Okta Error Updating Active Directory User Password During AD Provisioning
Overview

An error occurs when Okta provisions users to Active Directory (AD) because the authentication source password policy is less strict than the target AD password policy. Resolve this issue by matching the password policies and re-adding the affected users to the provisioning group. When Okta provisions a user to AD, Okta creates the AD user in a deactivated state, and Okta generates the following error:

 

Error updating active_directory user password: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. (Exception from HRESULT: 0x800708C5)

 

Error Messages

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Active Directory Provisioning
Cause

When Okta provisions users to AD, Okta creates the user account in AD and sets the AD password to a random password. Okta generates this random password according to the password policy of the user's current authentication source and places the user in password expiration mode. Therefore, the authentication source password policy must meet the password policy for the AD integration receiving the provisioned users.

 

For example, if users authenticate with delegated authentication from ExampleDomain1.com and Okta provisions them to ExampleDomain2.com, the password policy for ExampleDomain1.com must meet the password policy for ExampleDomain2.com. If the password policy is less strict in ExampleDomain1.com, ExampleDomain2.com rejects the random password, and Okta generates the error.

Solution

How is the Active Directory password policy error resolved?

 

Update the password policy to match the target directory requirements and reset the affected users to clear the provisioning errors.

  1. Ensure the user's current authentication source password policy meets the Minimum Length and Complexity requirements for the target AD integration.
  2. Remove the affected users from the provisioning group.
  3. Re-add the affected users to the provisioning group to clear the provisioning errors.
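
The check in step 1 can be scripted before re-adding users. The following is an added example, not Okta's code: `policy_gaps` is a hypothetical helper, the source field names assume the `complexity` object of an Okta password policy, the target names assume the AD default domain password policy properties, and all values are constructed.

```python
# Added example (not from the original article). Source-side field names
# assume the "complexity" object of an Okta password policy; target-side
# names assume the AD default domain password policy properties.

CHAR_CLASS_KEYS = ("minLowerCase", "minUpperCase", "minNumber", "minSymbol")
AD_REQUIRED_CLASSES = 3  # AD complexity: characters from at least 3 categories


def policy_gaps(source, target_ad):
    """Return (setting, source_value, required_value) for every target
    requirement that the source policy does not guarantee."""
    gaps = []

    src_len = int(source.get("minLength", 0))
    if src_len < target_ad["MinPasswordLength"]:
        gaps.append(("minLength", src_len, target_ad["MinPasswordLength"]))

    if target_ad.get("ComplexityEnabled", False):
        # Assumption: only character classes the source policy requires are
        # guaranteed to appear in a random password generated under it.
        enforced = sum(1 for k in CHAR_CLASS_KEYS if int(source.get(k, 0)) > 0)
        if enforced < AD_REQUIRED_CLASSES:
            gaps.append(("characterClasses", enforced, AD_REQUIRED_CLASSES))

    return gaps


# Constructed sample: ExampleDomain1.com (source) vs ExampleDomain2.com (target)
SOURCE_POLICY = {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                 "minNumber": 0, "minSymbol": 0}
TARGET_AD_POLICY = {"MinPasswordLength": 12, "ComplexityEnabled": True}

if __name__ == "__main__":
    gaps = policy_gaps(SOURCE_POLICY, TARGET_AD_POLICY)
    for setting, have, need in gaps:
        print(f"{setting}: source guarantees {have}, target requires {need}")
    if not gaps:
        print("Source policy meets the target AD policy.")
```

An empty result means the source policy guarantees the target's minimum length and complexity; any reported gap should be closed in the source policy before moving on to steps 2 and 3.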