Okta Password Reset Fails with Change Password Not Allowed Error
Overview

An Okta password reset typically fails with this error when no password policy that allows password resets applies to the user. Resolve this issue by modifying the password policy rules in the Admin Console to allow password changes and resets.

When performing the password reset flow, the user receives the following message:

Change password not allowed on specified user.



The System Log displays the following error:

Fired when the user's Okta password is reset.

FAILURE: Password recovery denied by policy.



Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Password reset
  • Admin password reset
  • User self-service password reset
Cause

A password policy that allows for password resets does not apply to the user performing the password reset flow or the administrator performing the password reset from the user profile.

Solution

How is the password reset policy configured?

Ensure a password policy evaluates the user and allows for password recovery by navigating to the authenticators settings and enabling the password change and reset options in the policy rule.

  1. Go to Security > Authenticators.
  2. Next to the Password field, select Actions > Edit.
  3. Find the password policy that applies to the user based on their group membership (by default, the Everyone group).
  4. Scroll down to the Rule section of the policy and select Edit.
  5. Enable the Password change and Password reset options.
  6. Save the rule.
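
To see why a user can still be denied when another policy allows resets, the following added example (not Okta's code) evaluates exported policy and rule JSON offline. The field names are modeled on the Okta Policy API's password policy and rule objects and should be verified against your org's output; the IDs and sample data are constructed, and the evaluation order is a simplified assumption.

```python
# Assumption: the first ACTIVE policy (lowest priority number) whose group condition
# matches the user applies, then its first ACTIVE rule; network conditions are ignored.

def applicable_policy(policies, user_groups):
    for p in sorted(policies, key=lambda p: p["priority"]):
        include = p.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])
        if p["status"] == "ACTIVE" and set(include) & set(user_groups):
            return p
    return None

def applicable_rule(rules, user_id):
    for r in sorted(rules, key=lambda r: r["priority"]):
        exclude = r.get("conditions", {}).get("people", {}).get("users", {}).get("exclude", [])
        if r["status"] == "ACTIVE" and user_id not in exclude:
            return r
    return None

def reset_findings(policies, rules_by_policy, user_id, user_groups):
    """Return the reasons a reset would be denied; an empty list means allowed."""
    policy = applicable_policy(policies, user_groups)
    if policy is None:
        return ["no active password policy covers the user's groups"]
    rule = applicable_rule(rules_by_policy.get(policy["id"], []), user_id)
    if rule is None:
        return [f"policy '{policy['name']}' has no active rule matching the user"]
    findings = []
    for action in ("passwordChange", "selfServicePasswordReset"):
        access = rule.get("actions", {}).get(action, {}).get("access", "DENY")
        if access != "ALLOW":
            findings.append(f"rule '{rule['name']}' in policy '{policy['name']}': {action}={access}")
    return findings

# Constructed sample data (placeholder IDs, not from a real org).
POLICIES = [
    {"id": "pol-contractors", "name": "Contractors", "priority": 1, "status": "ACTIVE",
     "conditions": {"people": {"groups": {"include": ["grp-contractors"]}}}},
    {"id": "pol-default", "name": "Default Policy", "priority": 2, "status": "ACTIVE",
     "conditions": {"people": {"groups": {"include": ["grp-everyone"]}}}},
]
RULES = {
    "pol-contractors": [{"name": "No self-service", "priority": 1, "status": "ACTIVE",
        "actions": {"passwordChange": {"access": "DENY"}, "selfServicePasswordReset": {"access": "DENY"}}}],
    "pol-default": [{"name": "Default Rule", "priority": 1, "status": "ACTIVE",
        "actions": {"passwordChange": {"access": "ALLOW"}, "selfServicePasswordReset": {"access": "ALLOW"}}}],
}

if __name__ == "__main__":
    for finding in reset_findings(POLICIES, RULES, "usr-1", ["grp-everyone", "grp-contractors"]):
        print(finding)
```

In the sample, the user belongs to both groups, so the higher-priority Contractors policy applies and denies the reset even though the Default Policy would allow it.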