When trying to remove a user’s password via Directory > People > [User] > Reset or Remove Password > Remove Password, the option may be unavailable or grayed out.
Applies to:
- Okta Identity Engine (OIE)
- Passwordless Authentication
- Multi-Factor Authentication (MFA)
The availability of the Remove Password option is determined by the user’s applicable Authenticator Enrollment Policy settings, specifically:
- If any policy assigned to the user requires the Password authenticator, the password cannot be removed.
- If all policies have the Password authenticator set to Disabled, the password cannot be removed either.
- The password can only be removed when the Password authenticator is set to Optional in the applicable enrollment policy.
These conditions ensure users retain at least one valid method of authentication and maintain account accessibility.
To enable password removal for a user:
- Sign in to the Okta Admin Console.
- Navigate to Security > Authenticators.
- Select the Enrollment tab.
- Identify and click Edit next to the enrollment policy that applies to the affected user.
- Locate the Password authenticator in the policy configuration.
- Change the setting from Required or Disabled to Optional.
- Click Save to apply the changes.
- Once the password requirement is set to Optional, navigate to Directory > People.
- Search for and select the affected user.
- Click Reset or Remove Password.
- The Remove Password option should now be available.
NOTE:
- To maintain login access after password removal, users must be enrolled in at least one other authentication method (for example, Okta Verify, WebAuthn, or Email).
- Modifying the password requirement in a policy may affect other users governed by the same policy. Review the policy's scope before making changes.
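The three policy conditions and the two NOTE items can be checked together before touching a policy. The following is an added example, not Okta's code: it evaluates constructed policy data offline, assumes the JSON field names mirror Okta's `MFA_ENROLL` policy objects (with `NOT_ALLOWED` standing for Disabled), and uses hypothetical function names, policy names and group IDs.

```python
# Added example: works on constructed data only; it makes no Okta API calls.
# Assumption: field names mirror Okta's MFA_ENROLL policy JSON.

def password_setting(policy):
    """Return the Password authenticator's enrollment setting in one policy."""
    for auth in policy.get("settings", {}).get("authenticators", []):
        if auth.get("key") == "okta_password":
            return auth.get("enroll", {}).get("self", "NOT_ALLOWED")
    return "NOT_ALLOWED"  # assumption: an unlisted authenticator counts as Disabled

def check_password_removal(policies, enrolled):
    """Apply the page's three rules, then the two checks from its NOTE."""
    settings = {p["name"]: password_setting(p) for p in policies}
    required = sorted(n for n, s in settings.items() if s == "REQUIRED")
    if required:
        available, reason = False, "Password is Required in: " + ", ".join(required)
    elif all(s == "NOT_ALLOWED" for s in settings.values()):
        available, reason = False, "Password is Disabled in every applicable policy"
    else:
        available, reason = True, "Password is Optional and no policy requires it"
    # NOTE, first bullet: the user needs another enrolled authenticator.
    others = sorted(set(enrolled) - {"okta_password"})
    # NOTE, second bullet: groups governed by the same policies share any change.
    groups = sorted({g for p in policies for g in
                     p.get("conditions", {}).get("people", {})
                      .get("groups", {}).get("include", [])})
    return {"available": available, "reason": reason,
            "safe_to_remove": available and bool(others),
            "other_authenticators": others, "groups_in_scope": groups}

def policy(name, setting, groups):
    """Build a constructed enrollment policy (hypothetical names and group IDs)."""
    return {"name": name, "type": "MFA_ENROLL",
            "settings": {"type": "AUTHENTICATORS", "authenticators": [
                {"key": "okta_password", "enroll": {"self": setting}},
                {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}}]},
            "conditions": {"people": {"groups": {"include": groups}}}}

if __name__ == "__main__":
    applicable = [policy("Passwordless Pilot", "OPTIONAL", ["00g-constructed-pilot"]),
                  policy("Default Policy", "REQUIRED", ["00g-constructed-everyone"])]
    print(check_password_removal(applicable, ["okta_password", "okta_verify"]))
```

A result with `available` true but `safe_to_remove` false is the lockout case the NOTE warns about: the option would be offered, but the user has no other enrolled authenticator.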
