How to Disable Okta Delegated Authentication for Active Directory
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article explains how to disable Delegated Authentication for an Active Directory (AD) instance in Okta.

Applies To
  • Directories
  • Active Directory (AD)
  • Delegated Authentication
  • User Management
Solution

When Delegated Authentication is enabled on a directory, Okta does not store passwords for users assigned to that directory. All password-based authentication attempts are delegated to a Domain Controller, and the authentication result is passed back to Okta. When Delegated Authentication is disabled, the assigned Okta users will not have a password unless the Create Okta Password option is selected. 

To disable Delegated Authentication for an Active Directory integration, follow the video or the steps below:

 

  1. Navigate to Directory > Directory Integrations.
  2. Select the AD domain in which the Delegated Authentication option should be disabled.
  3. Click Provisioning > Integration.
  4. Scroll to the header Delegated Authentication and uncheck the box next to Enable Delegated Authentication to Active Directory.
  5. Click Save, and run a full import.

When disabling Delegated Authentication, two options are presented:

  1. Create an Okta password (recommended).
    • Choosing this option will send a Password Reset e-mail to all users who previously used Delegated Authentication. Users will need to go through the Password Reset flow to create an Okta Password and log in to Okta.
  2. Do not create an Okta password.
    • Choosing this option will NOT send the Password Reset e-mail, and users will not be able to log into Okta until they set an Okta Password.
    • If this option is chosen, an Okta Password can be created in the following ways:
      • Create a Temporary Password from the Admin UI (on the user's profile, go to Reset Password > Temporary Password).
      • Set a password for the user via API using:
          POST {{url}}/api/v1/users/{{userId}}
        with the following body:
          {
            "credentials": {
              "password": { "value": "Pas$w0Rd123!" }
            }
          }
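The API call above as a scripted request that sets a random per-user password instead of a shared literal. This is an added example, not Okta's own code: the function names and symbol set are hypothetical, and the `SSWS` API-token header is an assumption about how the request is authenticated, since the article does not show headers.

```python
import json
import secrets
import string
import urllib.parse
import urllib.request

SYMBOLS = "!#%*+-_"  # assumption: accepted by the org's password policy
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=20):
    """Random password containing a lower, upper, digit and symbol character."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def build_set_password_request(org_url, user_id, api_token, password):
    """Build, without sending, the POST /api/v1/users/{userId} request."""
    if not org_url.startswith("https://"):
        raise ValueError("org URL must be https: the body carries a password")
    # json.dumps escapes the value, so characters such as $ or ! in a
    # password are sent literally rather than interpreted by a shell.
    body = json.dumps({"credentials": {"password": {"value": password}}})
    safe_id = urllib.parse.quote(user_id, safe="")  # keep the ID one path segment
    return urllib.request.Request(
        url=f"{org_url.rstrip('/')}/api/v1/users/{safe_id}",
        data=body.encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",  # assumption: API-token auth
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def set_password(org_url, user_id, api_token):
    """Send the request; urlopen raises HTTPError on a non-2xx response."""
    password = generate_password()
    req = build_set_password_request(org_url, user_id, api_token, password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()
    return password  # hand to the user out of band; do not log it
```

Read the API token from a secret store or environment variable rather than embedding it in the script, and scope it to an admin role that can manage only the affected users.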

NOTE: Organizations can now seamlessly migrate user credentials from Active Directory to Okta, eliminating the need for disruptive, site-wide password resets using the new password migration feature. This streamlined workflow provides the most efficient path for transitioning password authority to Okta, allowing administrators to manage the entire end-to-end migration directly within the Okta Admin Console. To run a password migration campaign, please follow the Run a password migration documentation.
