Bypass Password Creation for AD-Sourced Okta Users
Okta Classic Engine
Okta Identity Engine
Directories
Overview

Active Directory (AD)-sourced users receive an activation email that forces them to create an Okta password instead of using their existing AD credentials. To resolve this, administrators must enable Delegated Authentication and disable activation emails for the AD domain. This configuration allows users to authenticate with their AD credentials and proceed directly to Multi-Factor Authentication (MFA) enrollment.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD) Integrations
  • Delegated Authentication
Solution

What steps bypass the password creation prompt for Active Directory-sourced users?

 

To allow users to authenticate with their AD credentials and proceed directly to MFA enrollment, enable Delegated Authentication, navigate to Directory Integrations, and disable the activation email.

  1. Enable Delegated Authentication in the Okta Admin Console.
  2. Navigate to Directory, and then select Directory Integrations.
  3. Choose the integration.
  4. Select the Settings tab.
  5. Select the Don't send new user activation emails for this domain option.
  6. Import and activate the required AD users.

 

After activation, users log in to Okta using their AD credentials without navigating through the email activation flow. If the organization requires MFA enrollment, Okta prompts the users to set up a second factor during their initial sign-in.
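To confirm the result after step 6, the following added example (not Okta's code and not part of the original article) audits user objects exported from Okta's Users API. It assumes each object carries `status` and `credentials.provider.type`, and that users whose passwords are delegated to AD report the provider type `ACTIVE_DIRECTORY`. The sample records are constructed.

```python
import json

# Constructed sample, shaped like trimmed user objects from Okta's Users API.
SAMPLE_USERS = json.loads("""
[
 {"status": "ACTIVE", "profile": {"login": "ana@corp.example"},
  "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example"}}},
 {"status": "PROVISIONED", "profile": {"login": "bo@corp.example"},
  "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
 {"status": "STAGED", "profile": {"login": "cy@corp.example"},
  "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example"}}},
 {"status": "DEPROVISIONED", "profile": {"login": "di@corp.example"},
  "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}}
]
""")


def audit_ad_sourced_users(users):
    """Map login -> findings for users expected to sign in with AD credentials."""
    report = {}
    for user in users:
        status = user.get("status")
        if status == "DEPROVISIONED":
            continue  # deactivated accounts cannot sign in; out of scope
        login = user.get("profile", {}).get("login", "<unknown>")
        provider = user.get("credentials", {}).get("provider", {}).get("type")
        findings = []
        # Assumption: delegated AD users report provider type ACTIVE_DIRECTORY.
        if provider != "ACTIVE_DIRECTORY":
            findings.append(f"credential provider is {provider}, not ACTIVE_DIRECTORY")
        if status == "STAGED":
            findings.append("imported but not activated")
        elif status == "PROVISIONED":
            findings.append("activation still pending")
        if findings:
            report[login] = findings
    return report


if __name__ == "__main__":
    for login, findings in audit_ad_sourced_users(SAMPLE_USERS).items():
        print(login, "->", "; ".join(findings))
```

An empty report means every audited account is active and authenticates against AD. Any listed login still depends on an Okta-held password or on an unfinished activation.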
