DelAuth User with Temporary Password is Not Prompted to Change Password
Overview

When Okta performs a password reset for an Okta user who authenticates via Delegated Authentication (DelAuth), the action is processed by the Okta Active Directory (AD) Agent using the permissions of the AD Agent service account. This is true for both Admin-triggered and User-triggered (Self-service) password resets.

When Okta performs a password reset, the default behavior is to require the user to set a new password at their next successful logon.


For reference, the Okta Password Reset - Create temporary password flow of events for AD delegated authentication users is:

  • Create a temporary password: This displays a one-time-use password on the screen so the Admin can provide it to the user.
  • This puts the user in the Password Expired status in Okta.
  • The User must change password at next logon option is checked in AD for the user automatically.

(Screenshot: the "User must change password at next logon" option checked in the user's AD properties)

  • When the user logs in to Okta using the temporary password, they are prompted to reset their AD password.
  • After the password is successfully changed in AD, the User must change password at next logon option is automatically unchecked in AD for the user.
  • The user's status is updated to "Active" in Okta.

This article provides the root cause and solution for the issue where a DelAuth user is not prompted to change their password at login after a password reset has been performed.

Applies To
  • Active Directory (AD)
  • Delegated Authentication (DelAuth)
  • Password reset
Cause

If the AD user profile has the Password never expires option checked, it is impossible to require a user to change their password during a subsequent logon. This is an expected behavior in Active Directory.

In this case, if the Okta Password Reset - Create temporary password flow is used for a user who has the Password never expires option enabled in AD, then the user will not be required to change the temporary password at the next logon.

In AD, it is not possible to check both the User must change password at next logon and Password never expires options simultaneously. Attempting to do so shows a warning window:

    You have selected 'Password never expires'. The user will not be required to change the password at the next logon.

(Screenshot: both options checked in the user's AD properties, with the warning message above)

Performing this action in Okta, however, shows no such warning. Okta cannot remove Password never expires from the user's userAccountControl attribute value, so the reset succeeds but the user is not required to change the temporary password at the next logon.

Likewise, if the AD user profile has the User cannot change password option checked, the user is not prompted to change their password. This is also expected behavior in Active Directory.

(Screenshot: the "User cannot change password" option checked in the user's AD properties)

Solution

To ensure the user is prompted to change their password on their next login, uncheck Password never expires and/or User cannot change password in the AD user profile.
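The following PowerShell is an added example and is not code from the Okta article or from Okta itself. It checks, before running the Okta Password Reset - Create temporary password flow, whether the AD user has either blocking option set, optionally clears them, and afterwards reports whether the "must change password at next logon" state described in the flow above was actually applied. It assumes the RSAT ActiveDirectory module and an account allowed to read (and, with -Fix, write) the target user; the function name, parameter names, and the sample user 'jdoe' are my own choices.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the Okta article. Assumes RSAT's ActiveDirectory
# module and an account allowed to read and (with -Fix) write the target user.
# The function and parameter names are my own.

function Test-DelAuthResetPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Clear the blocking options instead of only reporting them
        [switch] $Fix
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties userAccountControl, CannotChangePassword, pwdLastSet

    # "Password never expires" is the DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl.
    $neverExpires = ($user.userAccountControl -band 0x10000) -ne 0
    # "User cannot change password" is not a UAC bit; it is a Deny ACE on the
    # Change Password right, which the AD cmdlets expose as CannotChangePassword.
    $cantChange = [bool] $user.CannotChangePassword
    # "User must change password at next logon" is stored as pwdLastSet = 0.
    $mustChange = ($user.pwdLastSet -eq 0)

    if ($Fix -and ($neverExpires -or $cantChange)) {
        if ($neverExpires) { Set-ADUser -Identity $user -PasswordNeverExpires $false }
        if ($cantChange)   { Set-ADUser -Identity $user -CannotChangePassword $false }
        # Re-read so the result reflects what is now in the directory
        return Test-DelAuthResetPrerequisites -SamAccountName $SamAccountName
    }

    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        PasswordNeverExpires  = $neverExpires
        CannotChangePassword  = $cantChange
        MustChangeAtNextLogon = $mustChange
        # Okta's temporary-password flow only forces a change when both are clear
        ReadyForOktaReset     = -not ($neverExpires -or $cantChange)
    }
}

# Before running "Okta Password Reset - Create temporary password" for jdoe:
Test-DelAuthResetPrerequisites -SamAccountName 'jdoe' -Fix

# After the Okta reset, MustChangeAtNextLogon should report True; after the user
# sets a new password through Okta it should return to False.
Test-DelAuthResetPrerequisites -SamAccountName 'jdoe'
```

If the Okta flow has already been run against a user with Password never expires set, clearing the option with -Fix is not enough on its own: the temporary password is in place but pwdLastSet was never zeroed, so you must also run Set-ADUser -ChangePasswordAtLogon $true (or re-run the Okta reset). The AD cmdlets enforce the same rule the AD UI warns about: ChangePasswordAtLogon cannot be set to true while PasswordNeverExpires is true.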
