In some scenarios, a user might initiate a self-service password reset that fails with the following error in the System Logs:
FAILURE: Invalid user state
Okta-managed users might also receive a Forgot Password Denied email when attempting to perform a self-service password reset. The System Logs will show an Invalid user state error message for the user that performs the Forgotten Password flow, as seen in the screenshot below:
- Self-Service Password Reset
- System Log
- Password Policy
- Authentication Policy
- Network Zones
- Okta Classic Engine
- The Okta-managed user was created without a Recovery Security Question.
- A Network Zone is not configured correctly.
  - Specifically, the user's IP address did not match the current IP ranges allowed by the Network Zone applied to them.
- Use the following API call to set a recovery security question for the user, or disable the Security Question option in the Account Recovery settings of the Password Policy that applies to the user.
PUT {{url}}/api/v1/users/{{userId}}
- Adjust the Authentication Policy to allow access from "Anywhere" or update the Network Zone to include the end user's IP.
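To decide which of the two causes applies to a given failure, the check below compares one System Log event against the user's record and the allowed zone ranges. It is an added example, not Okta's code: the field names (`outcome.result`, `outcome.reason`, `client.ipAddress`, `credentials.recovery_question`, zone `gateways` with `CIDR`/`RANGE` entries) are assumed to follow the exported System Log, user and Network Zone objects, and all sample data is constructed.

```python
import ipaddress

def ip_in_zone(ip, gateways):
    """True if ip falls inside any CIDR or RANGE gateway entry of a zone."""
    addr = ipaddress.ip_address(ip)
    for gw in gateways:
        if gw["type"] == "CIDR":
            if addr in ipaddress.ip_network(gw["value"], strict=False):
                return True
        elif gw["type"] == "RANGE":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in gw["value"].split("-"))
            # Only compare addresses of the same IP version
            if lo.version == addr.version and lo <= addr <= hi:
                return True
    return False

def triage(event, user, allowed_gateways):
    """Return the causes from this article that fit one System Log event."""
    outcome = event.get("outcome", {})
    if outcome.get("result") != "FAILURE" or outcome.get("reason") != "Invalid user state":
        return []  # not the error this article covers
    causes = []
    question = user.get("credentials", {}).get("recovery_question", {}).get("question")
    if not question:
        causes.append("no recovery security question")
    if not ip_in_zone(event["client"]["ipAddress"], allowed_gateways):
        causes.append("client IP outside allowed Network Zone")
    return causes

# Constructed sample data (documentation IP ranges, fictitious user)
EVENT = {
    "actor": {"alternateId": "jane.doe@example.com"},
    "client": {"ipAddress": "192.0.2.44"},
    "outcome": {"result": "FAILURE", "reason": "Invalid user state"},
}
USER_WITHOUT_QUESTION = {"credentials": {"provider": {"type": "OKTA"}}}
USER_WITH_QUESTION = {"credentials": {"recovery_question": {"question": "First pet?"}}}
ZONE_GATEWAYS = [
    {"type": "CIDR", "value": "203.0.113.0/24"},
    {"type": "RANGE", "value": "198.51.100.10-198.51.100.20"},
]

if __name__ == "__main__":
    print(EVENT["actor"]["alternateId"], triage(EVENT, USER_WITHOUT_QUESTION, ZONE_GATEWAYS))
```

An empty result for an event that does carry the error means neither cause fits the data supplied, so confirm which Password Policy and Network Zone actually apply to the user.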
