Unable to Provision Users to Active Directory - Error Updating Active Directory User Password
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This document describes how to troubleshoot the error:

Error updating active_directory user password: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. (Exception from HRESULT: 0x800708C5)

This error occurs when a user is provisioned to Active Directory and the password policy of the user's authentication source is less strict than the password policy of the Active Directory to which the user is being provisioned.

As a side effect, the Active Directory user is created but left in a deactivated state.

Applies To
  • Active Directory (AD)
  • Active Directory Provisioning
Cause

When an org provisions users to Active Directory, Okta creates the user account in Active Directory and sets the Active Directory password to a random password.


Okta will use the user's authentication source's password policy to generate a random password and place the user in password expiration mode. Therefore, it is critical that the authentication source's password policy meets the password policy for the Active Directory integration to which the users are being provisioned. 

  • For example, if users authenticate with delegated authentication from ExampleDomain1.com and are being provisioned to ExampleDomain2.com, the password policy for ExampleDomain1.com must meet the password policy for ExampleDomain2.com. If the password policy in ExampleDomain1.com is less strict, ExampleDomain2.com will not accept the random password, and the user will receive the errors listed in the Overview. The issue is not resolved when the user logs in; the user must be removed from the provisioning group and re-added to remediate it.
Solution

To resolve this issue, ensure that the password policy of the user's current authentication source matches the Minimum Length and Complexity requirements of the AD integration to which the user is being provisioned.

Users who are already affected will need to be removed from the provisioning group and re-added to clear the provisioning errors.
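One way to confirm the policy gap before re-adding users, for the delegated-authentication case described above where both the source and the target are AD domains. This is an added example, not Okta's own tooling; it assumes the ActiveDirectory (RSAT) module is installed, both domains are reachable from the host, and it uses the page's example domain names. `Compare-PasswordPolicy` is a hypothetical helper name.

```powershell
# Added example: compares the default domain password policies of the
# authentication source and the provisioning target.
# Assumptions: both are AD domains, the ActiveDirectory module is available,
# and the domain names are the page's examples. Only the default domain
# policy is read; fine-grained password policies (PSOs) are not evaluated.
Import-Module ActiveDirectory

function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Source,   # policy the random password is generated from
        [Parameter(Mandatory)] $Target    # policy the target AD enforces
    )
    $findings = @()
    # A shorter source minimum can produce a password the target rejects.
    if ($Source.MinPasswordLength -lt $Target.MinPasswordLength) {
        $findings += "Minimum length: source $($Source.MinPasswordLength) < target $($Target.MinPasswordLength)"
    }
    # Complexity enforced on the target but not on the source is also a gap.
    if ($Target.ComplexityEnabled -and -not $Source.ComplexityEnabled) {
        $findings += "Complexity: required by target, not required by source"
    }
    return $findings
}

$sourceDomain = 'ExampleDomain1.com'   # domain users authenticate against
$targetDomain = 'ExampleDomain2.com'   # domain users are provisioned to

$src = Get-ADDefaultDomainPasswordPolicy -Identity $sourceDomain
$dst = Get-ADDefaultDomainPasswordPolicy -Identity $targetDomain

$gaps = Compare-PasswordPolicy -Source $src -Target $dst
if ($gaps) {
    Write-Warning "Source policy is less strict than $targetDomain; expect HRESULT 0x800708C5 on provisioning:"
    $gaps | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "Source policy meets the minimum length and complexity requirements of $targetDomain."
}
```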
