Okta Mobile PIN expiration sync with AD Password Policies
What are my options with the following configuration,
We are in the middle of an Office 365 migration, so we are in Hybrid mode. We have 30% of our users that dont ever access corpoarte email nor log into a domain joined machine... they simply use the Okta App on their mobile devices to log in and out of time sheets (Workday for example).
What is the recommended practice, users can still use their Okta Mobile App to log into their applications, and as long as they arent AD integrated for authentication, like Workday, they are never asked to change their AD passwords or aware that they are locked out of the domain controllers.
Playing the devils advocate, say a employee were terminated, and HR forgot to disable access to certain apps, the Okta Mobile App PIN would continue to work allowing them access to certain apps though they have been disabled in AD.
So the question is how/can Okta be synced with AD so that employees could no longer log in with their Mobile PIN if their AD account was expired, locked, disabled or required a password change at next logon etc.?
Or do I simply have to not use the Okta PIN (passcode) option for my environment of 10k+ users?
It seems like a little bit of a security hole honestly.
After a user has been disabled in AD, the best practice to use here would be to have Real Time Sync enabled, so that the user will be automatically disabled in Okta, which removes his access to Okta Mobile.