Seamless Onboarding: Empowering New Active Directory Users to Set Passwords Securely with Okta Workflows
Joe Witt


Ensuring new users can securely set their passwords upon creation is crucial in identity management. This blog post explores how to leverage Okta Workflows to enable password resets during the Active Directory (AD) import process, eliminating the need to share initial passwords through insecure methods like emails or sticky notes.


Understanding the Challenge


Traditionally, when new identities are onboarded from AD into Okta, initial passwords are often communicated via insecure channels, increasing the risk of unauthorized access. This approach not only compromises security but also undermines user confidence in the system.


Leveraging Okta Workflows for Secure Onboarding

By utilizing Okta Workflows, organizations can automate the password reset process during user onboarding, ensuring that initial passwords are not exposed. This method enhances security and streamlines the onboarding experience.


Implementation Overview

  1. Triggering the Workflow: Configure Okta Workflows to initiate a password reset when a new user is imported from AD. Optionally, have the flow add the user to a dedicated Okta group whose password policy allows a reset with nothing more than an email link; a freshly imported user has no other authenticator enrolled yet, so a stricter recovery requirement would block them.
  2. Generating a Secure Reset Link: The workflow generates a single-use password reset link, so no initial password ever exists to be exposed.
  3. Notifying the User: An automated email is sent to the new user with the reset link and instructions, guiding them to set their password securely.
  4. Removing the User from the Okta Group: Optionally have a second flow remove the user from that group once the password has been set. This matters when your password policy requires more than email for a reset (for example a security question or another Okta authenticator): leaving the user in the email-only group would permanently weaken recovery for that account to whoever controls the mailbox.

Benefits of This Approach

  • Enhanced Security: Eliminates the exposure of initial passwords through insecure channels.
  • Improved User Experience: Provides a seamless and secure method for users to set their passwords.
  • Operational Efficiency: Reduces the administrative overhead associated with manual password distribution and resets.

Getting Started

Step 1:

Create a new Okta group. This is the group the first flow adds imported users to, so its password policy should permit a reset via email link alone. The groupId is in the Admin Console URL once the group is created (the value beginning with 00g).



Step 2:

Create the following two workflows:

AD User Send Password Reset

Remove User From Group After Password Reset

Step 3:

Add the groupId from step 1 to the flows.

Step 4:

Add the AD appId to the “AD User Send Password Reset” flow. To obtain the appId, open your AD directory configuration in the Admin Console; its URL contains the appId needed for the flow configuration (the value beginning with 0oa).

Step 5:

In your AD environment, add an attribute that holds the user's personal email address and map it to Okta’s secondaryEmail profile attribute. A new user cannot read their corporate mailbox until they have a password, so the reset link must reach an address they already control. Because that address now acts as a password-recovery channel, consider marking the attribute read-only in the Okta profile so the user cannot change it themselves and the value can only be changed at its source in AD.

Step 6:

Add a test user to AD with the personal email attribute populated, then manually run an import from the AD directory in the Admin Console.

Step 7:

Check the flow history in Okta Workflows to confirm the flow was invoked. Next, check the test user's personal inbox for the password reset email and click the link. It opens Okta's standard reset flow: the user creates a password, completes any required authenticator enrollment if MFA is enforced, and is then redirected to the Okta dashboard.

Step 8:

After the user sets their password, the second flow runs and removes the user from the group created in Step 1. Confirm the removal in the group's membership; if the user is still a member, the stricter reset policy is not yet in effect for that account.
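The same two flows as a script, added here as an example rather than anything shipped with this post, for readers who want to reproduce or verify the behaviour outside the Workflows designer. It uses Okta's REST API: group membership via PUT/DELETE /api/v1/groups/{groupId}/users/{userId}, the user profile's secondaryEmail, and POST /api/v1/users/{userId}/lifecycle/reset_password?sendEmail=false, which returns the reset link instead of emailing it. The org URL, token, IDs, the sample System Log event and the FakeTransport stand-in for the tenant are all constructed; the eventType the second flow keys on (user.account.reset_password) is an assumption to confirm against your own System Log before relying on it. Delivery of the link to the personal address is left to whatever mailer you already use.

```python
"""Scripted equivalent of the two flows (added example, not the post's own flows)."""
import json
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, json_body) -> (http_status, json_dict)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def urllib_transport(token: str) -> Transport:
    """Real transport: standard library only, SSWS API-token auth."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"SSWS {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


class OktaClient:
    def __init__(self, org_url: str, transport: Transport):
        self.org, self.send = org_url.rstrip("/"), transport

    def _membership(self, method: str, group_id: str, user_id: str) -> bool:
        status, _ = self.send(method, f"{self.org}/api/v1/groups/{group_id}/users/{user_id}", None)
        return status == 204  # Okta answers 204 No Content for both PUT and DELETE

    def add_to_group(self, group_id: str, user_id: str) -> bool:
        return self._membership("PUT", group_id, user_id)

    def remove_from_group(self, group_id: str, user_id: str) -> bool:
        return self._membership("DELETE", group_id, user_id)

    def secondary_email(self, user_id: str) -> Optional[str]:
        _, user = self.send("GET", f"{self.org}/api/v1/users/{user_id}", None)
        return user.get("profile", {}).get("secondaryEmail")

    def reset_password_link(self, user_id: str) -> str:
        # sendEmail=false makes Okta hand back the single-use link instead of
        # mailing it to the primary address the new user cannot read yet.
        _, body = self.send("POST", f"{self.org}/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=false", None)
        return body["resetPasswordUrl"]


def onboard_imported_user(client: OktaClient, group_id: str, user_id: str) -> Tuple[str, str]:
    """Flow 1, 'AD User Send Password Reset': returns (personal_address, reset_url)
    for your mailer. Refuses to mint a link when no personal address is mapped."""
    to = client.secondary_email(user_id)
    if not to:
        raise ValueError(f"user {user_id} has no secondaryEmail; check the AD attribute mapping")
    if not client.add_to_group(group_id, user_id):
        raise RuntimeError("could not add user to the email-only reset group")
    return to, client.reset_password_link(user_id)


RESET_EVENT = "user.account.reset_password"  # assumed eventType; confirm in your System Log


def on_reset_event(client: OktaClient, group_id: str, event: dict) -> bool:
    """Flow 2, 'Remove User From Group After Password Reset': given one System Log
    event, drop the user from the temporary group only after a SUCCESSful reset."""
    if event.get("eventType") != RESET_EVENT or event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    user = next((t for t in event.get("target", []) if t.get("type") == "User"), None)
    return user is not None and client.remove_from_group(group_id, user["id"])


# ---- constructed offline stand-ins (not real tenant data) -------------------
GROUP_ID, USER_ID = "00gEXAMPLEGROUP00000", "00uEXAMPLEUSER000000"
SAMPLE_RESET_EVENT = {  # shape of a System Log entry; values made up
    "eventType": RESET_EVENT,
    "outcome": {"result": "SUCCESS"},
    "target": [{"type": "User", "id": USER_ID, "alternateId": "jane.doe@example.com"}],
}


class FakeTransport:
    """Minimal in-memory Okta: tracks group membership, serves one test user."""
    def __init__(self) -> None:
        self.members: set = set()

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        parts = url.split("/api/v1/", 1)[1].split("/")
        if parts[0] == "groups" and len(parts) == 4:  # groups/{gid}/users/{uid}
            (self.members.add if method == "PUT" else self.members.discard)((parts[1], parts[3]))
            return 204, {}
        if method == "GET" and parts[0] == "users":
            return 200, {"id": parts[1], "profile": {"secondaryEmail": "jane.personal@example.net"}}
        if method == "POST" and url.endswith("/lifecycle/reset_password?sendEmail=false"):
            return 200, {"resetPasswordUrl": "https://example.okta.com/reset_password/XE6wE17zmphl3KqAPFxO"}
        return 404, {}


if __name__ == "__main__":
    fake = FakeTransport()
    okta = OktaClient("https://example.okta.com", fake)
    to, link = onboard_imported_user(okta, GROUP_ID, USER_ID)
    print(f"mail {link} to {to}; group members now: {fake.members}")
    on_reset_event(okta, GROUP_ID, SAMPLE_RESET_EVENT)
    print(f"after the reset event, group members: {fake.members}")
```

Run it as-is for the offline walk-through, or swap `FakeTransport()` for `urllib_transport(token)` to run against a tenant. Two checks worth keeping when you port this back into Workflows: the first flow should refuse to generate a link when no personal address is mapped (otherwise the link goes nowhere useful or, worse, to a shared mailbox), and the second flow should key on a successful reset event, not merely on the event type, so a failed reset attempt does not strip the user from the group before they have a password.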


Conclusion

Implementing this automated password reset process during AD user imports not only strengthens security but also enhances the overall efficiency of user onboarding. By leveraging Okta Workflows, organizations can ensure that new users receive the keys to their digital kingdom securely and conveniently.


Helpful Resources

Click here for additional Okta Workflow material

Click here for Active Directory setup and configuration 


Need help with the setup in this blog or similar type flows click here to contact Okta Professional Services.
