Password Expired User Account Status when Expired via Password Policy
Administration
Okta Classic Engine
Okta Identity Engine
Overview

When an Okta password policy is configured to automatically expire a user's password after a specific time period, the user's account status remains "Active" until they attempt to log in.

This means the password expiration policy does not automatically change the account status to "Password Expired" until the user actively tries to access their account.

Applies To
  • Password Policies
  • Password Expiry
  • Password Expired after a certain period
Cause

This behavior is a default setting in Okta and cannot be modified at this time. The system is designed to wait for the user's login attempt before updating the account status based on the password expiration policy.

Solution

The password expiration policy checks against the user's Password Last Changed date. This information can be found by following the steps outlined in:

 

Additional Considerations:

  • Password Policy Configuration

While the default behavior is to wait for a login attempt, the password policy can be configured to set other account statuses (for example, Locked) under specific conditions.

  • User Communication

Users must be informed of the organization's password policies, including information about password expiration and the grace period before account status changes.

  • Password Reset Options

Ensure that users have convenient options for resetting their passwords when they expire, such as self-service password reset portals or administrative assistance.

  • Passwordless behaviour with FastPass

For passwordless authentication with FastPass, users are not prompted for a password reset. This is because the password is evaluated only when it is used to log in; if the user is not using the password to log in to Okta, it will not expire. This was put in place because, if the password expired even when the user only uses FastPass, it would create a very disconnected authentication experience (for example, users would suddenly start questioning why they are being asked for a password reset when they have been using FastPass to log in to Okta). To ensure users update their passwords, set up an automation to notify them of the requirement to change their passwords.

NOTE: By understanding the default behavior and implementing appropriate password policies and communication strategies, it is possible to effectively manage password expiration and maintain account security in an Okta organization.
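As an added example (not part of Okta's article), the Python check below applies the Password Last Changed comparison to user records and reports accounts whose password is past the policy's maximum age while the status still reads Active. That is the population a notification automation would target. The sample records are constructed and shaped like Okta Users API objects (`status`, `passwordChanged`, `profile.login`); `stale_active_users` and `max_age_days` are hypothetical names, and the 90-day maximum age is an assumed policy setting.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Okta Users API user objects
# (only the fields used here: status, passwordChanged, profile.login).
SAMPLE_USERS = [
    {"status": "ACTIVE", "passwordChanged": "2024-01-10T08:00:00.000Z",
     "profile": {"login": "alice@example.com"}},
    {"status": "ACTIVE", "passwordChanged": "2024-05-20T12:30:00.000Z",
     "profile": {"login": "bob@example.com"}},
    # No password on record (for example, a passwordless-only user).
    {"status": "ACTIVE", "passwordChanged": None,
     "profile": {"login": "carol@example.com"}},
    # Status already updated by a login attempt after expiry.
    {"status": "PASSWORD_EXPIRED", "passwordChanged": "2023-11-01T09:00:00.000Z",
     "profile": {"login": "dave@example.com"}},
]


def parse_okta_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-10T08:00:00.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def stale_active_users(users, max_age_days, now):
    """Return (login, days_overdue) for ACTIVE users whose password is older
    than max_age_days: expired by policy, but not yet shown as expired."""
    findings = []
    for user in users:
        changed = user.get("passwordChanged")
        if user.get("status") != "ACTIVE" or not changed:
            continue  # different status, or no password that could age out
        overdue = (now - parse_okta_time(changed)) - timedelta(days=max_age_days)
        if overdue > timedelta(0):
            findings.append((user["profile"]["login"], overdue.days))
    # Longest-overdue accounts first.
    return sorted(findings, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
    for login, days in stale_active_users(SAMPLE_USERS, max_age_days=90, now=now):
        print(f"{login}: password expired {days} day(s) ago, status still ACTIVE")
```
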

 
