Force An Okta User To Change Their Password Upon Next Logon Using Delegated Authentication
Overview

This article describes how to force users who authenticate to Okta via Delegated Authentication with Active Directory (AD) to change their passwords upon their next logon.

Applies To
  • Active Directory (AD)
  • Delegated Authentication
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

To force a user to change their password at next logon, follow these steps:

  1. Navigate to Active Directory Users and Computers.
  2. Locate the user and open the user's properties.
  3. Navigate to the Account tab. Under Account Options, check the box labeled "User must change password at next logon", and then click OK or Apply.

AD User Properties


After saving, the user will be forced to change their password upon the next Okta Delegated Authentication event or Domain Authentication.
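
The same setting can be applied from PowerShell for several users at once. The script below is an added example, not part of the original Okta article; it assumes the ActiveDirectory (RSAT) module is installed, and the function name Set-MustChangePassword and the sample account names are hypothetical. It skips accounts whose other account options conflict with the flag and reads the attribute back to confirm the change.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and write access to the users.
Import-Module ActiveDirectory

function Set-MustChangePassword {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$SamAccountName
    )
    process {
        foreach ($name in $SamAccountName) {
            $status = 'Unknown'
            try {
                $user = Get-ADUser -Identity $name -ErrorAction Stop `
                    -Properties PasswordNeverExpires, CannotChangePassword
                # These two account options conflict with "must change at next logon".
                if ($user.PasswordNeverExpires) {
                    $status = 'Skipped: Password never expires is set'
                }
                elseif ($user.CannotChangePassword) {
                    $status = 'Skipped: User cannot change password is set'
                }
                elseif ($PSCmdlet.ShouldProcess($name, 'Require password change at next logon')) {
                    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
                    # AD records the flag as pwdLastSet = 0; read it back to confirm.
                    $check = Get-ADUser -Identity $user -Properties pwdLastSet
                    $status = if ($check.pwdLastSet -eq 0) { 'Flag set' } else { 'Not confirmed' }
                }
                else { $status = 'Not changed (WhatIf or declined)' }
            }
            catch { $status = "Error: $($_.Exception.Message)" }
            [pscustomobject]@{ SamAccountName = $name; Status = $status }
        }
    }
}

# Constructed sample account names; -WhatIf previews without writing to AD.
'jdoe', 'asmith' | Set-MustChangePassword -WhatIf
```

Remove -WhatIf to apply the change; the output lists one status row per account, so skipped or failed accounts can be followed up individually.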

 

NOTE: The password policy in Okta that applies to the user must allow password changes, and the user must meet any requirements of that policy (for example, matching the network zone or enrolled authenticator). Otherwise, the user will encounter the error "Unable to sign in".
