When administrators provision new Okta users to Active Directory (AD) with Delegated Authentication enabled, Okta sets a randomly generated password on the user's AD account and removes the user's existing Okta password. Okta emails the AD password to the activation email recipient designated in the AD integration, and the user must change the password upon signing in. Configuring the activation email recipient correctly is what ensures the temporary credentials are delivered.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Provisioning to Active Directory
- Password
- Login
- Delegated Authentication
How does the first-time Okta login flow work for users provisioned to Active Directory?
The following steps outline the configuration and login process for users provisioned to Active Directory with Delegated Authentication.
- Navigate to the Directory integration and go to Provisioning > Provisioning to App > Create Users.
- Enter a valid email address in the Activation email recipient field to receive the temporary passwords.
- Assign the user to the Directory instance. Okta creates the Active Directory object, selects the User must change password at next logon option, and sends an email containing this temporary password to the designated address.
- Provide the temporary password to the user.
- Instruct the user to sign in using the temporary password. Okta prompts the user to change the password if the administrator has configured the self-service password reset feature.
- Resolve any errors that occur after the password reset attempt by reviewing the related references below.
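To confirm on the AD side that a provisioned account really carries the "User must change password at next logon" setting from step 3, and that no other AD flag cancels it, the following PowerShell check can be run before handing out the temporary password. This is an added example, not script from the Okta article; it assumes the ActiveDirectory RSAT module, read access to the user objects, and a hypothetical account name 'jdoe'.

```powershell
# Added verification script (not from the Okta article). Checks that accounts
# Okta provisioned to AD have the must-change-at-next-logon flag set and that
# nothing else on the object prevents the forced password change.
Import-Module ActiveDirectory

function Test-OktaProvisionedUser {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName
    )
    $props = 'pwdLastSet', 'PasswordNeverExpires', 'CannotChangePassword', 'Enabled', 'whenCreated'
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties $props
        $issues = @()
        # AD stores "User must change password at next logon" as pwdLastSet = 0.
        if ($u.pwdLastSet -ne 0) { $issues += 'must-change flag not set' }
        # Either of these settings stops the forced change from taking effect.
        if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires overrides must-change' }
        if ($u.CannotChangePassword) { $issues += 'CannotChangePassword blocks the reset' }
        if (-not $u.Enabled) { $issues += 'account disabled' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Created        = $u.whenCreated
            MustChange     = ($u.pwdLastSet -eq 0)
            Status         = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }
        }
    }
}

# Hypothetical account provisioned by Okta; any Status other than OK needs
# attention before the user attempts the first sign-in.
Test-OktaProvisionedUser -SamAccountName 'jdoe' | Format-Table -AutoSize
```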
