When a user performs an Active Directory (AD) password change in Okta, the Okta AD Agent performs the change on the user's behalf. If the new password fails to meet the password policy configured within AD (minimum length, history, complexity, or minimum password age), AD rejects the password change. To resolve this issue, administrators must verify which AD password policy applies to the user using PowerShell and ensure the new password satisfies all of its criteria, including the minimum password age.
The user receives the following error message:
Password requirements were not met.
The AD Agent logs record the following error:
2025/11/21 14:57:46.905-06:00 Error -- SERVER(3) -- Exception during Directory Invoke Action
2025/11/21 14:57:46.905-06:00 Info -- SERVER at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
at Okta.DirectoryServices.ActiveDirectoryAdapter.DirectoryInvoke(String targetDN, String method, List`1 parameters, Boolean useLegacyPolicyHintsControl)
System.Reflection.TargetInvocationException received with message Exception has been thrown by the target of an invocation. Source=System.DirectoryServices InnerException=System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5).
Caused by System.Runtime.InteropServices.COMException received with message The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5) Source= InnerException=.
A System Log event indicates that the password change attempt failed:
Applies To:
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Delegated Authentication
Active Directory evaluates the password policies defined within the domain and assigned to the user during a password change attempt. Administrators must confirm which password policy applies to the user, as fine-grained password policies may apply and impose different requirements. If the new password fails to meet any requirements of the assigned policy, Active Directory rejects the password change. The error message from Active Directory does not indicate which requirement has not been met. Configured requirements often include the following:
- Password history - The number of unique passwords a user must create before reusing a previous password.
- Minimum password age - The minimum time a password must remain in effect before the user can set a new one.
- Minimum password length - The minimum number of characters a password must contain.
- Password complexity requirements - When enabled, the password must not contain the user's sAMAccountName or any part of the display name that is three or more characters long, and it must contain characters from at least three of the following five categories:
- Uppercase letters
- Lowercase letters
- Numbers (0 through 9)
- Special (non-alphanumeric) characters
- Other Unicode letters that are neither uppercase nor lowercase (for example, characters from Asian scripts)
How is the Active Directory password policy verified?
This error indicates that Active Directory rejected the password change because the new password failed to meet the requirements of the applicable password policy within the domain. This is not an Okta error, and Okta cannot determine which requirements fail because the error details from Active Directory do not contain that information. As detailed in Password Updates in Active Directory when the Password does not Meet Okta Requirements, Okta does not evaluate all elements of the password policy during a password change for a Delegated Authentication user. Instead, Okta passes the request to a domain controller for evaluation within the local AD environment.
When this error occurs, an administrator may still be able to initiate a password reset for the user either from Okta or directly within Active Directory, as administrative password resets bypass certain password policy requirements. For example, an administrator can reset a password even if the minimum password age of the current password remains unmet.
Administrators can determine the password policy and password requirements applied to the user via PowerShell.
To determine if a fine-grained password policy applies to the user, run the following PowerShell command:
Get-ADUserResultantPasswordPolicy -Identity <user>
If a fine-grained password policy applies to that user, the command returns the policy details. Otherwise, the command completes with no result.
The following example displays a user with no fine-grained password policy assigned.
The following example displays a user with a fine-grained password policy assigned.
This command retrieves the policy details from the msDS-ResultantPSO attribute on the AD account of the user, which administrators can also verify in the account details, as shown in the following image:
If no fine-grained password policy applies to the user, the default domain password policy applies. Retrieve the details of the default domain password policy by running the following PowerShell command:
Get-ADDefaultDomainPasswordPolicy
The following output displays the default domain password policy details retrieved with this command:
After determining the applicable password policy, administrators must confirm that the new password meets the policy requirements. Inform the user of the password length, history, and complexity requirements to ensure the new password satisfies those criteria.
A common and difficult-to-diagnose cause of this error occurs when the minimum password age requirement remains unmet, as the user has no visibility into this value. When Active Directory records a password, whether during initial account creation, by a user password change, or by an administrative password reset, Active Directory saves the timestamp of that event to the pwdLastSet attribute of the user's AD account. The value is stored as a Windows FILETIME (100-nanosecond intervals since January 1, 1601 UTC), which is why it appears as a large integer in raw attribute views. If the administrator selects User must change password at next logon, pwdLastSet is set to 0 instead, and the minimum password age does not block the next change. Otherwise, the minimum password age specified in the applicable password policy must elapse after the pwdLastSet value before the user can set a new password.
For example, the following image confirms that the user lacks a fine-grained password policy, indicating that the default domain password policy will apply.
The following image shows the details of the default domain password policy that applies to the user.
NOTE: The minimum password age configured in the policy is one day (MinPasswordAge: 1.00:00:00), or 24 hours.
Administrators can view the pwdLastSet attribute on the AD account of the user to confirm that the minimum password age remains unmet, as 24 hours have not elapsed since the password was last set. An attempt to change the password at this point results in the error indicated in this article.
Administrators can also verify the pwdLastSet attribute value via AD tools as shown in the following image.
The user must wait for the minimum password age requirement to pass before setting a new password value.
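The following script is an added example, not part of the original article or of Okta's tooling. It carries out the procedure above in one pass: it resolves the policy AD will actually apply (fine-grained first, default domain policy otherwise), converts pwdLastSet to a date and reports when the minimum password age will be satisfied, and optionally pre-checks a candidate password against the length and complexity rules. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the user's msDS-ResultantPSO and pwdLastSet attributes; $SamAccountName and $CandidatePassword are placeholders, and Test-ADPasswordComplexity is a local approximation of the documented complexity rules, not AD's own check.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module.
# Usage: .\Check-ADPasswordChange.ps1 -SamAccountName jdoe
#        .\Check-ADPasswordChange.ps1 -SamAccountName jdoe -CandidatePassword (Read-Host -AsSecureString 'New password')
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder identity
    [securestring] $CandidatePassword                  # optional: pre-check a proposed password locally
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, DisplayName

# 1. Resolve the policy AD will apply: a fine-grained policy (msDS-ResultantPSO) wins over the default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if ($policy) {
    Write-Host "Fine-grained password policy applies: $($policy.Name)"
} else {
    $policy = Get-ADDefaultDomainPasswordPolicy
    Write-Host "No fine-grained password policy assigned; the default domain password policy applies."
}
$policy | Select-Object MinPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled | Format-List

# 2. Minimum password age. pwdLastSet is a FILETIME; 0 means "must change at next logon".
if ($user.pwdLastSet -gt 0) {
    $lastSet          = [DateTime]::FromFileTime($user.pwdLastSet)   # converted to local time
    $minAgeSatisfied  = $lastSet + $policy.MinPasswordAge
    Write-Host ("pwdLastSet: {0}; minimum age satisfied at {1}" -f $lastSet, $minAgeSatisfied)
    if ((Get-Date) -lt $minAgeSatisfied) {
        Write-Warning ("Minimum password age not met: a user-initiated change will fail until {0}. " +
                       "An administrative reset bypasses this requirement.") -f $minAgeSatisfied
    }
} else {
    Write-Host "pwdLastSet is 0 (must change at next logon); minimum age does not block the change."
}

# 3. Local pre-check of the length and complexity rules. Password history cannot be checked
#    locally (hashes are not readable), so AD remains authoritative for the final answer.
function Test-ADPasswordComplexity {
    param([string] $Password, [string] $Sam, [string] $DisplayName)
    $reasons = @()
    $lower   = $Password.ToLowerInvariant()
    # sAMAccountName must not appear (checked only when it is at least 3 characters long).
    if ($Sam.Length -ge 3 -and $lower.Contains($Sam.ToLowerInvariant())) {
        $reasons += 'contains the sAMAccountName'
    }
    # displayName is split on , . - _ space # and tab; tokens of 3+ characters must not appear.
    foreach ($token in ($DisplayName -split '[,\.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($lower.Contains($token.ToLowerInvariant())) {
            $reasons += "contains display-name token '$token'"
        }
    }
    # At least three of the five character categories must be present (case-sensitive matches).
    $categories = 0
    if ($Password -cmatch '\p{Lu}')                 { $categories++ }   # uppercase letters
    if ($Password -cmatch '\p{Ll}')                 { $categories++ }   # lowercase letters
    if ($Password -cmatch '\d')                     { $categories++ }   # digits 0-9
    if ($Password -cmatch '[^\p{L}\p{Nd}]')         { $categories++ }   # non-alphanumeric
    if ($Password -cmatch '[\p{L}-[\p{Lu}\p{Ll}]]') { $categories++ }   # other letters (e.g. CJK)
    if ($categories -lt 3) { $reasons += "only $categories of 5 character categories present" }
    return $reasons
}

if ($CandidatePassword) {
    # Unwrap the SecureString only in memory; the plaintext never hits the command line or history.
    $plain    = [System.Net.NetworkCredential]::new('', $CandidatePassword).Password
    $problems = @()
    if ($plain.Length -lt $policy.MinPasswordLength) {
        $problems += "shorter than MinPasswordLength ($($policy.MinPasswordLength))"
    }
    if ($policy.ComplexityEnabled) {
        $problems += Test-ADPasswordComplexity -Password $plain -Sam $user.SamAccountName -DisplayName $user.DisplayName
    }
    if ($problems) {
        Write-Warning ("Candidate password would be rejected: " + ($problems -join '; '))
    } else {
        Write-Host "Candidate password passes local length and complexity checks (history not checked)."
    }
}
```

Run it as the helpdesk or AD administrator troubleshooting the Okta error; the minimum-age warning is the case the user cannot see for themselves, and the complexity pre-check lets you tell the user which of the four rules the proposed password breaks, since the 0x800708C5 error from AD does not. Because password history is not readable, a password that passes every local check can still be rejected by the domain controller, so treat a clean result as "no known blocker" rather than proof of acceptance.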
