This article explains why users assigned to Active Directory (AD) with delegated authentication enabled can authenticate to Okta even when their AD password has expired, and how to prevent this from happening in the future.
- Okta Identity Engine (OIE)
- Active Directory
- Delegated Authentication
- Passwordless Authentication
Users who authenticate to Okta via delegated authentication with Active Directory can still authenticate to Okta with an expired AD password if they are using a passwordless authentication factor. Okta will only delegate authentication to Active Directory if a password is provided. Therefore, if the authentication policy does not require a password as a factor, then users can authenticate without using their password.
- For example, if an Authentication Policy is configured to require "Any 1 factor type" and the user chooses to authenticate with Okta Verify, the user would not use their password, and delegated authentication would be bypassed.
To force delegated authentication users to use their passwords during authentication, adjust the Authentication Policy or the Global Session Policy to require a Password as a factor. The Global Session Policy will apply to all applications (including the Okta Dashboard), while the Authentication Policies will apply to specific applications outlined in the policy.
How to adjust the Global Session Policy to require a password
- In the Okta Admin Console, navigate to Security > Global Session Policy.
- Select the policy that applies to the user base.
- Identify the rule, and click on the pencil icon to adjust.
- For the Establish the user session with setting, select A password.
- Click Update rule (this will require the admin to reauthenticate).
How to adjust an Authentication Policy to require a password
- In the Okta Admin Console, navigate to Security > Authentication Policies.
- Choose a policy.
- Select a rule, click Actions, then Edit.
- Scroll down to the THEN section, identify the setting AND User must authenticate with, and select an option that requires a password:
  - Password - requires a password.
  - Possession - does not require a password.
  - Any 1 factor type - requires a password only if password is the sole factor type configured.
  - Password + Another factor - requires a password.
  - Any 2 factor types - requires a password only if password is one of just two factor types available.
  - Authentication method chain - can be configured to require a password.
- Click Save (this will require the admin to reauthenticate).
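Checking every rule by hand in the Admin Console does not scale across many policies. The script below is an added example, not Okta's own code or part of this article: it audits exported policy rules and reports every Global Session Policy or Authentication Policy rule that does not guarantee a password, which is exactly the condition that lets delegated-authentication users sign in with an expired AD password. The rule documents are constructed to resemble what the Okta Policy API returns from GET /api/v1/policies/{policyId}/rules; the field names used here (actions.signon.primaryFactor, actions.appSignOn.verificationMethod, constraints with knowledge/possession entries) are an assumption about that shape, so confirm them against your own export before relying on the result. Authentication method chains are not modelled and are flagged for manual review rather than guessed at.

```python
"""Audit exported Okta policy rules for sign-in paths that skip the password.

Added example (not Okta's code). Field names below are an ASSUMPTION about the
Okta Policy API rule shape; the sample policies are constructed for the demo.
"""

PASSWORD = "password"


def _constraint_has_password(constraint):
    """True when this constraint alternative pins a knowledge factor of type
    password. Assumed shape: {"knowledge": {"types": [...]}, "possession": {...}}."""
    knowledge = constraint.get("knowledge") or {}
    return PASSWORD in (knowledge.get("types") or [])


def classify_global_session_rule(rule):
    """Global Session Policy rule: 'PASSWORD_IDP' = 'Establish the user session
    with: A password'; 'PASSWORD_IDP_ANY_FACTOR' = 'Any factor', which lets a
    passwordless factor such as Okta Verify stand in for the password."""
    primary = rule.get("actions", {}).get("signon", {}).get("primaryFactor")
    if primary == "PASSWORD_IDP":
        return "password"
    if primary == "PASSWORD_IDP_ANY_FACTOR":
        return "no-password"
    return "manual-review"


def classify_access_policy_rule(rule):
    """Authentication Policy rule. A password is guaranteed only when every
    constraint alternative the user may satisfy includes a password."""
    actions = rule.get("actions", {}).get("appSignOn", {})
    vm = actions.get("verificationMethod") or {}
    if vm.get("type") != "ASSURANCE":
        # Authentication method chains (or any shape not modelled here) need a human look.
        return "manual-review"
    constraints = vm.get("constraints") or []
    if not constraints:
        # "Any 1 factor type" / "Any 2 factor types" with nothing pinned: Okta Verify alone can satisfy it.
        return "no-password"
    return "password" if all(_constraint_has_password(c) for c in constraints) else "no-password"


def audit(policies):
    """policies: list of {"type", "name", "rules"}. Returns one finding tuple
    (policy type, policy name, rule name, status) per rule that does not
    guarantee a password, in export order."""
    findings = []
    for policy in policies:
        for rule in policy.get("rules", []):
            if policy["type"] == "OKTA_SIGN_ON":
                status = classify_global_session_rule(rule)
            elif policy["type"] == "ACCESS_POLICY":
                status = classify_access_policy_rule(rule)
            else:
                continue  # password, MFA enrollment, etc. policies are out of scope
            if status != "password":
                findings.append((policy["type"], policy["name"], rule.get("name", "?"), status))
    return findings


# Constructed sample export: two policies, six rules, shaped like the assumed API output.
SAMPLE_POLICIES = [
    {"type": "OKTA_SIGN_ON", "name": "Default Policy", "rules": [
        {"name": "Default Rule", "actions": {"signon": {"primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}},
        {"name": "Admins", "actions": {"signon": {"primaryFactor": "PASSWORD_IDP"}}},
    ]},
    {"type": "ACCESS_POLICY", "name": "AD Users - App Policy", "rules": [
        {"name": "Any 1 factor", "actions": {"appSignOn": {"verificationMethod":
            {"type": "ASSURANCE", "factorMode": "1FA", "constraints": []}}}},
        {"name": "Password + possession", "actions": {"appSignOn": {"verificationMethod":
            {"type": "ASSURANCE", "factorMode": "2FA", "constraints": [
                {"knowledge": {"types": [PASSWORD]}, "possession": {"deviceBound": "REQUIRED"}}]}}}},
        {"name": "Any 2 factor types", "actions": {"appSignOn": {"verificationMethod":
            {"type": "ASSURANCE", "factorMode": "2FA", "constraints": []}}}},
        {"name": "Method chain", "actions": {"appSignOn": {"verificationMethod":
            {"type": "AUTH_METHOD_CHAIN"}}}},
    ]},
]


if __name__ == "__main__":
    for policy_type, policy_name, rule_name, status in audit(SAMPLE_POLICIES):
        print(f"{status:14} {policy_type:13} {policy_name!r} rule {rule_name!r}")
```

Point audit() at a real export (one dict per policy with its rules attached) and every "no-password" line is a rule through which an AD user with an expired password can still reach a session; "manual-review" lines are method chains that the script deliberately does not interpret.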
