Okta Active Directory Sourced User in One-Time Password Mode
Okta Classic Engine
Directories
Okta Identity Engine
Overview

Okta displays a password reset or one-time password status for Active Directory (AD) sourced users when an administrator initiates a password reset or following specific lifecycle changes. Resolving this state requires the user to complete the reset process, the admin to initiate a new password reset, or the admin to disconnect the account from AD and reimport it.

This behavior typically occurs when the Reset Password option is selected in the user profile, or after deactivating and reactivating an AD-sourced account.

The following message appears on the user's profile:

Password Reset. User is now in one-time password mode.

User Status (screenshot)

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD)
  • Directories
  • Delegated Authentication
  • Password Reset status
Cause

One of the following actions triggers this state:

  • An Okta admin selects Reset Password on the AD-sourced user's Okta profile.
  • Deactivating and reactivating an AD-sourced user from Okta leaves the user in this state.
Solution

How is an Okta Active Directory user removed from one-time password mode?

To return the user to an active state, complete one of the following options:

  • The user completes the password reset method selected by the Okta admin.
  • The Okta admin initiates a new password reset process.
  • The Okta admin disconnects the account from AD and reimports it. To disconnect AD users, follow the steps in Disconnecting Users From Active Directory, then run a full import to restore the user to the correct status.

When an Okta admin selects Reset Password on a user's profile, two options are available. Each option places the user in a different state:

Reset Password for User

Send a reset password email

Okta sends an email to the user's configured email address containing a reset link. This link allows the user to reset their AD password from Okta. This action places the user in a Recovery or Password Reset status. While the user remains in this state, the only way to initiate the password reset process is through the emailed link. This process does not reset the password in AD until the user accesses the emailed link and completes the reset. If the AD password is known, or if it is reset directly in AD to a known value, the user can authenticate to Okta with that password.

Create a temporary password

Okta displays a one-time-use password on screen so the admin can provide it to the user. This action sets the user's status to Password Expired in Okta. After the user signs in with this password, Okta prompts them to reset their AD password. AD admins can change the AD password afterward, and the password reset flow still functions from Okta using the new password. If the user cannot change their password using this flow, follow the steps in Unable to Log Into Okta Using Temporary Active Directory Password.

NOTE: If the Send a reset password email option was used but the user does not have access to email, selecting Create a temporary password changes the user's status and allows the user to initiate the password reset flow using the new temporary password. These changes can also be made programmatically using the Expire Password Users API, with the tempPassword option set to True. This provides the same action as Create a temporary password.
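The following is an added example, not code from the Okta article or from Okta itself. It shows the programmatic path the note above describes: a small client for the Okta Users API that calls the expire-password lifecycle operation with tempPassword=true (the API equivalent of Create a temporary password) and then reads the user's status so an operator can confirm the resulting state. The org URL, user id and API token are placeholders, and the HTTP transport is injectable so the client can be run offline against a constructed fake that mirrors the state transitions described in this article.

```python
"""Minimal Okta Users API client for the expire-password lifecycle call.

Added example; not Okta's code. Assumptions: the endpoint
POST /api/v1/users/{id}/lifecycle/expire_password?tempPassword=true and
GET /api/v1/users/{id} behave as documented by Okta; all org/user/token
values below are placeholders.
"""
import json
import urllib.request
from typing import Callable, Dict, Tuple

# Transport signature: (method, url, headers) -> (http_status, body_bytes)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport for a live org (not exercised by the offline demo)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class OktaUsersClient:
    def __init__(self, org_url: str, api_token: str, transport: Transport = urllib_transport):
        self.org_url = org_url.rstrip("/")
        self.transport = transport
        # SSWS is the header scheme for an Okta API token; never log these headers.
        self.headers = {
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }

    def expire_password_url(self, user_id: str, temp_password: bool) -> str:
        flag = "true" if temp_password else "false"
        return f"{self.org_url}/api/v1/users/{user_id}/lifecycle/expire_password?tempPassword={flag}"

    def expire_password(self, user_id: str, temp_password: bool = True) -> dict:
        """With tempPassword=true Okta returns {"tempPassword": "..."} and the
        user moves to PASSWORD_EXPIRED; with false it returns the user object."""
        status, body = self.transport("POST", self.expire_password_url(user_id, temp_password), self.headers)
        if status != 200:
            raise RuntimeError(f"expire_password failed: HTTP {status}: {body[:200]!r}")
        return json.loads(body)

    def get_status(self, user_id: str) -> str:
        status, body = self.transport("GET", f"{self.org_url}/api/v1/users/{user_id}", self.headers)
        if status != 200:
            raise RuntimeError(f"get user failed: HTTP {status}: {body[:200]!r}")
        return json.loads(body)["status"]


def describe_status(status: str) -> str:
    """Map the API status value to the state this article describes."""
    return {
        "RECOVERY": "Password reset email sent; user must follow the emailed link",
        "PASSWORD_EXPIRED": "Temporary password issued; user must sign in and reset their AD password",
        "ACTIVE": "No pending reset",
    }.get(status, f"Other state: {status}")


class FakeOkta:
    """Constructed offline stand-in for the two endpoints used above."""

    def __init__(self) -> None:
        self.status = "ACTIVE"

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if not headers.get("Authorization", "").startswith("SSWS "):
            return 401, b'{"errorSummary": "constructed: missing or invalid token"}'
        if method == "POST" and url.endswith("/lifecycle/expire_password?tempPassword=true"):
            self.status = "PASSWORD_EXPIRED"
            return 200, b'{"tempPassword": "Zz9!constructed"}'
        if method == "GET" and "/api/v1/users/" in url:
            return 200, json.dumps({"id": "00uPLACEHOLDER", "status": self.status}).encode()
        return 404, b"{}"


def demo() -> Tuple[str, str, bool]:
    """Run the temporary-password flow against the fake; returns
    (status before, status after, whether a temp password was issued)."""
    client = OktaUsersClient("https://example-org.okta.com", "PLACEHOLDER_API_TOKEN", transport=FakeOkta())
    before = client.get_status("00uPLACEHOLDER")
    result = client.expire_password("00uPLACEHOLDER", temp_password=True)
    after = client.get_status("00uPLACEHOLDER")
    return before, after, "tempPassword" in result


if __name__ == "__main__":
    before, after, issued = demo()
    print(f"{before} -> {after}: {describe_status(after)} (temp password issued: {issued})")
```

Against a live org, construct the client with a real org URL and API token and leave the default transport in place; the temporary password in the response should be handed to the user out of band and never written to logs.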
