Users Are Able to Authenticate to Okta With Expired Active Directory Passwords
Overview

Users assigned to an Active Directory (AD) instance with delegated authentication enabled can authenticate to Okta with an expired AD password when using a passwordless authentication factor. Okta delegates authentication to AD only if the user provides a password, allowing users to bypass the expired password restriction. Adjust the Authentication Policy or the Global Session Policy to require a password as a factor to resolve this issue.

Applies To
  • Okta Identity Engine (OIE)
  • Active Directory (AD)
  • Delegated Authentication 
  • Passwordless Authentication
Cause

Users authenticating to Okta via delegated authentication with AD can authenticate with an expired AD password when using a passwordless authentication factor. Okta delegates authentication to AD only if the user provides a password. If the authentication policy does not require a password as a factor, users authenticate without using a password. For example, if an Authentication Policy requires Any 1 factor type and the user authenticates with Okta Verify, the user bypasses the password requirement and delegated authentication, so the expired AD password is never checked against AD.

Solution

Adjust the Authentication Policy or the Global Session Policy to require a password as a factor to force delegated authentication users to use passwords during authentication. The Global Session Policy applies to all applications, including the Okta Dashboard. Authentication Policies apply to specific applications defined in the policy.

 

How is the Global Session Policy configured to require a password?

Navigate to the Global Session Policy in the Okta Admin Console, select the applicable policy, and update the rule to establish the user session with a password.

  1. In the Okta Admin Console, navigate to Security > Global Session Policy.
  2. Select the policy that applies to the user base.
  3. Identify the rule and click the pencil icon to adjust the settings.
  4. Select A password for the Establish the user session with setting.
     [Screenshot in the original article: Establish the user session with setting]
  5. Click Update rule.

NOTE: Updating the rule requires the admin to reauthenticate.

How is the Authentication Policy configured to require a password?

Navigate to the Authentication Policies in the Okta Admin Console, select the applicable policy and rule, and configure the user authentication settings to require a password.

  1. In the Okta Admin Console, navigate to Security > Authentication Policies.
  2. Choose a policy.
  3. Select a rule, click Actions, and select Edit.
  4. Scroll to the THEN section, identify the AND User must authenticate with setting, and select an option that requires a password:
    • Password: Requires a password.
    • Possession: Does not require a password.
    • Any 1 factor type: May require a password if it is the only available factor type.
    • Password + Another factor: Requires a password.
    • Any 2 factor types: May require a password if the password is one of only two available factor types.
    • Authentication method chain: Allows configuration to require a password.
     [Screenshot in the original article: Authentication options]
  5. Click Save.

NOTE: Saving the policy requires the admin to reauthenticate.
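To check a tenant for this condition across many policies rather than clicking through each rule, the script below (an added example, not Okta's own code and not part of this article) audits a constructed export of policy rules and flags every rule that does not force a password, using the same classification as the option list above for Authentication Policies and the Establish the user session with setting for the Global Session Policy. It assumes the JSON shape Okta's Management API returns for Authentication Policy rules (actions.appSignOn.verificationMethod with factorMode and constraints) and for Global Session Policy rules (actions.signon.primaryFactor, where PASSWORD_IDP corresponds to A password); the sample export is constructed, and those field names and values should be verified against your own tenant's GET /api/v1/policies/{id}/rules output before relying on the result.

```python
"""Offline audit of Okta policy rules for rules that never force a password,
which is the condition that lets delegated-auth users skip the AD password check."""
import json

# Constructed sample export. The shape (ACCESS_POLICY rules carrying
# actions.appSignOn.verificationMethod, OKTA_SIGN_ON rules carrying
# actions.signon.primaryFactor) is an assumption based on Okta's Management API;
# compare it against your own tenant's rule output.
SAMPLE_EXPORT = json.loads("""
{
  "authentication_policies": [
    {"name": "Any 1 factor", "rules": [
      {"name": "Catch-all Rule", "actions": {"appSignOn": {"verificationMethod":
        {"type": "ASSURANCE", "factorMode": "1FA", "constraints": []}}}}]},
    {"name": "Password + MFA", "rules": [
      {"name": "Catch-all Rule", "actions": {"appSignOn": {"verificationMethod":
        {"type": "ASSURANCE", "factorMode": "2FA",
         "constraints": [{"knowledge": {"types": ["password"]}}]}}}}]},
    {"name": "Possession only", "rules": [
      {"name": "Catch-all Rule", "actions": {"appSignOn": {"verificationMethod":
        {"type": "ASSURANCE", "factorMode": "1FA",
         "constraints": [{"possession": {"deviceBound": "REQUIRED"}}]}}}}]}
  ],
  "global_session_policy": {"name": "Default Policy", "rules": [
    {"name": "Default Rule", "actions": {"signon":
      {"primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}}]}
}
""")

REQUIRED, BYPASSABLE, REVIEW = "REQUIRED", "BYPASSABLE", "REVIEW"


def constraint_forces_password(constraint):
    """True when one constraint set demands a knowledge factor of type password."""
    knowledge = constraint.get("knowledge") or {}
    return "password" in (knowledge.get("types") or [])


def audit_verification_method(vm):
    """Classify an Authentication Policy rule's verificationMethod.
    Password and Password + Another factor force a password; Possession,
    Any 1 factor type and Any 2 factor types do not; an authentication
    method chain is reported for manual review."""
    if vm.get("type") == "AUTH_METHOD_CHAIN":
        return REVIEW, "method chain: confirm every chain includes a password step"
    constraints = vm.get("constraints") or []
    if not constraints:
        return BYPASSABLE, f"{vm.get('factorMode', '?')} with no constraints (Any N factor types)"
    # Constraint sets are alternatives: a password is guaranteed only if every set needs one.
    if all(constraint_forces_password(c) for c in constraints):
        return REQUIRED, "every constraint set requires a password"
    return BYPASSABLE, "at least one constraint set can be met without a password"


def audit_global_session_rule(rule):
    """Global Session Policy rule: 'A password' maps to PASSWORD_IDP (assumed);
    any other primaryFactor lets the session start without a password."""
    primary = (rule.get("actions", {}).get("signon") or {}).get("primaryFactor")
    if primary == "PASSWORD_IDP":
        return REQUIRED, "session established with a password"
    return BYPASSABLE, f"primaryFactor={primary}: session may start without a password"


def audit_export(export):
    """Return one finding per rule as (policy, rule, verdict, reason)."""
    findings = []
    for policy in export.get("authentication_policies", []):
        for rule in policy.get("rules", []):
            vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
            verdict, reason = audit_verification_method(vm)
            findings.append((policy["name"], rule["name"], verdict, reason))
    gsp = export.get("global_session_policy", {})
    for rule in gsp.get("rules", []):
        verdict, reason = audit_global_session_rule(rule)
        findings.append((gsp.get("name", "Global Session Policy"), rule["name"], verdict, reason))
    return findings


if __name__ == "__main__":
    for policy, rule, verdict, reason in audit_export(SAMPLE_EXPORT):
        print(f"{verdict:10} {policy} / {rule}: {reason}")
```

Every BYPASSABLE finding is a rule under which a user assigned to a delegated-auth AD instance can sign in with a passwordless factor, so the AD password expiry is never evaluated; the fix for each is the policy change described in the steps above. Constraint sets are treated as alternatives, so a rule listing a password constraint beside a possession-only constraint is still reported as bypassable.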

 
