During a password reset, Okta displays the password requirements configured in the Okta Password Policy, but the new password must satisfy the password policy configured in Active Directory (AD), which a domain controller verifies. Differences between the Okta Password Policy and the AD password policy can therefore produce unexpected errors during password resets: the user is shown one set of rules while a different set is actually enforced.
To resolve this, configure the Okta AD password policy to mirror the AD policy so the end user sees the correct criteria on the Okta password reset page.
- Directories
- Active Directory (AD)
- Directory Integrations
- Delegated Authentication
- Password Reset
When Delegated Authentication is active on an AD instance, Okta displays the password requirements specified in the Okta AD password policy to the user. However, Okta does not itself enforce the minimum length and complexity requirements configured there. Instead, the Okta AD Agent forwards the password reset request to a domain controller, and the AD password policy (from the domain Password Policy GPO or the Local Security Policy) is what enforces the requirements during the reset. A password that meets the displayed Okta criteria but not the AD policy is rejected by the domain controller, which is the source of the unexpected errors.
How can I avoid issues caused by differences between the Okta Password Policy and the password policy in Active Directory?
Configure the Okta Password Policy that applies to Active Directory users to match the requirements set by the Password Policy Group Policy Object (GPO) in AD (or by a fine-grained password policy, if one applies to those users). The settings in the Okta AD password policy must mirror the AD policy so that the criteria the end user sees on the Okta password reset page are the ones the domain controller actually enforces.
Review the following image to see the end-user view of the Okta Password Policy that applies to AD users:
Review the following image to see the view of the Password Policy in the Okta Admin Console:
NOTE: If those options are selected, Okta itself enforces the "Common password check" and "Use an OEL statement to block restricted content" checks before passing the request to the Okta AD Agent. Okta also enforces its Password age settings unless the corresponding AD setting has a value of 0; in that case Okta ignores its own setting and does not enforce password age.
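As an added example (not part of this article and not Okta's own tooling), the following PowerShell script reads the effective AD password policy and the Okta password policy applied to AD users, and puts the settings that should mirror each other side by side so mismatches are easy to spot. It assumes a domain-joined host with the RSAT ActiveDirectory module, an Okta API token allowed to read policies, and that you supply your Okta domain and the name of the Okta password policy assigned to your AD users; the domain, token and policy name are placeholders.

```powershell
<#
  Added example, not from the Okta article: compare the effective Active Directory
  password policy with the Okta password policy applied to AD users, so the Okta
  policy can be made to mirror AD. Assumptions (placeholders, not from the article):
    - domain-joined host with the RSAT ActiveDirectory module;
    - an Okta API token allowed to read policies;
    - $OktaPolicyName is the Okta password policy assigned to your AD users.
#>
param(
    [Parameter(Mandatory)] [string] $OktaDomain,       # e.g. example.okta.com (placeholder)
    [Parameter(Mandatory)] [string] $OktaApiToken,     # SSWS API token (placeholder)
    [Parameter(Mandatory)] [string] $OktaPolicyName,   # name of the Okta password policy for AD users
    [string] $SampleUser                               # optional AD user, to resolve fine-grained policies
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Effective AD policy. A fine-grained policy (PSO) overrides the domain default,
#    so resolve it for a representative user when one is supplied; fall back to the
#    default domain policy (the Password Policy GPO) otherwise.
$ad = $null
if ($SampleUser) { $ad = Get-ADUserResultantPasswordPolicy -Identity $SampleUser }
if (-not $ad)    { $ad = Get-ADDefaultDomainPasswordPolicy }

# 2. Okta password policies: GET /api/v1/policies?type=PASSWORD, authenticated with an SSWS token.
$headers  = @{ Authorization = "SSWS $OktaApiToken"; Accept = 'application/json' }
$policies = Invoke-RestMethod -Uri "https://$OktaDomain/api/v1/policies?type=PASSWORD" -Headers $headers
$okta     = $policies | Where-Object { $_.name -eq $OktaPolicyName }
if (-not $okta) { throw "Okta password policy '$OktaPolicyName' not found" }
$pw = $okta.settings.password

# 3. Normalise the AD values to Okta's units. A MaxPasswordAge of 00:00:00 means the AD
#    setting is 0 ("never expires"); the article notes Okta then ignores its own age setting.
$adMaxAgeDays = if ($ad.MaxPasswordAge -le [TimeSpan]::Zero) { 0 } else { $ad.MaxPasswordAge.Days }
$adMinAgeMins = [int]$ad.MinPasswordAge.TotalMinutes

# 4. Side-by-side table of the settings that should mirror each other.
$rows = @(
    [pscustomobject]@{ Setting = 'Minimum length';        AD = $ad.MinPasswordLength;    Okta = $pw.complexity.minLength }
    [pscustomobject]@{ Setting = 'Password history';      AD = $ad.PasswordHistoryCount; Okta = $pw.age.historyCount }
    [pscustomobject]@{ Setting = 'Minimum age (minutes)'; AD = $adMinAgeMins;            Okta = $pw.age.minAgeMinutes }
    [pscustomobject]@{ Setting = 'Maximum age (days)';    AD = $adMaxAgeDays;            Okta = $pw.age.maxAgeDays }
    [pscustomobject]@{ Setting = 'Lockout threshold';     AD = $ad.LockoutThreshold;     Okta = $pw.lockout.maxAttempts }
)
$rows | Select-Object Setting, AD, Okta, @{ Name = 'Match'; Expression = { $_.AD -eq $_.Okta } } |
    Format-Table -AutoSize

# 5. Complexity has no one-to-one mapping: AD's ComplexityEnabled means "3 of 4 character
#    classes", while Okta lists each class separately. Show both so the admin can decide
#    which classes the Okta reset page should display.
$oktaClasses = @('minLowerCase', 'minUpperCase', 'minNumber', 'minSymbol') |
    Where-Object { $pw.complexity.$_ -gt 0 }
"AD complexity enabled (3 of 4 character classes): $($ad.ComplexityEnabled)"
"Okta character classes required: $(if ($oktaClasses) { $oktaClasses -join ', ' } else { 'none' })"

# 6. Checks Okta performs itself before the request reaches the AD Agent, and the age caveat.
"Okta common password check (enforced by Okta, not AD): $($pw.complexity.dictionary.common.exclude)"
if ($adMaxAgeDays -eq 0) {
    "AD MaxPasswordAge is 0: Okta ignores its own maximum-age setting for these users."
}
```

Run it as, for example, `.\Compare-PasswordPolicy.ps1 -OktaDomain example.okta.com -OktaApiToken $token -OktaPolicyName 'AD Users' -SampleUser jdoe` (all placeholders). Any row whose Match column is False is a setting the reset page will display differently from what the domain controller enforces; the complexity lines are informational because AD's "3 of 4" rule cannot be expressed exactly in Okta, so choose the character classes that match how your AD users actually set passwords.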
