Okta service doesn't handle expired passwords that well, i.e. it just fails the logon and the user is not given the option to change the password
It appears that the Okta service doesn't handle expired passwords that well, i.e. it just fails the logon and the user is not given the option to change the password. This is the same whether you use the VPN MFA profile or the Okta website; if you select one of the non-MFA profiles, the VPN client asks you to change the password.
That is not what I see. I'm able to attempt a login with a username and (expired) password. Okta will then forward the user to a page where the old password needs to be re-typed along with a new AD password that meets the AD password policy, and then the same new password is re-typed. The user will then get logged in, and the AD password gets updated as expected via the Okta AD agent.
Make sure the new password you are providing meets the AD password policy; otherwise you might get failures that look like Okta is not performing correctly.
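As an added example, not code from the thread, from Okta, or from the Okta AD agent: when a password change through the Okta flow fails, the quickest way to rule out the AD side is to check the account's expiry state and test the candidate password against the policy that actually applies to that user (a fine-grained policy wins over the default domain policy). The script below does that with the RSAT ActiveDirectory module. It assumes rights to read the user object and the PSO, the account name `jdoe` and the candidate password are hypothetical, and the complexity check is a simplified re-implementation of the default AD complexity rule (it cannot check password-history reuse, which only the domain controller knows).

```powershell
# Added example: check the AD side of a failed Okta password change.
# Assumes the RSAT ActiveDirectory module and read access to the user and its PSO.
Import-Module ActiveDirectory

function Test-PasswordAgainstAdPolicy {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CandidatePassword
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordExpired, PasswordLastSet, DisplayName, LockedOut

    # A fine-grained password policy (PSO) overrides the default domain policy when one applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $problems = @()

    if ($user.LockedOut) { $problems += 'account is locked out' }

    if ($CandidatePassword.Length -lt $policy.MinPasswordLength) {
        $problems += "shorter than MinPasswordLength ($($policy.MinPasswordLength))"
    }

    if ($policy.ComplexityEnabled) {
        # Simplified default AD complexity rule: at least 3 of the common character classes.
        # (-cmatch is case-sensitive; -match is not.)
        $classes = 0
        if ($CandidatePassword -cmatch '[A-Z]')        { $classes++ }
        if ($CandidatePassword -cmatch '[a-z]')        { $classes++ }
        if ($CandidatePassword -match  '[0-9]')        { $classes++ }
        if ($CandidatePassword -match  '[^A-Za-z0-9]') { $classes++ }
        if ($classes -lt 3) { $problems += 'fails complexity: needs 3 of 4 character classes' }

        # The password must not contain the sAMAccountName or any display-name token of 3+ chars.
        if ($CandidatePassword -match [regex]::Escape($user.SamAccountName)) {
            $problems += 'contains the account name'
        }
        $tokens = ($user.DisplayName -split '[ ,.\-_#\t]') | Where-Object { $_.Length -ge 3 }
        foreach ($token in $tokens) {
            if ($CandidatePassword -match [regex]::Escape($token)) {
                $problems += "contains display-name token '$token'"
            }
        }
    }

    # MinPasswordAge: a password changed too recently cannot be changed again by the user yet.
    # An admin reset bypasses this; a user-initiated change (which is what the Okta flow does) does not.
    if ($policy.MinPasswordAge -gt [TimeSpan]::Zero -and $user.PasswordLastSet -and
        ((Get-Date) - $user.PasswordLastSet) -lt $policy.MinPasswordAge) {
        $problems += "changed within MinPasswordAge ($($policy.MinPasswordAge))"
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PasswordExpired = $user.PasswordExpired      # also true for "must change at next logon"
        PasswordLastSet = $user.PasswordLastSet
        Policy          = if ($policy.Name) { $policy.Name } else { 'Default Domain Policy' }
        Problems        = $problems
        LikelyAccepted  = ($problems.Count -eq 0)
    }
}

# Usage with a hypothetical account and candidate password:
Test-PasswordAgainstAdPolicy -SamAccountName 'jdoe' -CandidatePassword 'ExampleCandidate-2024!'
```

If `LikelyAccepted` is false, the failure is on the AD side and the Okta change page is simply reporting the domain controller's rejection; if it is true and the change still fails, check the Okta AD agent logs next, since a rejected history reuse or an agent that cannot reach a writable domain controller will look the same to the user.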