Okta Mobile PIN expiration sync with AD Password Policies Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Chris HocheChris Hoche 

Okta Mobile PIN expiration sync with AD Password Policies

What are my options with the following configuration,

We are in the middle of an Office 365 migration, so we are in Hybrid mode.
We have 30% of our users that dont ever access corpoarte email nor log into a domain joined machine... they simply use the Okta App on their mobile devices to log in and out of time sheets (Workday for example).

What is the recommended practice, users can still use their Okta Mobile App to log into their applications, and as long as they arent AD integrated for authentication, like Workday, they are never asked to change their AD passwords or aware that they are locked out of the domain controllers.

Playing the devils advocate, say a employee were terminated, and HR forgot to disable access to certain apps, the Okta Mobile App PIN would continue to work allowing them access to certain apps though they have been disabled in AD.

So the question is how/can Okta be synced with AD so that employees could no longer log in with their Mobile PIN if their AD account was expired, locked, disabled or required a password change at next logon etc.?

Or do I simply have to not use the Okta PIN (passcode) option for my environment of 10k+ users?

It seems like a little bit of a security hole honestly.

Best Answer chosen by Niki (Okta, Inc.) 
AdrianAdrian (Okta, Inc.) 
After a user has been disabled in AD, the best practice to use here would be to have Real Time Sync enabled, so that the user will be automatically disabled in Okta, which removes his access to Okta Mobile.

- Adrian