"Your Password is Expiring Soon" Prompt Not Displaying Correctly
Okta Classic Engine
Directories
Okta Identity Engine
Overview
The Active Directory (AD) password policy is configured to prompt users before their password expires, and users authenticating to Okta via Delegated Authentication should receive the message:
 
Your password is expiring soon.
 
Instead, no prompt is received, or an error incorrectly reports:
 
Your password has expired.
 
Applies To
  • Active Directory Sourced Users
  • Delegated Authentication
  • Security - Password Policies
  • Just In Time Provisioning (JIT)
Cause

Just-in-time provisioning (JIT), or Real-Time Sync, is required to notify users of expiring AD passwords, but it is not enabled for the AD instance in Okta. For more information about JIT, please see the Configuring Real Time Sync - Okta Active Directory Integration documentation.

Solution
  1. Confirm that Prompt user <number> days before password expires is selected in the relevant AD password policy by clicking Security > Authenticators and then clicking Actions > Edit next to the Password authenticator and reviewing the Active Directory Policy.

Active Directory Password Policy - Prompt user before password expires

  2. To enable JIT, navigate to Directory > Directory Integrations and click the relevant AD instance. Click Provisioning > To Okta and select Create and update users on login.

Provisioning

  3. Validate that the expiring password prompt is now displayed correctly.

User expiring password prompt
