Okta Expire User Passwords
Okta Classic Engine
Okta Identity Engine
Administration
Overview

This article presents the expected behavior of the Expire Passwords feature.

Applies To
  • Expire Passwords 
  • Features
Solution

The Expire Passwords feature allows Admins to expire the passwords of all Okta-sourced users. Every Okta-sourced user will be forced to change their password the next time they sign in. Password expiry within Okta does not prevent the user's current password from being used.

 

NOTE: If the goal is to stop a bad actor from using a stolen password, an Admin should use the "Send a password reset password email" or "Create a temporary password" option.

  • "Send a password reset password email" prevents the user from using the previously configured password until they check the email for a Reset Password link.
  • "Create a temporary password" generates a password that the Admin can see and share with the user. Users are then required to set a new password after using the temporary password.

 

To reset a user's password:

  1. In the Admin Console, go to Directory > People.
  2. Find and select the user whose password should be reset.
  3. Click Reset or Remove password.
  4. Choose the desired Reset password option:
    • Send a password reset password email: Choose this option to send an email with a password reset link to the user's primary and secondary email addresses. Their password is immediately reset. The link expires in one hour.
    • Create a temporary password: Choose this option to set a temporary password for the user. The user's account is marked as expired, and the user must change their password upon signing in.
  5. Optional. Select Sign out user to sign the user out of all devices and browsers.
  6. Click Reset password.

Reset Password for User

Admin-initiated password reset flows require the user to enter the temporary password that was set or click the link provided in the email without providing additional factors. Okta recommends securing all the apps with MFA.
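
The reset procedure above, expressed as Okta Users API calls for responders who need to handle several accounts at once. This is an added example, not part of the original article and not Okta's code; the mapping of each Admin Console option to an API operation, the org URL, the user IDs and the API token are assumptions.

```python
# Added example, not Okta's code. Assumes the Okta Users API lifecycle endpoints
# and SSWS API-token auth; org URL, user IDs and token are placeholders.
import json
import urllib.request
from urllib.parse import quote

# Admin Console option -> Users API operation (this mapping is an assumption).
OPERATIONS = {
    "email": "lifecycle/reset_password?sendEmail=true",     # reset link by email
    "temp": "lifecycle/expire_password?tempPassword=true",  # temp password returned
}

def reset_plan(org_url, user_ids, option="email", sign_out=True):
    """Build the ordered (method, url) calls for an admin-initiated reset."""
    if option == "expire":
        # Per the article, expiry alone leaves the current password usable.
        raise ValueError("expiry does not stop use of a stolen password")
    if option not in OPERATIONS:
        raise ValueError(f"unknown reset option: {option!r}")
    plan = []
    for uid in user_ids:
        base = f"{org_url.rstrip('/')}/api/v1/users/{quote(uid, safe='')}"
        plan.append(("POST", f"{base}/{OPERATIONS[option]}"))
        if sign_out:
            # Assumed equivalent of "Sign out user": clear the user's sessions.
            plan.append(("DELETE", f"{base}/sessions"))
    return plan

def execute(plan, api_token, opener=urllib.request.urlopen):
    """Send each call; return (method, url, status, parsed JSON or None)."""
    headers = {"Authorization": f"SSWS {api_token}",
               "Accept": "application/json", "Content-Type": "application/json"}
    results = []
    for method, url in plan:
        data = b"" if method == "POST" else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with opener(req) as resp:
            body = resp.read()
            results.append((method, url, resp.status,
                            json.loads(body) if body else None))
    return results

if __name__ == "__main__":
    # Constructed sample input; prints the plan without contacting any org.
    for call in reset_plan("https://example.okta.com", ["00u1constructedID"], "temp"):
        print(*call)
```

With the `temp` option the response body carries the temporary password, so handle the returned results as a secret.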
