Mass Expire Okta User Passwords
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The Expire Passwords feature in Okta allows passwords to expire for all Okta-sourced users. This feature prompts users to change their passwords the next time they sign in. This functionality requires Super admin or Org admin permissions.

Applies To
  • Universal Directory
  • Expire Password
Solution

Prior to expiring all user passwords, it is recommended to consider the following:

  • Active sessions will remain active, and the user will be prompted to create a new password at their next sign-in.
  • The App Password Health Report, accessible through the Reports page, can be used to monitor password reset activity.
  • API tokens are not affected by bulk password expiration and are valid for 30 days with automatic renewal upon each request to Okta. Refer to the API token management documentation for additional information on API token expiration and revocation.
  • Password expiration for Okta-managed users is automatic, with the exception of those managed through Active Directory Password Reset or LDAP Password Reset, which require the corresponding feature to be enabled. Active Directory and LDAP agents will continue to function even if the Okta-managed service account password has expired.
  • If responding to a security vulnerability, ensure that all associated applications are properly patched and no longer susceptible to attack before resetting the Okta password.
  • When a user's Okta password is changed, any applications assigned to the user that support Provisioning and Sync Password will be updated with the new password.

 

NOTE:

  • Currently, there is no way to stop or revert the Expire Passwords for all users action once it has been initiated and confirmed by a Super Admin or Org Admin.
  • Once the process is started, all Okta-sourced users will be required to change their password at their next sign-in, but their current passwords remain valid until they do so.
  • To review when the action was executed, use the following system log filter: eventType eq "user.lifecycle.password_expiry".
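The system log filter above can also be run against the Okta System Log API to confirm who triggered a mass expiry and when. This is an added example, not Okta's own code; it assumes the `/api/v1/logs` endpoint with an SSWS API token, and the org URL, admin addresses, sample events, and the `review` / `expected_admins` names are placeholders constructed for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

EVENT_FILTER = 'eventType eq "user.lifecycle.password_expiry"'  # filter from the page

def build_logs_url(org_url, since_iso):
    """System Log query URL for the filter, bounded by an ISO 8601 start time."""
    query = urllib.parse.urlencode(
        {"filter": EVENT_FILTER, "since": since_iso, "limit": 100},
        quote_via=urllib.parse.quote)
    return f"{org_url.rstrip('/')}/api/v1/logs?{query}"

def fetch_events(url, api_token):
    """Yield log events, following the rel="next" Link header between pages."""
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
            links = ", ".join(resp.headers.get_all("Link") or [])
        yield from page
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', links)
        url = nxt.group(1) if page and nxt else None  # stop on an empty page

def review(events, expected_admins):
    """One row per expiry event; flag actors outside the approved admin list."""
    rows = []
    for ev in events:
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        rows.append({
            "when": ev.get("published"),
            "actor": actor,
            "result": (ev.get("outcome") or {}).get("result"),
            "unexpected": actor.lower() not in expected_admins,
        })
    return sorted(rows, key=lambda r: r["when"] or "")

# Constructed sample events (not real log data), trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventType": "user.lifecycle.password_expiry", "published": "2024-05-02T09:15:00.000Z",
     "actor": {"alternateId": "helpdesk@example.com"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.lifecycle.password_expiry", "published": "2024-05-01T18:30:00.000Z",
     "actor": {"alternateId": "secops-admin@example.com"}, "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    print(build_logs_url("https://example.okta.com", "2024-05-01T00:00:00Z"))
    for row in review(SAMPLE_EVENTS, {"secops-admin@example.com"}):
        print(row)
```

Because the action cannot be stopped or reverted, a row with `unexpected` set to true is worth following up with the admin concerned.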

 

To access the Expire Passwords feature in the Admin Console:

  1. Navigate to Directory > People.
  2. Click More Actions > Expire Passwords.
  3. Confirm the action by selecting Expire Passwords in the dialog box.

 
