Active Directory (AD)-sourced users see the error below when attempting to set a new password via Self Service Password Recovery (SSPR), even though all policies are configured to allow it and the AD Agent service account has the necessary permissions.
Reviewing the Okta System Log shows no events for this error, and a network trace in the browser shows a "403" response on the /idp/idx/challenge/answer endpoint.
Change password is not allowed on specified user
- Self Service Password Recovery (SSPR)
- Active Directory (AD)
- Okta Identity Engine (OIE)
If all policies and permissions have been confirmed to be configured properly, the likely cause is a missing feature flag that enables password resets on AD-sourced accounts. This feature flag is tied directly to the Universal Directory SKU. If the Okta org does not have the Universal Directory SKU, password resets are not permitted on Active Directory accounts, and the request fails with the 403 described above even though the policies appear to allow it.
Confirm whether the Universal Directory SKU is enabled for the Okta org. If unsure whether this SKU is active, contact the Account Owner for confirmation.
If the issue remains despite confirmation that the Universal Directory SKU is active, please contact Okta Support for further assistance.
NOTE: Be sure to provide a HAR capture taken while reproducing the error when opening the support case. Details on how to capture a HAR for different browsers can be found in the Generate HTTP Archive files documentation. A HAR records every request and response in full, including cookies, session tokens and the new password submitted in the request body, so review and redact it before attaching it to the case.
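As an added example (this script is not part of the original Okta article), the following Python code triages and sanitizes a HAR before it is sent to support. It locates entries for /idp/idx/challenge/answer that returned a 4xx/5xx status, then redacts Cookie, Authorization and XSRF headers, cookie values, and password-like keys in JSON request and response bodies. The embedded HAR is constructed for illustration: the example.okta.com hostname, cookie and body values are invented, and the request body shape (credentials.passcode) is an assumption about the SSPR flow, not something the article documents.

```python
import json
from copy import deepcopy

# Constructed sample HAR (HTTP Archive 1.2), trimmed to the fields this script
# reads. Hostname, cookie, stateHandle and password values are invented; the
# body shape "credentials.passcode" is an assumption about the SSPR request.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "POST",
                    "url": "https://example.okta.com/idp/idx/introspect",
                    "headers": [{"name": "Cookie", "value": "idx=abc123"}],
                    "cookies": [{"name": "idx", "value": "abc123"}],
                    "postData": {"mimeType": "application/json",
                                 "text": "{\"stateHandle\": \"02.xyz\"}"},
                },
                "response": {"status": 200, "statusText": "OK",
                             "headers": [], "cookies": []},
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://example.okta.com/idp/idx/challenge/answer",
                    "headers": [
                        {"name": "Cookie", "value": "idx=abc123"},
                        {"name": "X-Okta-XsrfToken", "value": "tok456"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "idx", "value": "abc123"}],
                    "postData": {
                        "mimeType": "application/json",
                        "text": "{\"stateHandle\": \"02.xyz\", "
                                "\"credentials\": {\"passcode\": \"NewP@ssw0rd!\"}}",
                    },
                },
                "response": {"status": 403, "statusText": "Forbidden",
                             "headers": [], "cookies": []},
            },
        ],
    }
}

ENDPOINT = "/idp/idx/challenge/answer"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-okta-xsrftoken"}
SENSITIVE_JSON_KEYS = {"passcode", "password", "sessiontoken", "answer"}
REDACTED = "[REDACTED]"


def find_failed_challenge_answers(har, endpoint=ENDPOINT):
    """Return (entry_index, status) for every failed call to the endpoint."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        url = entry["request"]["url"]
        status = int(entry["response"]["status"])
        if endpoint in url and status >= 400:
            hits.append((i, status))
    return hits


def _redact_json(obj):
    # Walk a parsed JSON body and blank out password-like keys at any depth.
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_JSON_KEYS else _redact_json(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def _redact_body(container, text_key):
    # Redact a JSON body in place; unparseable bodies are dropped entirely
    # rather than forwarded with unknown content.
    if not container or not container.get(text_key):
        return
    try:
        container[text_key] = json.dumps(_redact_json(json.loads(container[text_key])))
    except ValueError:
        container[text_key] = REDACTED


def redact_har(har):
    """Return a deep copy of the HAR with secrets removed; the input is untouched."""
    out = deepcopy(har)
    for entry in out["log"]["entries"]:
        for part in ("request", "response"):
            section = entry.get(part, {})
            for header in section.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in section.get("cookies", []):
                cookie["value"] = REDACTED
        _redact_body(entry.get("request", {}).get("postData"), "text")
        _redact_body(entry.get("response", {}).get("content"), "text")
    return out


def redacted_har_text(har):
    """Serialized redacted HAR, ready to attach to a support case."""
    return json.dumps(redact_har(har), indent=2)


if __name__ == "__main__":
    for index, status in find_failed_challenge_answers(SAMPLE_HAR):
        print(f"entry {index}: {ENDPOINT} returned {status}")
    with open("sanitized.har", "w") as fh:
        fh.write(redacted_har_text(SAMPLE_HAR))
```

Run it against a real capture by loading the file with `json.load` in place of SAMPLE_HAR; the triage step confirms the 403 on /idp/idx/challenge/answer is actually present in the capture before the case is opened, and the sanitized output keeps the URLs, methods and status codes support needs while dropping the session cookie, XSRF token and the submitted password.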
