Admins may see the following Org2Org Provisioning Error for some AD DelAuth Authenticated Users:
FAILURE: Api validation failed: password (password: Password requirements were not met. Password requirements: at least 8 characters, a lowercase letter, an uppercase letter, a number, a symbol.)
- Org2Org Provisioning
- Okta Integration Network (OIN)
- Password Sync
- AD DelAuth Users
This happens because the Okta Password Policy requirements are stricter than the Active Directory Password Policy requirements, so some users' passwords do not meet the requirements for Okta Org2Org Provisioning. In most cases, the default Active Directory Password Policy only requires characters from 3 of 5 categories, whereas Okta Policies typically require characters from all 4 of their categories.
| AD | Okta |
|---|---|
| Characters from at least 3 of 5 categories (default policy) | At least 8 characters, including a lowercase letter, an uppercase letter, a number, and a symbol (4 of 4 categories) |
Per Okta documentation, AD sets and enforces these requirements for AD-sourced users; Okta's own password settings do not trigger enforcement for them. This is why AD DelAuth users' passwords may not satisfy the Okta password requirement during Org2Org Provisioning.
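To make the policy mismatch concrete, the following added example (not Okta's or Microsoft's code) encodes the Okta requirements quoted in the error message beside the AD default complexity rule and reports which constructed passwords AD accepts but Org2Org would reject. The 7-character AD minimum length and the five AD categories are standard Default Domain Policy values not stated on this page, and "symbol" is simplified to ASCII punctuation.

```python
import string
# Okta requirements exactly as quoted in the provisioning error message.
OKTA_MIN_LENGTH = 8
# AD Default Domain Policy values (standard defaults, not stated on the page):
# minimum length 7, characters from at least 3 of 5 categories.
AD_MIN_LENGTH, AD_REQUIRED_CATEGORIES = 7, 3
SYMBOLS = set(string.punctuation)  # simplification: "symbol" = ASCII punctuation

def char_categories(password: str) -> set[str]:
    """Return which of AD's five complexity categories appear in the password."""
    cats = set()
    for c in password:
        if c.isupper():
            cats.add("upper")
        elif c.islower():
            cats.add("lower")
        elif c.isdigit():
            cats.add("digit")
        elif c in SYMBOLS:
            cats.add("symbol")
        elif c.isalpha():  # caseless alphabetic characters (e.g. many Asian scripts)
            cats.add("other_alpha")
    return cats

def meets_ad_default(password: str) -> bool:
    """AD complexity rule from the page: 3 of 5 categories (plus default length 7)."""
    return (len(password) >= AD_MIN_LENGTH
            and len(char_categories(password)) >= AD_REQUIRED_CATEGORIES)

def okta_unmet(password: str) -> list[str]:
    """List the Okta requirements from the error text that the password fails."""
    cats = char_categories(password)
    checks = [("at least 8 characters", len(password) >= OKTA_MIN_LENGTH),
              ("a lowercase letter", "lower" in cats),
              ("an uppercase letter", "upper" in cats),
              ("a number", "digit" in cats),
              ("a symbol", "symbol" in cats)]
    return [name for name, ok in checks if not ok]

def org2org_gap(passwords: list[str]) -> dict[str, list[str]]:
    """Passwords AD accepts but Okta rejects, mapped to the unmet Okta requirements."""
    return {p: okta_unmet(p) for p in passwords if meets_ad_default(p) and okta_unmet(p)}

# Constructed sample passwords for illustration only (not real credentials).
SAMPLES = ["Password1", "hunter2!!", "Secur3!Pass", "abc"]

if __name__ == "__main__":
    for pw, missing in org2org_gap(SAMPLES).items():
        print(f"{pw!r} passes AD complexity but Org2Org would fail: missing {', '.join(missing)}")
```

The same check can be used to validate a proposed custom AD password policy against the Okta requirements before rolling it out.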
The workaround is to work with the user directly to set a new password that meets the Okta Password Policy requirements. The end user can do this themselves, or an AD admin can trigger it via Active Directory or the Okta Password Reset Flow.
The proposed permanent solution is to modify the Microsoft password policy GPO and create a custom password policy and password filter in Active Directory that meet the requirements of the Okta Password Policy; see the Related References section for more information. Okta Support highly suggests working with Microsoft Support to implement these changes.
