This article explains the expected behavior when a new Okta user receives an activation email before being associated with an Active Directory integration with Delegated Authentication enabled.
- Active Directory (AD)
- Directories
- Delegated Authentication
- Activation
- First-time login
This scenario applies only to Administrators who send an activation email to End users before associating them with AD. When the End user later uses the email activation link to log in after the AD association has been made, that login does not trigger a Delegated Authentication request to check the AD object, and that request is what would otherwise prompt the user to change their password in the Okta Dashboard.
When an Okta user is associated with a delegated authentication-enabled domain, Okta does not store the user's password. If the user creates a password via the activation email they received before being associated with Active Directory, that password will not sync to Active Directory. To restore delegated authentication, the user or an Administrator must perform a password reset from either Okta or Active Directory.
NOTE: To continue using activation emails and have users prompted to change their password immediately, use Password Sync instead of Delegated Authentication. See Active Directory Password Sync and Delegated Authentication for more details.
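An administrator who wants to find users already in this state can compare the users assigned to the AD directory instance against each user's credential provider: a user who is AD-assigned but whose password is still mastered by Okta activated before the AD association, and delegated authentication is not in effect for them until the reset described above is performed. The following script is an added example, not code from the Okta article or from Okta. It assumes the user object's `credentials.provider.type` field (values such as `OKTA` and `ACTIVE_DIRECTORY`), the app-user listing for the AD app instance, and the `POST /api/v1/users/{id}/lifecycle/reset_password?sendEmail=true` lifecycle endpoint; the user records, user ids and the `https://ORG.okta.com` org URL are constructed placeholders, and the script builds the reset requests without sending them.

```python
"""Flag Okta users assigned to an Active Directory instance whose credentials
are still mastered by Okta (provider type OKTA rather than ACTIVE_DIRECTORY).

Such users set a password through the Okta activation email before the AD
association, so that password never synced to AD and delegated
authentication does not apply to them until a password reset is performed.

Assumptions (not from the Okta article): user objects carry
``credentials.provider.type``; app-user objects from the AD app instance
carry the Okta user ``id``; the remediation endpoint is
``POST /api/v1/users/{id}/lifecycle/reset_password?sendEmail=true``.
All sample records and ids below are constructed for this example.
"""
from typing import Dict, List, Set

# Constructed sample: a subset of fields from GET /api/v1/users
OKTA_USERS: List[Dict] = [
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"login": "alice@example.com"},
     "credentials": {"provider": {"type": "ACTIVE_DIRECTORY",
                                  "name": "corp.example.com"}}},
    # Activated via Okta email before the AD link: password held by Okta.
    {"id": "00u2", "status": "ACTIVE",
     "profile": {"login": "bob@example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    # Okta-mastered and never assigned to AD: nothing to fix.
    {"id": "00u3", "status": "ACTIVE",
     "profile": {"login": "carol@example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
]

# Constructed sample: user ids returned by GET /api/v1/apps/{adAppId}/users
AD_ASSIGNED_USER_IDS: Set[str] = {"00u1", "00u2"}


def find_unsynced_ad_users(users: List[Dict], ad_user_ids: Set[str]) -> List[Dict]:
    """Return users assigned to the AD instance whose password is still
    mastered by Okta, i.e. delegated authentication is not active for them."""
    flagged = []
    for user in users:
        if user["id"] not in ad_user_ids:
            continue  # not AD-linked, so the scenario does not apply
        provider = user.get("credentials", {}).get("provider", {}).get("type")
        if provider != "ACTIVE_DIRECTORY":
            flagged.append(user)
    return flagged


def reset_password_request(org_url: str, user_id: str) -> Dict:
    """Build (but do not send) the reset request that restores delegated auth.
    sendEmail=true mails the user a reset link instead of returning it."""
    return {
        "method": "POST",
        "url": f"{org_url}/api/v1/users/{user_id}/lifecycle/reset_password",
        "params": {"sendEmail": "true"},
    }


def remediation_plan(users: List[Dict], ad_user_ids: Set[str],
                     org_url: str = "https://ORG.okta.com") -> List[Dict]:
    """One reset request per affected user; org_url is a placeholder."""
    return [reset_password_request(org_url, u["id"])
            for u in find_unsynced_ad_users(users, ad_user_ids)]


if __name__ == "__main__":
    for req in remediation_plan(OKTA_USERS, AD_ASSIGNED_USER_IDS):
        print(req["method"], req["url"], req["params"])
```

Run against real data, the two constructed lists would be replaced by the paginated results of the users and AD app-user endpoints; the comparison itself is done client-side because the users filter does not select on the credential provider.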
