Okta password change notification to downstream apps?
Is it possible to send out "password changed" notification (i.e. user changes their own Okta password) from Okta to integrated downstream apps? ex. Office 365. Such a notification will enable the downstream app (ex. Azure) to invalidate the user's session or any active tokens the user may have.
With regards to password changes, Okta provides a Password Sync option for many apps that allow user provisioning. This includes the O365 application. As such, if you are not using Federation as your authentication method for Office 365, you can enable the Password Sync component in the provisioning tab.
More information on the Password Sync can be found in our documentation here: https://support.okta.com/help/Documentation/Knowledge_Article/Password-Synchronization-Overview#OktaToApplicationSyncOktaPassword
However, it is important to understand that Office 365 will not immediately revoke all sessions based on the user's password changing; this will be based on the refresh token lifetime, so when the refresh token is used to revalidate the user's session they will be prompted to re-authenticate. More information on this can be found here: https://support.office.com/en-us/article/session-timeouts-for-office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40
If you are looking for another mechanism to forcefully terminate the sessions in O365 when users reset their password, you can look at the Okta and O365 PowerShell modules and utilise custom code to identify the user changing their password via a custom login page for Okta. When the password reset is successful you can either update the O365 user password via the sync option above or via PowerShell, and also, with PowerShell, terminate all Azure app sessions. The blog post below provides the PowerShell command at the end of the post.
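The following PowerShell script is an added example of the "custom code" approach described in the answer above; it is not from the Okta answer or from the referenced blog post. Instead of a custom login page, it polls the Okta System Log for password-change events and then revokes the matching users' Azure AD refresh tokens. It assumes an Okta API token with System Log read access in `$env:OKTA_API_TOKEN`, the AzureAD PowerShell module with an admin session already opened via `Connect-AzureAD`, the org URL `https://example.okta.com` as a placeholder, and that the Okta login equals the Azure AD UserPrincipalName (all of these are assumptions for the example).

```powershell
# Added example, not part of the original answer.
# Polls the Okta System Log for password changes/resets and revokes the
# affected users' Azure AD refresh tokens so their sessions cannot renew.
param(
    [string]$OktaOrg = "https://example.okta.com",   # assumed placeholder org URL
    [int]$LookbackMinutes = 15                        # how far back to look per run
)

$token = $env:OKTA_API_TOKEN
if (-not $token) { throw "Set OKTA_API_TOKEN to an Okta API token with System Log read access" }

# Okta expects ISO-8601 UTC timestamps for the 'since' parameter.
$since  = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Catch both self-service password changes and admin-initiated resets.
$filter = 'eventType eq "user.account.update_password" or eventType eq "user.account.reset_password"'
$uri    = "$OktaOrg/api/v1/logs?since=$since&filter=$([uri]::EscapeDataString($filter))&limit=200"
$headers = @{ Authorization = "SSWS $token"; Accept = "application/json" }

# Collect all matching events, following Okta's Link: <...>; rel="next" pagination.
$events = @()
while ($uri) {
    $resp = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
    $page = @(ConvertFrom-Json $resp.Content)
    # With only 'since' set, the log endpoint keeps returning a "next" cursor
    # even when no further events exist, so stop on an empty page.
    if ($page.Count -eq 0) { break }
    $events += $page
    $uri = $null
    foreach ($link in ($resp.Headers["Link"] -split ",")) {
        if ($link -match '<([^>]+)>;\s*rel="next"') { $uri = $Matches[1] }
    }
}

# Resolve the affected login: the User target for resets, the actor for self-service changes.
# Assumption: Okta login (alternateId) is the same value as the Azure AD UserPrincipalName.
$logins = $events | ForEach-Object {
    $u = $_.target | Where-Object { $_.type -eq "User" } | Select-Object -First 1
    if ($u) { $u.alternateId } else { $_.actor.alternateId }
} | Where-Object { $_ } | Sort-Object -Unique

foreach ($upn in $logins) {
    try {
        $aadUser = Get-AzureADUser -ObjectId $upn
        # Invalidates every refresh token and browser session cookie for the user.
        # Access tokens already issued remain valid until they expire on their own.
        Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId
        Write-Host "Revoked Azure AD refresh tokens for $upn (Okta password change detected)"
    } catch {
        Write-Warning "Could not revoke tokens for ${upn}: $_"
    }
}
```

Run this on a schedule (for instance every few minutes with a lookback slightly longer than the interval) so a password change is followed by revocation shortly afterwards. Note the caveat already raised in the answer: revoking refresh tokens does not kill sessions instantly. Clients keep working until their current access token expires, and only the next refresh attempt fails and forces re-authentication, so the effective window is the access token lifetime, not zero.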