Force an Okta User to Change Password Upon Next Logon Using Active Directory Delegated Authentication
Overview

Administrators can force users who authenticate to Okta through Delegated Authentication with Active Directory (AD) to change their password at the next logon. This is done by modifying the account options on the user object in Active Directory Users and Computers; Okta picks the requirement up from AD at the next authentication.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Delegated Authentication
Solution

How do you force users who sign in with Delegated Authentication to change their passwords at the next logon?

Modify the user properties in AD to require a password change at the next logon.

  1. Open Active Directory Users and Computers.
  2. Locate the account and open the user's Properties.
  3. Navigate to the Account tab.

(Screenshot: AD User Properties)

  4. Under Account options, select the User must change password at next logon checkbox.
  5. Select OK or Apply.

After saving, the user is forced to change the password at the next Okta Delegated Authentication event or domain authentication.
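The same change can be made and verified from PowerShell. The following is an added example, not part of the Okta article: it uses the ActiveDirectory module's Set-ADUser -ChangePasswordAtLogon switch, which is the cmdlet equivalent of the checkbox (it clears the pwdLastSet attribute to 0), and then reads the account back so you can confirm the flag is set before the user tries to sign in to Okta. The account name jdoe is a placeholder.

```powershell
# Added example: PowerShell equivalent of the ADUC "User must change password at next logon" checkbox.
# Requires the ActiveDirectory module (RSAT) and rights to modify the target account.
# 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$Identity = 'jdoe'

$before = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, pwdLastSet, PasswordExpired

# The flag cannot be combined with "Password never expires"; ADUC greys the checkbox out in that case,
# so fail early instead of letting Set-ADUser error out.
if ($before.PasswordNeverExpires) {
    throw "'$Identity' has 'Password never expires' set; clear it before forcing a password change."
}

# Equivalent to ticking the checkbox: sets pwdLastSet to 0 on the user object.
Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

# Verify what AD will now report to the Okta AD agent during delegated authentication.
$after = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordExpired
[pscustomobject]@{
    Account         = $after.SamAccountName
    pwdLastSet      = $after.pwdLastSet       # 0 means "must change at next logon"
    PasswordExpired = $after.PasswordExpired  # True once the flag is set
}
```

Run it from a host with RSAT installed, as an account allowed to reset that user's password. The Okta AD agent may be bound to a different domain controller than the one you changed, so allow for AD replication before testing the sign-in; the NOTE below about the Okta password policy still applies, since the change is enforced by Okta only if its policy permits the user to change passwords.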

NOTE: The password policy in Okta that applies to the user must allow password changes, and the user must meet any requirements of that policy (for example, matching the network zone or enrolled authenticator). Otherwise, the user encounters an Unable to sign in error.
