten AD passwords in Okta to allow your users to reset forgotten AD passwords. This feature enables the following:
- When you create or import and activate new users, their welcome page asks for a secondary email address. After they enter an address, they receive a confirmation email asking them to verify it.
- If users forget their passwords, or their AD account is locked out after too many failed sign-in attempts, they can click the forgotten password link on their home page and enter their primary or secondary email address. They receive an account password reset email that expires in 24 hours. Completing the reset changes both the user's Okta and AD passwords. For users who click the forgotten password link because their account was locked, this changes their AD password and unlocks the account.
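After enabling self-service reset, a practitioner typically wants to confirm on the AD side that a user's reset actually cleared the lockout and rotated the password. The following PowerShell snippet is an added example, not Okta's own code or anything from the page above; it assumes the ActiveDirectory module is installed on a domain-joined admin workstation and that the caller has read access to the user object. The sAMAccountName and the expected domain name are placeholder assumptions.

```powershell
# Added example: verify, from the AD side, that a user's self-service reset
# through Okta left the account unlocked with a freshly set password.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Test-AdResetCompleted {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder: the user being checked
        [int] $MaxAgeMinutes = 60                          # how recent the password change should be
    )

    # LockedOut, PasswordExpired, PasswordLastSet and BadLogonCount are
    # extended properties; they must be requested explicitly.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties LockedOut, PasswordExpired, PasswordLastSet, BadLogonCount

    $recentlySet = $null -ne $user.PasswordLastSet -and
                   $user.PasswordLastSet -gt (Get-Date).AddMinutes(-$MaxAgeMinutes)

    # Return a small report object so the result can be inspected or logged.
    [pscustomobject]@{
        User            = $user.SamAccountName
        LockedOut       = $user.LockedOut
        PasswordExpired = $user.PasswordExpired
        PasswordLastSet = $user.PasswordLastSet
        BadLogonCount   = $user.BadLogonCount
        ResetCompleted  = (-not $user.LockedOut) -and (-not $user.PasswordExpired) -and $recentlySet
    }
}

# Example call with a placeholder account name (assumption, not from the page).
Test-AdResetCompleted -SamAccountName 'jdoe' | Format-List
```

If ResetCompleted is false but the user reports that the Okta reset email flow succeeded, check that the Okta AD agent has the rights to reset passwords and unlock accounts in the relevant OU, and that you are querying a domain controller that has already received the change. Search-ADAccount -LockedOut lists every currently locked account if you want to check more than one user at a time.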
Optionally select the Password Rules Message check box and enter a description of your password policy. The description appears when users change or reset their AD passwords. For example, the default message reads: "Minimum eight characters including one numeral and one special character." The message is informational only; the actual requirements are enforced by your AD domain password policy, so keep the text in step with that policy.