Provisioning Users from Okta to an Application Fails Because of Password Complexity
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

Provisioning a new user from Okta to Active Directory (AD) or to another application configured with provisioning (for example, ORG2ORG, Office 365, G Suite) can fail because the password policies are not met. Alternatively, the user is created in AD but disabled. Both can happen even though Sync Password is not enabled for the integration.

Applies To
  • Active Directory
  • Provisioning
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause
When provisioning a user to Active Directory, Okta also sends a hash of a password based on the Default Okta Password Policy even though Sync Password is not enabled for the AD Integration.
Solution
Make sure that the Okta Password Policy is at least as complex as the Password Policy on the AD or application side, so that the password hash sent by Okta to AD or the application matches that Password Policy.
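
One way to check this before provisioning, as an added example that is not Okta's code: the script compares the `complexity` settings of an Okta password policy (field names as in the Okta Policy API) with the `MinPasswordLength` and `ComplexityEnabled` values reported by `Get-ADDefaultDomainPasswordPolicy`. Both policy objects are constructed samples, and `policy_gaps` is a hypothetical helper name.

```python
# Constructed sample data, not an export from a real Okta org or AD domain.
OKTA_POLICY = {  # shape of an Okta Policy API object of type PASSWORD
    "name": "Default Policy",
    "settings": {"password": {"complexity": {
        "minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
        "minNumber": 0, "minSymbol": 0, "excludeUsername": False,
    }}},
}
# Values as reported by Get-ADDefaultDomainPasswordPolicy (constructed).
AD_POLICY = {"MinPasswordLength": 12, "ComplexityEnabled": True}

# Okta settings that each force one character category into the password.
CATEGORY_KEYS = ("minLowerCase", "minUpperCase", "minNumber", "minSymbol")


def policy_gaps(okta_policy, ad_policy):
    """Return the reasons the Okta policy is weaker than the AD policy."""
    c = okta_policy["settings"]["password"]["complexity"]
    gaps = []

    okta_len = c.get("minLength", 0)
    if okta_len < ad_policy["MinPasswordLength"]:
        gaps.append(f"minLength {okta_len} is below AD MinPasswordLength "
                    f"{ad_policy['MinPasswordLength']}")

    if ad_policy.get("ComplexityEnabled"):
        # AD complexity needs characters from at least 3 categories; count
        # how many of the categories Okta can require are actually required.
        enforced = [k for k in CATEGORY_KEYS if c.get(k, 0) >= 1]
        if len(enforced) < 3:
            gaps.append(f"only {len(enforced)} character categories required; "
                        "AD complexity needs 3")
        # AD complexity also rejects passwords containing the account name.
        if not c.get("excludeUsername", False):
            gaps.append("excludeUsername is off; AD rejects passwords "
                        "containing the account name")
    return gaps


if __name__ == "__main__":
    for gap in policy_gaps(OKTA_POLICY, AD_POLICY):
        print(f"{OKTA_POLICY['name']}: {gap}")
```

An empty list means the Okta policy is at least as strict as the AD settings that were compared.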