Okta Delegated Authentication User Does Not Receive Prompt to Change Temporary Password
Overview

When Okta resets the password of a user who authenticates through Delegated Authentication (DelAuth), the Okta Active Directory (AD) Agent carries out the reset in AD. If the AD user account has the Password never expires or User cannot change password option selected, Okta does not prompt the user to change the temporary password at the next logon. Clearing both options on the AD user account resolves the issue.

In a standard password reset flow, Okta generates a temporary password, sets the user to the Password Expired status in Okta, and selects the User must change password at next logon option on the AD account.

[Figure: the User must change password at next logon option selected in the AD user properties]

When the user signs in to Okta with the temporary password, Okta prompts them to reset their AD password. After a successful change, Okta clears the User must change password at next logon option and sets the user status to Active. The AD options Password never expires and User cannot change password prevent these operations from completing.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Delegated Authentication (DelAuth)
  • Password Reset
Cause

If the AD user account has the Password never expires option selected, Active Directory does not force a password change at the next logon, even when User must change password at next logon is also set. Selecting both options together in the AD user properties dialog triggers a warning:

You have selected 'Password never expires'. The user will not be required to change the password at the next logon.

[Figure: both options selected, and the resulting warning message]

Okta does not display this warning and does not clear the Password never expires flag from the userAccountControl attribute value. Additionally, if the AD user account has the User cannot change password option selected, Okta does not prompt the user to change their password. This option is not a userAccountControl flag: AD implements it as Deny entries on the Change Password extended right in the user object's permissions, which is why the change that the prompt would perform cannot succeed.

[Figure: the User cannot change password option selected]

Solution

How is the password prompt issue resolved?

Make sure Okta can prompt the user to change their password at the next login by modifying the Active Directory user account settings:

  1. Open the Active Directory user account properties (in Active Directory Users and Computers, these options are on the Account tab).
  2. Clear the Password never expires checkbox.
  3. Clear the User cannot change password checkbox.
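The checks described under Cause and the fix described under Solution, as an added PowerShell example that is not part of this Okta article and is neither Okta nor Microsoft code. It uses the RSAT ActiveDirectory module, reads the Password never expires bit straight from userAccountControl and the User cannot change password setting straight from the user object's DACL, clears both, and can sweep an OU for affected accounts. The function names, the SearchBase value and the sample identity jdoe are assumptions for illustration.

```powershell
# Added example, not Okta's or Microsoft's code. Audits an AD user (or an OU) for
# the two account settings that stop the change-password prompt after an Okta
# DelAuth password reset, and clears them. Requires the RSAT ActiveDirectory
# module and rights to modify the user objects. Function names, the SearchBase
# value and the sample identity 'jdoe' are assumptions for illustration.
Import-Module ActiveDirectory

# userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD = "Password never expires".
$DontExpirePasswd = 0x10000
# Extended right "User-Change-Password". "User cannot change password" is not a
# userAccountControl bit; it is a Deny ACE on this right for Everyone and/or SELF.
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-PasswordPromptBlocker {
    param([Parameter(Mandatory)][string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, pwdLastSet, CannotChangePassword

    # Inspect the object's DACL directly so the reason is visible, not only the
    # module's computed CannotChangePassword property.
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $denyAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ChangePasswordRight
    })

    $neverExpires = [bool]($u.userAccountControl -band $DontExpirePasswd)
    $cannotChange = [bool]$u.CannotChangePassword

    [pscustomobject]@{
        SamAccountName           = $u.SamAccountName
        PasswordNeverExpires     = $neverExpires
        UserCannotChangePassword = $cannotChange
        DenyChangePasswordFor    = ($denyAces | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        # pwdLastSet = 0 is what "User must change password at next logon" sets;
        # AD ignores it while Password never expires is on.
        MustChangeAtNextLogon    = ($u.pwdLastSet -eq 0)
        PromptWillWork           = -not ($neverExpires -or $cannotChange)
    }
}

function Repair-PasswordPromptBlocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $before = Get-PasswordPromptBlocker -Identity $Identity
    if ($before.PasswordNeverExpires -and $PSCmdlet.ShouldProcess($Identity, 'Clear Password never expires')) {
        Set-ADUser -Identity $Identity -PasswordNeverExpires $false
    }
    if ($before.UserCannotChangePassword -and $PSCmdlet.ShouldProcess($Identity, 'Clear User cannot change password')) {
        # Removes the Deny ACEs for Everyone/SELF on the Change Password right.
        Set-ADUser -Identity $Identity -CannotChangePassword $false
    }
    Get-PasswordPromptBlocker -Identity $Identity
}

# OU sweep. Only the Password never expires flag can be queried server-side, with
# the LDAP bitwise-AND matching rule:
#   (userAccountControl:1.2.840.113556.1.4.803:=65536)
# The ACL-based setting has no LDAP filter, so every enabled user is inspected.
function Find-PasswordPromptBlocker {
    param([string]$SearchBase)   # e.g. 'OU=Okta Users,DC=example,DC=com' (assumed)
    $params = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params |
        ForEach-Object { Get-PasswordPromptBlocker -Identity $_.SamAccountName } |
        Where-Object { -not $_.PromptWillWork }
}

# Usage (identity 'jdoe' and the OU are constructed sample values):
# Get-PasswordPromptBlocker -Identity jdoe
# Repair-PasswordPromptBlocker -Identity jdoe -WhatIf
# Find-PasswordPromptBlocker -SearchBase 'OU=Okta Users,DC=example,DC=com'
```

Run Repair-PasswordPromptBlocker with -WhatIf first; it prints the changes it would make without touching the object. The audit output also reports MustChangeAtNextLogon, so after clearing the two options you can confirm that the pwdLastSet value Okta set during the reset is still in place and will now take effect.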