This article reviews a scenario where a user sourced from Active Directory (AD) can complete Okta Verify enrollment after being deactivated in AD if a QR code was generated before deactivation. The enrollment process proceeds even though the user is no longer active in the identity source. However, access to Okta-protected applications remains blocked.
Applies to:
- Okta Verify
- Active Directory Sourced Users
- Android
- iOS
- macOS
- Windows
- Okta Identity Engine (OIE)
When a QR code is generated for Okta Verify enrollment, it remains valid for a limited time, even if the user is deactivated in Active Directory in the meantime. If the user scans the code before it expires, the enrollment succeeds, but sign-in to applications is still denied because the Okta account is deactivated.
Follow these steps to remove unauthorized or unwanted Okta Verify enrollments:
- Open the Okta Admin Console.
- Navigate to Directory > People.
- Search for the affected user in the universal directory, and click the user name to open the profile.
- Click the More Actions drop-down, and choose Reset Authenticators.
- Select the Okta Verify enrollment and click Reset Selected Authenticators to delete the device association.
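The Admin Console steps above handle one user at a time. To find such enrollments across an org, an administrator can look in the Okta System Log for a successful factor activation that was published after the same user's deactivation event. The script below is an added example, not Okta's code or part of this article: it runs that check over a constructed batch of System Log events and then lists the Management API Reset Factor requests (DELETE /api/v1/users/{userId}/factors/{factorId}, the API equivalent of Reset Authenticators) an admin would issue for each finding. The event type names user.lifecycle.deactivate and user.mfa.factor.activate are real System Log event types; the target type name "UserFactor", the ids and the timestamps in the sample are assumptions made for this example.

```python
"""Flag Okta Verify enrollments completed after a user's deactivation.

Added example (not Okta's code). Works offline on the constructed System Log
events below; the remediation step only builds the API requests, it does not
send them.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample System Log events. Field layout follows the System Log
# shape (eventType, published, outcome.result, target[]); ids, logins and
# timestamps are made up for this example, and "UserFactor" as the target
# type of a factor is an assumption.
SAMPLE_EVENTS = [
    {"eventType": "user.lifecycle.deactivate", "published": "2024-05-01T09:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "id": "00uEXAMPLE1", "alternateId": "alice@example.com"}]},
    # Alice scanned a QR code issued before her deactivation: activation lands
    # seven minutes after the deactivate event and must be flagged.
    {"eventType": "user.mfa.factor.activate", "published": "2024-05-01T09:07:30.000Z",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "id": "00uEXAMPLE1", "alternateId": "alice@example.com"},
                {"type": "UserFactor", "id": "opfEXAMPLE1", "alternateId": "Okta Verify"}]},
    # Bob enrolled normally before he was deactivated: not a finding.
    {"eventType": "user.mfa.factor.activate", "published": "2024-05-01T08:30:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "id": "00uEXAMPLE2", "alternateId": "bob@example.com"},
                {"type": "UserFactor", "id": "opfEXAMPLE2", "alternateId": "Okta Verify"}]},
    {"eventType": "user.lifecycle.deactivate", "published": "2024-05-01T10:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "id": "00uEXAMPLE2", "alternateId": "bob@example.com"}]},
]


def _published(event: Dict) -> datetime:
    """Parse the System Log 'published' timestamp (UTC, ISO 8601 with millis)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _targets(event: Dict, kind: str) -> List[Dict]:
    """Return the targets of an event with the given type (e.g. 'User')."""
    return [t for t in event.get("target", []) if t.get("type") == kind]


def find_post_deactivation_enrollments(events: List[Dict]) -> List[Dict[str, str]]:
    """Return factor activations published after the same user's deactivation.

    Events are processed in time order, so an activation that precedes the
    deactivation (a normal enrollment) is not reported.
    """
    deactivated_at: Dict[str, datetime] = {}  # user id -> latest deactivation
    findings: List[Dict[str, str]] = []
    for ev in sorted(events, key=_published):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        users = _targets(ev, "User")
        if not users:
            continue
        user = users[0]
        if ev["eventType"] == "user.lifecycle.deactivate":
            deactivated_at[user["id"]] = _published(ev)
        elif ev["eventType"] == "user.mfa.factor.activate":
            when = deactivated_at.get(user["id"])
            if when is not None and _published(ev) > when:
                factors = _targets(ev, "UserFactor")
                findings.append({
                    "user_id": user["id"],
                    "login": user.get("alternateId", ""),
                    "factor_id": factors[0]["id"] if factors else "",
                    "activated_at": ev["published"],
                    "deactivated_at": when.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
                })
    return findings


def remediation_calls(findings: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Build the Reset Factor requests (method, path) for each finding.

    DELETE /api/v1/users/{userId}/factors/{factorId} is the Management API
    counterpart of Reset Authenticators in the Admin Console.
    """
    return [("DELETE", f"/api/v1/users/{f['user_id']}/factors/{f['factor_id']}")
            for f in findings if f["factor_id"]]


if __name__ == "__main__":
    found = find_post_deactivation_enrollments(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['login']}: factor {f['factor_id']} activated {f['activated_at']} "
              f"after deactivation at {f['deactivated_at']}")
    for method, path in remediation_calls(found):
        print(method, path)
```

In a real run the events would come from the System Log API (filtered on the two event types) and the DELETE requests would be sent with an admin API token; the script leaves both out so it can be run as-is. Only successful events are considered, and the most recent deactivation per user wins, so a user who was deactivated, reactivated and then deactivated again is judged against the latest deactivation.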
